Replication provides for situations where you have a particularly large or active Open Directory environment and for situations where you have multiple sites with slow network links between them. In such cases, you can bind computers to a local replica rather than to the remote master. The system also supports automatic fail-over from the master to the next available replica. Because replicas can be promoted to become an Open Directory Master in the event of a complete failure of the Master, they also serve as backups of your domain.
Joining additional servers to Open Directory
To provide single-sign on access to services and to allow users to use a single account for accessing all resources within a network, you can join additional servers that are neither master nor replica to a network. These servers are referred to as member servers or as being bound to Open Directory or, in the designation used by Server Admin, as connected to a directory system.
There are two advantages to using servers in such a way. First, users need only remember one user account. Second, because of Kerberos and single sign-on, users will have seamless access and the integrity of their passwords is maintained throughout the network.
The process of configuring additional servers to rely on user accounts stored in Open Directory is, at least in part, the same as joining a workstation. First, select the "Connected to a directory system" role using the pop-up menu in the "General Open Directory Settings" pane in Server Admin. Then use the "Open Directory Access" button to launch Directory Access. Bind the server to the domain and configure a search path just as you would for any other computer.
In theory, you could stop at this point and the server would allow access to resources via accounts in Open Directory. However, additional steps are required if you want the server to use Kerberos authentication. This is because every server that relies on a Kerberos key distribution center (KDC) for authentication must maintain a copy of certain encrypted files, including the keytab file. The process of configuring a server for Kerberos authentication is referred to as joining it to the Kerberos realm.
Joining a server to the Kerberos realm involves several steps. First, you must bind it to Open Directory (as described above). Then you must create a computer record for it using Workgroup Manager. The computer record can be part of any computer list in your Open Directory domain, but its name must be listed as its fully qualified domain name.
Once the server has a computer account, connect to the Open Directory master using Server Admin and then click the "Add Kerberos Record" button in the "General" pane of the Open Directory Settings. You will be asked to authenticate as a domain administrator, provide the fully qualified domain name of the server -- referred to as the configuration record name -- and then to specify the user name(s) of one or more administrators who will have authority to join the server to the Kerberos realm. These people are referred to as delegated administrators. This will place the required information into the server's computer record in Open Directory.
The final step is to use Server Admin to connect to the member server and click the "Join Kerberos Realm" button in the "General" pane of the Open Directory Settings. You will be asked to select a realm from a list of known Kerberos realms -- typically, you will only see the realm on your Open Directory Master -- and to enter the user name and password of a delegated administrator. At this point, the required Kerberos files are copied to the server, and it is configured to support Kerberos authentication.
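As an added check that is not part of the original article: once the join completes, the member server's keytab should contain service principals for exactly the fully qualified domain name you entered in its computer record, in the realm you selected. The keytab path and the sample `klist -k` output below are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): after "Join Kerberos Realm",
# confirm the member server's keytab holds a host principal for its fully
# qualified domain name in the expected realm. Live use (path assumed):
#   klist -k /etc/krb5.keytab | check_keytab "$(hostname -f)" "EXAMPLE.COM"

# is_fqdn NAME -> 0 if NAME contains at least one dot and no spaces
is_fqdn() {
    case "$1" in
        *" "*|"") return 1 ;;
        *.*)      return 0 ;;
        *)        return 1 ;;
    esac
}

# check_keytab FQDN REALM  (reads `klist -k` output on stdin)
# Returns 0 only when the name is fully qualified and a host/FQDN@REALM
# entry is present; returns 2 when the name is not an FQDN at all.
check_keytab() {
    fqdn=$1; realm=$2
    is_fqdn "$fqdn" || { echo "not an FQDN: $fqdn" >&2; return 2; }
    # klist -k lines look like: "   3 host/server.example.com@EXAMPLE.COM"
    found=$(awk -v want="host/$fqdn@$realm" '$2 == want { n++ } END { print n+0 }')
    [ "$found" -gt 0 ]
}

# Constructed sample of `klist -k` output for a joined member server.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/files.example.com@EXAMPLE.COM
   3 afpserver/files.example.com@EXAMPLE.COM'
```

A short host name or a principal in a different realm fails the check, which is the symptom you see when the computer record was not created with the FQDN.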
You can also use the "Logs" panel in Server Admin to view the various service logs used by Open Directory to ensure that all needed processes are running correctly. These logs can also be useful for troubleshooting problems, as well as for identifying potential network attacks or attempts by unauthorized users to log in to computers within your network. As such, it is a good practice to review them on a regular basis.
Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. In addition to writing for Computerworld, he is a frequent contributor to InformIT.com. Ryan was also the co-author of O'Reilly's Essential Mac OS X Panther Server Administration. You can find more information about Ryan, his consulting services and recently published work at www.ryanfaas.com, and can e-mail him at ryan@ryanfaas.com.