Understanding Mac OS X Open Directory

Search paths for shared domains

Mac OS X computers can be bound to multiple directory domains (both Open Directory and domains of other platforms such as Active Directory). This requires that a search path be established that defines the order in which available domains will be searched for account information. This is different from a Windows environment, in which a list of available domains is part of the log-in dialog. As mentioned above, the local NetInfo domain will always be first in the search path on Mac OS X. However, you can place any other domains in any order that you choose.

Search paths can be useful in a number of ways. They allow you to have separate containers for different groups of users and/or computers. They also allow you to build support for multiple directory service platforms that can mix and match advantages of each system. For example, you could rely on user accounts stored in Active Directory but manage computers using accounts stored in Open Directory, which enables you take advantage of Apple's client management architecture. Search paths are powerful tools, but it is important to recognize that if you have users with the same name in two domains in a search path, only the account in the first domain of the search path will actually be found.

Directory binding

Mac OS X computers can be bound to Open Directory domains in two ways. The first, and simplest, is Dynamic Host Configuration Protocol (DHCP). Mac OS X Server can include information about a domain with other information in response to a computer's DHCP request. By default, Mac OS X will accept and use Open Directory configurations received by DHCP. This is helpful both because it saves the time and effort of manually configuring each computer in a network.

For static binding, you configure access to directory domains using the Directory Access utility, which is located in the Utilities folder inside Mac OS X's Applications folder. Directory Access includes plug-in modules that can be configured for each of Open Directory's features. For instance, the LDAP v3 plug-in manages Open Directory domain configuration and binding.

Search paths are set by using the Authentication tab in Directory Access. You can choose to use an automatic search that includes DHCP-supplied domains and the local domain; local-only, in which only the local domain is used; and custom, which allows you to manually configure and set the search path of available domains. You can also use the Contacts tab to set up LDAP search paths of domains for Mac OS X's Address Book application.