Thursday | 8 January, 2009
LinuxWorld.com.au

Understanding Mac OS X Open Directory

An introduction to directory services in the Mac environment
Ryan Faas (Computerworld) 17/04/2007 10:50:12

Managed client environment

Open Directory offers a rich managed client environment that can be used to secure and define the user environment for all users and computers. Virtually every aspect of the Mac OS X user experience can be preset for new users or can be permanently defined so that it can't be modified.

When using Mac OS X Server 10.4 (Tiger) with computers running the same Mac OS X release, it is also possible to create preference manifests. These are XML files that can be used to define the preference settings of virtually any Mac OS X application. Managed preferences under Mac OS X can be set for individual users, groups or lists of computers.

Integrating with other directory service platforms

Active Directory integration is often the easiest, and there are several easy methods of integration for both Mac OS X computers and Mac OS X Server. Beyond Active Directory, Open Directory can be integrated with almost any platform that is LDAP-based or supports LDAP queries. In fact, true integration between Open Directory and Active Directory is often done using LDAP.

Integrating directory services platforms often begins with modifying the schema of the platforms involved so that they support the additional objects and attributes that make up Open Directory's schema. Often, the Open Directory schema will also be modified to accommodate the needs of the other platform. By supporting the additional information types, it becomes possible not only to perform queries between the platforms but also to store data for specific features, such as managed preferences. While this is a daunting task, the rewards can be worth it in large environments that need a broad solution for differing types of systems.

Hosting a Windows Domain

For those environments that need to support authentication from Windows workstations, Open Directory can host a Windows NT-style domain. In these scenarios, the Open Directory Master acts as a Primary Domain Controller, and replicas function as Backup Domain Controllers. This setup is not always perfect, and the hosted domain is not an Active Directory domain. However, it does provide for authentication and allows for the hosting of home directories and Windows profiles. And it works well in many environments.

Ryan Faas is a freelance writer and technology consultant specializing in Macintosh and multiplatform network issues. In addition to writing for Computerworld, he is a frequent contributor to InformIT.com. Ryan was also the co-author of Essential Mac OS X Panther Server Administration (O'Reilly Media, 2005). You can find more information about Ryan, his consulting services and recently published work at www.ryanfaas.com, and you can e-mail him at ryan@ryanfaas.com.
