Open Directory began with Mac OS X Server 10.2. In this initial form, Open Directory consisted of a network-visible NetInfo directory domain and a corresponding Authentication Manager service for storing passwords outside of the directory. Version 10.2 also included support for Kerberos. Mac OS X versions 10.1 and 10.0 stored user password information within the directory domain using crypt password authentication authorities, but version 10.2 paved the way for the current Shadow Hash and Password Server mechanisms. Password Server is the successor to Authentication Manager, and was introduced in Open Directory 2 in Mac OS X Server 10.3. Open Directory 2 was also the first version to use LDAPv3 as the directory domain.
Mac OS X Server 10.4 includes Open Directory 3, which introduced Active Directory domain member support, trusted directory binding, and increased robustness. The forthcoming Mac OS X Server 10.5 will feature Open Directory 4 with support for cross-domain authorization and a built-in RADIUS server for managing AirPort base stations.
The number of connections that a directory service can handle is harder to measure because directory service connections occur in the context of the connections of all the services that the server provides. With Mac OS X Server, a server dedicated to Open Directory has a limit of 1000 simultaneous client computer connections.
The Open Directory server may actually be able to provide LDAP and authentication services to more client computers, because not all the client computers will need these services at once. Each client computer connects to the LDAP directory for up to two minutes, and connections to the Open Directory Password Server are even shorter lived. An Open Directory server may be able to support well over 1000 client computers because the odds are that only a fraction of the client computers that could make a connection with Open Directory will actually make connections at the same time. Determining what the fraction is—what percentage of the potential client computers will make connections at the same time—can be difficult. For example, client computers that each have a single user who spends all day working on graphics files will need Open Directory services relatively infrequently. In contrast, computers in a lab will have many users logging in throughout the day, each with a different set of managed client preference settings, and these computers will place a relatively high load on Open Directory services. In general, you can correlate Open Directory usage with login and logout. These activities will generally dominate directory and authentication services in any system. The more frequently users log in and out, the fewer client computers an Open Directory server (or any directory and authentication server) can support. You need more Open Directory servers if users log in very frequently. You can get by with fewer Open Directory servers if work sessions are long in duration and login is infrequent.
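The sizing argument above can be turned into a rough estimate. The following is an added example, not Apple's sizing tool or anything from the original page: it takes the two figures the text gives (a 1000-connection limit and LDAP connections held for up to two minutes) and applies the usual arrival-rate times holding-time relation to get an expected concurrency. The 50% headroom factor and the workload profiles in the docstring are assumptions chosen for illustration, not measured values.

```python
"""Rough sizing estimate for Open Directory client connections.

Added example; not Apple's tool. Applies the page's reasoning: a dedicated
Open Directory server is limited to 1000 simultaneous connections, and each
client holds an LDAP connection for up to two minutes around login/logout,
so the expected number of concurrent connections is roughly

    clients * logins_per_client_per_hour * (connection_minutes / 60)

(Little's law: concurrency = arrival rate * holding time). Example profiles
(constructed, not measured): a graphics workstation with one login per
8-hour day is about 0.125 logins/hour; a lab machine with a new user every
15 minutes is about 4 logins/hour.
"""

CONNECTION_LIMIT = 1000          # from the page: limit of a dedicated OD server
LDAP_CONNECTION_MINUTES = 2.0    # from the page: "up to two minutes"


def expected_concurrent_connections(clients, logins_per_client_per_hour,
                                    connection_minutes=LDAP_CONNECTION_MINUTES):
    """Expected number of simultaneous Open Directory connections."""
    arrival_rate_per_minute = clients * logins_per_client_per_hour / 60.0
    return arrival_rate_per_minute * connection_minutes


def max_clients_for_limit(logins_per_client_per_hour,
                          connection_minutes=LDAP_CONNECTION_MINUTES,
                          limit=CONNECTION_LIMIT, headroom=0.5):
    """Largest client count whose expected concurrency stays under
    headroom * limit. Peak load (e.g. a lab session starting) is burstier
    than the average, hence the safety factor; 0.5 is an assumption."""
    per_client = logins_per_client_per_hour / 60.0 * connection_minutes
    return int(headroom * limit / per_client)


def servers_needed(clients, logins_per_client_per_hour, **kwargs):
    """Number of Open Directory servers (master plus replicas) the estimate
    calls for; the same per-server capacity is assumed for each."""
    capacity = max_clients_for_limit(logins_per_client_per_hour, **kwargs)
    return -(-clients // capacity)   # ceiling division


if __name__ == "__main__":
    for label, rate in (("graphics workstations", 0.125), ("lab computers", 4.0)):
        print("%s: about %d per server" % (label, max_clients_for_limit(rate)))
```

The estimate only covers the LDAP connection; the page notes that Password Server connections are shorter still, so they do not change the bound. The useful output is the ratio between the two profiles, which shows why the text says login frequency, not raw client count, is the quantity to plan around.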
Open Source Directory Services
Because Apple has adopted a Unix-based operating system, most open source solutions will work with the current OS. To turn Mac OS X into a NOS (Network Operating System), it is simply a matter of downloading Apple's versions of these (which are the open source projects with Apple's tweaks) and installing them.
Open Directory relies on open source technologies, like OpenLDAP and Kerberos, for seamless interoperability with other standards-based LDAP servers. It can apparently plug into environments that use proprietary services, such as Microsoft’s Active Directory and Novell’s eDirectory. For organizations that haven’t yet deployed directory services, the Open Directory server is an easy-to-deploy solution that lets small operations benefit from centralized information. And because there are no per-user or per-seat fees, Open Directory can scale with the needs of your organization — without draining your IT budget.
Apple's Open Directory architecture includes source code for both directory client access and directory servers. Open Directory forms the foundation of how Mac OS X accesses all authoritative configuration information (users, groups, mounts, managed desktop data, etc.). Mac OS X obtains this information via abstraction APIs, enabling the use of virtually any directory system.
Directory Service components are available under the Apple Public Source License.
Open Directory Access
(Figure: Apple's version of MS Active Directory)
(Figure: GUI of Apple's LDAP)
Built into Open Directory is a robust authentication server using MIT’s Kerberos Key Distribution Center (KDC) — providing strong authentication with support for secure single sign-on. That means users need to authenticate only once, with a single user name and password pair, for access to a broad range of Kerberized network services. For services that have not been Kerberized, the integrated SASL service automatically negotiates the strongest-possible authentication protocol.
Support for Mixed-Platform Environments
Open Directory uses OpenLDAP, the open source implementation of LDAP, to provide directory services for mixed-platform environments. A common language for directory access lets you consolidate information from different platforms and define a single name space for all network resources. Whether you have Mac, Windows or Linux systems on your network, you can set up and manage a single directory; you don’t need to maintain a separate directory or separate user records for each platform. This also streamlines the user experience: users can move effortlessly between Mac and Windows computers — and still gain authenticated single sign-on access to directory-based system and network resources.
NT Domain Services
Apple has integrated the NT Domain services of the popular open source Samba 3 project with Open Directory, making it possible to host NT Domain services on Mac OS X Server v10.4. You can set up Mac OS X Server as a Primary Domain Controller (PDC) or Backup Domain Controller (BDC) for your network, so Windows users can authenticate against Mac OS X Server directly from the PC login window. NT Domain services also enable Mac OS X Server to host roaming profiles and network home directories for Windows clients. Now any user in your directory can securely log in and access the same user account, authentication, home directory and network resources from a Mac or a Windows system. These capabilities make Mac OS X Server ideal for replacing aging Windows NT or Windows 2000 servers, without requiring businesses to transition to an expensive Active Directory infrastructure.
Implementation in Mac OS X Server
Mac OS X Server can host an Open Directory domain when configured as an Open Directory Master. In addition to its local directory, this OpenLDAP-based LDAPv3 domain is designed to hold centralized management data, users, groups, and computer accounts. The directory domain is paired with the Open Directory Password Server and, optionally, a Kerberos realm. Either provides an authentication model and stores password information outside of the directory domain itself.
For Kerberos authentication, the Kerberos realm can either be hosted by a Kerberos key distribution center (KDC) running on the server system, or the server can participate in an existing Kerberos realm.
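The mechanism that backs a given account (the crypt-in-directory model of 10.0/10.1 described earlier, Shadow Hash, Password Server, or Kerberos) is recorded in the user record's AuthenticationAuthority attribute. The following is an added example, not Apple code and not from the original page, that audits such values for accounts whose password is still stored inside the directory domain. It assumes the values have been collected with `dscl . -read /Users/<name> AuthenticationAuthority` (a real command; the collection step is left to the reader), and the sample records below are constructed, including the key material and host names.

```python
"""Audit AuthenticationAuthority values of Open Directory user accounts.

Added example; not Apple code. Each value is ';'-delimited: an empty first
field, a tag such as basic (crypt hash stored in the directory itself, the
pre-10.2 model), ShadowHash, ApplePasswordServer or Kerberosv5, then
tag-specific positional data. A DisabledUser tag wraps another authority
(';DisabledUser;;ShadowHash;...'). A record with no value at all also
means the legacy crypt model. All sample records here are constructed.
"""

# Authorities that keep the password (or its verifier) outside the directory domain.
STRONG = {"ShadowHash", "ApplePasswordServer", "Kerberosv5"}


def parse_authority(value):
    """Return (tag, data_fields, disabled) for one AuthenticationAuthority value.

    data_fields keeps its positions (empty strings included) so that, e.g.,
    the Kerberosv5 realm is always data_fields[2]."""
    fields = value.split(";")
    if len(fields) < 2 or fields[0] != "":
        raise ValueError("malformed authority: %r" % value)
    disabled = False
    idx = 1
    if fields[idx] == "DisabledUser":
        disabled = True
        idx += 2          # skip the tag and the empty field that follows it
        if idx >= len(fields):
            raise ValueError("DisabledUser without wrapped authority: %r" % value)
    return fields[idx], fields[idx + 1:], disabled


def kerberos_principal(values):
    """Principal named in a Kerberosv5 authority, or None if there is none."""
    for value in values:
        tag, data, _ = parse_authority(value)
        if tag == "Kerberosv5" and len(data) > 1:
            return data[1]
    return None


def audit(records):
    """records: {username: [authority values]}.

    Returns {username: finding}, where finding is one of
      'ok'         every authority is ShadowHash/PasswordServer/Kerberos
      'mixed'      a strong authority alongside a legacy one such as basic
      'crypt-only' only legacy authorities (password hash in the directory)
      'none'       no authority at all (legacy crypt model)
      'disabled'   account is wrapped in DisabledUser
    """
    findings = {}
    for user, values in records.items():
        tags, disabled = set(), False
        for value in values:
            tag, _data, dis = parse_authority(value)
            tags.add(tag)
            disabled = disabled or dis
        weak = tags - STRONG
        if disabled:
            findings[user] = "disabled"
        elif not tags:
            findings[user] = "none"
        elif weak and tags & STRONG:
            findings[user] = "mixed"
        elif weak:
            findings[user] = "crypt-only"
        else:
            findings[user] = "ok"
    return findings


# Constructed sample records (key material, slot id and hosts are placeholders).
SAMPLE_RECORDS = {
    "jdoe": [
        ";ApplePasswordServer;0x4b1a2c3d4e5f60718293a4b5,1024 35 1234567890 root@od.example.com:10.0.0.5",
        ";Kerberosv5;;jdoe@EXAMPLE.COM;EXAMPLE.COM;1024 35 1234567890 root@od.example.com:10.0.0.5",
    ],
    "localadmin": [";ShadowHash;HASHLIST:<SALTED-SHA1>"],
    "legacy": [";basic;"],
    "halfway": [";basic;", ";Kerberosv5;;halfway@EXAMPLE.COM;EXAMPLE.COM;"],
    "imported": [],
    "former": [";DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA1>"],
}

if __name__ == "__main__":
    for user, finding in sorted(audit(SAMPLE_RECORDS).items()):
        print("%-12s %s" % (user, finding))
```

Accounts reported as `none` or `crypt-only` are the ones whose password hash still lives in the directory domain, which is exactly what the Password Server and Shadow Hash mechanisms introduced in 10.2 were meant to avoid; `mixed` accounts are worth a look too, since the weaker authority remains usable until it is removed.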
For services that are not Kerberized, the Password Server provides the following Simple Authentication and Security Layer-based authentication methods:
Any Mac OS X Server system configured as an Open Directory Master can act as a Windows Primary Domain Controller (PDC), providing domain authentication services to Windows clients, or as a Backup Domain Controller (BDC), which acts as a backup for the PDC for redundancy.
Seeking Help Documentation
Using Onscreen Help
You can view instructions and other useful information from this and other documents in the server suite by using onscreen help. On a computer running Mac OS X Server, you can access onscreen help after opening Workgroup Manager or Server Admin. From the Help menu, select one of the options:
You can also access onscreen help from the Finder or other applications on a server or on an administrator computer. (An administrator computer is a Mac OS X computer with server administration software installed on it.) Use the Help menu to open Help Viewer, and then choose Library > Mac OS X Server Help. To see the latest server help topics, make sure the server or administrator computer is connected to the Internet while you’re using Help Viewer. Help Viewer automatically retrieves and caches the latest server help topics from the Internet. When not connected to the Internet, Help Viewer displays cached help topics.
Directory Services Framework
This section describes the plug-in model used by Directory Access and the directory services framework in Mac OS X and Mac OS X Server. When connected to a directory system, a Mac OS X client or server can authenticate users, look up contacts, and perform service discovery and name resolution with the following types of directories: