Discover the Power of Open Directory

by Noah Gift

Open Directory is one of Apple's best-kept secrets. Open Directory is Apple's Directory Server, and believe it or not, it can run your corporation or your home network.

In part one of this three-part series, we will configure a very basic Open Directory System and set up an OS X client on it. In part two, we will set up a Red Hat Linux client to use Open Directory, configure common NFS home directories served out from a Linux NFS server for both OS X and Linux, and finally, set up a mobility account (caching network home directory--great for laptops). In part three, we will journey into the unthinkable by authenticating a Windows machine against Open Directory and giving it a roaming profile. Yes, that is correct, Open Directory does Windows, too!

Many people are under the impression that there are two options when it comes to Directory Services: if your systems are predominantly Unix, then you run OpenLDAP, and if your systems are predominantly Windows, then you run Active Directory.

There is another choice. I have personally used Open Directory in a corporate setting, and it works great! In fact, Linux, OS X, and Windows clients were authenticating to Open Directory and all working off of network home directories. Yes, that is correct--Linux and Windows clients can authenticate and work from network home directories.

Additionally, Open Directory is a dream to administer and set up, and very inexpensive to operate. A license for OS X Server, which supports 10 AFP clients, is around $500. It is wise to run in a master/slave configuration, so this will run you about $1,000 in software costs. All you need next are two machines with mirrored hard drives, a couple gigs of RAM, and that's it! A corporation can easily run off of this configuration.

Setting Up Open Directory

Now let's take a look at how easy it is to set up Open Directory. At home I have a Mac mini running OS X Server that works just fine with 512MB of RAM as an Open Directory Master. I take care to make backups of the database, but this setup had a total cost of around $1K. Not a bad idea for a small business or a sophisticated home setup like mine.

My home setup is as follows:

Let's assume you have a spare Mini or workstation you can throw OS X Server on for this test. I am also going to assume you are on a private network. If you're on a public network, you can easily switch my "pretendco" examples for real FQDN entries. Now let's get started!

Step 1: Getting local host files configured properly

These entries should be entered into all machines connecting to Open Directory. DNS is one of the few things that can trip up Open Directory, so we will just use local host files. Name resolution needs to be correct for every lookup to the LDAP database. Here is an example of what would be appended to the /etc/hosts file on both the Open Directory master and the client; the entries cover the hosts mini, cent, and nlap. (Note: always back up your /etc/hosts file before you edit it, and APPEND this data--do not replace your whole config file.)

Figure 1. Local Host File Example
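Because a bad host entry is the usual reason the Kerberos realm and search base fail to appear later on, it is worth checking the appended block before binding anything. The script below is an added example, not part of the original article: it parses hosts-file text and reports the two mistakes that most often break a bind, a host name that maps to more than one address, and a canonical (first) name that is not fully qualified. The addresses and the pretendco.com names are constructed sample data in the TEST-NET-1 range, not the author's actual entries.

```python
"""Sanity-check /etc/hosts entries before binding clients to an Open
Directory master.  Added example; host names and addresses below are
constructed (TEST-NET-1 range), not the article's own."""
import ipaddress
from collections import defaultdict

# Constructed sample of a consistent appended block.
GOOD_HOSTS = """\
# appended for Open Directory (constructed sample)
192.0.2.10   mini.pretendco.com   mini
192.0.2.20   cent.pretendco.com   cent
192.0.2.30   nlap.pretendco.com   nlap
"""

# Constructed sample with the two mistakes that commonly break the bind:
# 'mini' appears under two addresses, and two lines have no FQDN.
BAD_HOSTS = """\
192.0.2.10   mini.pretendco.com   mini
192.0.2.11   mini
192.0.2.20   cent
"""


def parse_hosts(text):
    """Yield (ip, [names]) for each non-comment line, trailing comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield fields[0], fields[1:]


def check_hosts(text):
    """Return a list of human-readable problems; an empty list means the
    entries are consistent enough for a bind."""
    problems = []
    ips_for_name = defaultdict(set)
    for ip, names in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{ip!r} is not a valid IP address")
            continue
        if not names:
            problems.append(f"{ip} has no host name")
            continue
        # The first name on a line is the canonical name.  The server derives
        # its Kerberos realm and LDAP search base from its canonical name, so
        # a bare short name here is the classic cause of a missing realm.
        if "." not in names[0]:
            problems.append(f"{ip}: canonical name {names[0]!r} is not fully qualified")
        for name in names:
            ips_for_name[name.lower()].add(ip)
    # A name listed under two addresses makes forward lookups ambiguous.
    for name, ips in sorted(ips_for_name.items()):
        if len(ips) > 1:
            problems.append(
                f"{name!r} maps to more than one address: {', '.join(sorted(ips))}"
            )
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_HOSTS), ("bad", BAD_HOSTS)):
        print(label, check_hosts(text) or "ok")
```

To check a real file, pass the contents of /etc/hosts to check_hosts on each machine (master and every client); the lists should be identical and empty.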

Step 2: Using Server Admin Tools

The Server Admin Tools are available as a free download if you don't have them installed already. They are also quite easy and intuitive to use. Once they are installed you might want to put an icon for the Workgroup Manager and Server Admin in your dock for easy access.

  1. Open up Server Admin.
  2. Add your server.
  3. Select Open Directory Service and Change to Open Directory Master.

Step 3: Create a new Open Directory master domain

Note that a separate account called the Directory Administrator, or diradmin, is created. All administrative tasks will be performed by this account. You should also see the Kerberos Realm and Search Base clearly filled in; if you don't, there is an error in the local host files you set up.

Make sure you save the configuration. Getting the configuration and LDAP database working will take about a minute or so, and then you're done! It's really that easy to set up an LDAP server and Kerberos authentication.

Figure 2. Create a New Open Directory Master Domain

Step 4: Configure a Mac client

Configuring a Mac client to talk to Open Directory is trivial. It is almost easier than launching iTunes. Go to your Mac client's Utilities folder and open up Directory Access.

From here, you want to check the LDAP option and select Configure. When the dialog box opens, select "New" and type in the name or address of your Open Directory master. When you select Continue, it will autoconfigure everything. You're done! Just reboot, and you'll be connected.

Figure 3. Selecting LDAP

Figure 4. Create a New LDAP Connection

Step 5: Enabling Fast User Switching

By far the easiest way to test Open Directory user accounts is to enable Fast User Switching in System Preferences > Accounts > Login Options. This way you can just go to the upper-right-hand corner of your screen and quickly test the changes you make.

(Note: One gotcha to look out for is that authentication lookups cascade through the local node first. If you already have a local account called "bob" and then create an Open Directory account called "bob," the local account wins. Keep that in mind if something doesn't seem to work the way you hoped!)

Step 6: Adding an Open Directory user

Fire up Workgroup Manager and add a new user. I suggest adding a new test user called "oduser." Create an easy password like "test" and save the user.

Now select the Home tab and create a local home directory for the new user on your client machine. (Note that you will need to create this directory manually later.) Click the "+" icon and, under Home, enter /Users/oduser. This will put the home directory field in the database. Now save.

Figure 5. Create a Local Home Directory

Step 7: Adding a local home directory for the Open Directory User

We now need to create a local directory that corresponds with the home directory attribute. Open a shell as root and type in:

mkdir /Users/oduser

chown oduser:staff /Users/oduser
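The two commands above do the job, but chown will fail (or worse, succeed against an unrelated local account of the same name) if the client cannot see the directory user yet. The script below is an added example, not from the article: it resolves the user through the client's passwd lookup first, refuses to create the directory if the account does not resolve, will not clobber an existing directory owned by someone else, and sets mode 0700 (an assumption of this example; the article does not specify permissions). The getpw parameter is injectable only so the logic can be exercised without a real directory account; on a bound client the default, pwd.getpwnam, consults Open Directory as well as the local node.

```python
"""Create the local home directory for a directory-services user only after
the client can resolve that user.  Added example; the name 'oduser' and the
/Users path follow the article's Step 7."""
import os
import pwd
import stat
import tempfile
import types


def prepare_home(username, base="/Users", getpw=pwd.getpwnam):
    """Create base/username owned by the user with mode 0700 and return its path.

    getpw maps a user name to an object with pw_uid and pw_gid (pwd.getpwnam
    by default) and is injectable for testing."""
    try:
        entry = getpw(username)
    except KeyError:
        # The account is not visible to this client: either the LDAP bind to
        # the master failed or the user was never created.  Creating the
        # directory now would leave an orphaned tree, so refuse.
        raise RuntimeError(
            f"{username!r} does not resolve on this client; check the LDAP bind first"
        )
    home = os.path.join(base, username)
    if os.path.exists(home):
        st = os.stat(home)
        if not stat.S_ISDIR(st.st_mode) or st.st_uid != entry.pw_uid:
            raise RuntimeError(f"{home} exists but is not a directory owned by {username}")
        return home  # already prepared; nothing to do
    os.mkdir(home, 0o700)
    os.chown(home, entry.pw_uid, entry.pw_gid)
    os.chmod(home, 0o700)  # mkdir's mode is masked by umask, so set it explicitly
    return home


def demo(base=None):
    """Exercise prepare_home without a directory account: a stand-in lookup
    maps 'oduser' to the current process's uid/gid and rejects every other
    name.  Returns (mode of the created directory, whether an unknown user
    was rejected)."""
    me = types.SimpleNamespace(pw_uid=os.getuid(), pw_gid=os.getgid())

    def fake_getpw(name):
        if name == "oduser":
            return me
        raise KeyError(name)

    def run(root):
        home = prepare_home("oduser", root, getpw=fake_getpw)
        prepare_home("oduser", root, getpw=fake_getpw)  # idempotent second call
        mode = stat.S_IMODE(os.stat(home).st_mode)
        try:
            prepare_home("no-such-user", root, getpw=fake_getpw)
            rejected = False
        except RuntimeError:
            rejected = True
        return mode, rejected

    if base is not None:
        return run(base)
    with tempfile.TemporaryDirectory() as tmp:
        return run(tmp)


if __name__ == "__main__":
    print(demo())  # on a bound client, prepare_home("oduser") as root does the real work
```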

Step 8: Do a fast user switch test

Go to the upper-right corner and log in as oduser with the password "test." You should be able to log in, and skeleton account data will auto-populate /Users/oduser. You are now using Open Directory!

Figure 6. Fast User Switch Select

Open Directory is easy to use and set up, and it can be used in both massive corporate installations and small home setups. Open Directory can manage a heterogeneous environment consisting of Windows, Linux, and OS X clients, or it can seamlessly integrate into an Active Directory or LDAP world.

This article showed you a quick and dirty way to set up Open Directory from scratch and authenticate a Mac client against it. This barely scratches the surface of what Open Directory can really do. In the next part of this article, I will show you how to integrate a Linux file server to serve out common network home directories for OS X and Linux clients, as well as authenticate Linux boxes to Open Directory.

Noah Gift is the co-author of Python For Unix and Linux by O'Reilly. He is an author, speaker, consultant, and community leader, writing for publications such as IBM Developerworks, Red Hat Magazine, O'Reilly, MacTech, and Manning.


Copyright © 2017 O'Reilly Media, Inc.