Discover the Power of Open Directory
by Noah Gift
Open Directory is one of Apple's best-kept secrets. Open Directory is Apple's Directory Server, and believe it or not, it can run your corporation or your home network.
In part one of this three-part series, we will configure a very basic Open Directory System and set up an OS X client on it. In part two, we will set up a Red Hat Linux client to use Open Directory, configure common NFS home directories served out from a Linux NFS server for both OS X and Linux, and finally, set up a mobility account (caching network home directory--great for laptops). In part three, we will journey into the unthinkable by authenticating a Windows machine against Open Directory and giving it a roaming profile. Yes, that is correct, Open Directory does Windows, too!
Many people are under the impression that there are two options when it comes to Directory Services: if your systems are predominantly Unix, then you run OpenLDAP, and if your systems are predominantly Windows, then you run Active Directory.
There is another choice. I have personally used Open Directory in a corporate setting, and it works great! In fact, Linux, OS X, and Windows clients were authenticating to Open Directory and all working off of network home directories. Yes, that is correct--Linux and Windows clients can authenticate and work from network home directories.
Additionally, Open Directory is a dream to administer and set up, and very inexpensive to operate. A license for OS X Server, which supports 10 AFP clients, is around $500. It is wise to run a master plus a replica (Apple's term for the read-only secondary) so that authentication survives the loss of one box, so this will run you about $1,000 in software costs. All you need next are two machines with mirrored hard drives, a couple gigs of RAM, and that's it! A corporation can easily run off of this configuration.
Setting Up Open Directory
Now let's take a look at how easy it is to set up Open Directory. At home I have a Mac mini running OS X Server that works just fine with 512MB of RAM as an Open Directory Master. I take care to make backups of the database, but this setup had a total cost of around $1K. Not a bad idea for a small business or a sophisticated home setup like mine.
My home setup is as follows:
- File Server: CentOS 4.4 box with 1TB RAID shared out via NFS.
- Authentication: OS X Server, version 10.4.9, running on a Mac mini. This is the Open Directory box.
- Clients: MacBook Pro (10.4.9), PowerPC iBook (10.4.9), CentOS 4.4, Ubuntu 7.04 web server, and quite a few virtual machines.
Let's assume you have a spare Mini or workstation you can throw OS X Server on for this test. I am also going to assume you are on a private network. If you're on a public network, you can easily switch my "pretendco" examples for real FQDN entries. Now let's get started!
Step 1: Getting local host files configured properly
These entries should be entered into all machines connecting to Open Directory. DNS is one of the few things that can trip up Open Directory: the master derives its Kerberos realm and LDAP search base from its own fully qualified hostname, and Kerberos clients need the server's name to resolve forward and backward to the same canonical name, so for this test we will just use local host files. Name resolution needs to be correct for every lookup to the LDAP database, and it must be identical on every machine; one stale or conflicting entry will silently break Kerberos ticket acquisition on that client. (For a production deployment, proper DNS with matching forward and reverse records is the right fix, but the hosts file is the quickest way to get a lab going.) Here is an example of what would be appended to the /etc/hosts file on both the Open Directory master and the clients. (Notes: always back up your /etc/hosts file before you edit, and APPEND this data--do not replace your whole config file.)
192.168.0.106 mini.pretendco.com mini
192.168.0.101 cent.pretendco.com cent
192.168.0.104 ubu.pretendco.com nlap
Figure 1. Local Host File Example
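Because a bad hosts entry is the most common reason an Open Directory promotion comes up without a Kerberos realm, it is worth checking the file mechanically before clicking through Server Admin. The following POSIX shell script is an added example, not part of the original article: it validates that a hostname maps to exactly one address in a hosts-format file, that the address is the one you expect, and that the reverse mapping of that address names the FQDN as its canonical (first) name. The sample hosts text is constructed from the pretendco.com entries above; the function name check_hosts and the use of a temporary file are my own choices.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check hosts entries that
# Open Directory depends on, before promoting a machine to OD Master.
# OD derives the Kerberos realm and LDAP search base from the server's
# FQDN, so the name must resolve forward and backward consistently.

# Constructed sample: the same three entries as the article's Figure 1.
SAMPLE_HOSTS='192.168.0.106 mini.pretendco.com mini
192.168.0.101 cent.pretendco.com cent
192.168.0.104 ubu.pretendco.com nlap'

# check_hosts FILE FQDN EXPECTED_IP
# Returns 0 when FQDN appears on exactly one address in FILE, that address
# equals EXPECTED_IP, and the first name listed for EXPECTED_IP is FQDN.
# Any other situation (duplicate name, wrong address, FQDN only an alias
# of some other canonical name) returns 1 and prints the reason to stderr.
check_hosts() {
    file=$1; fqdn=$2; want_ip=$3
    # Drop comments and blank lines.
    entries=$(sed 's/#.*//' "$file" | awk 'NF')
    # Forward: every address that carries this name, canonical or alias.
    ips=$(printf '%s\n' "$entries" \
        | awk -v n="$fqdn" '{for (i = 2; i <= NF; i++) if ($i == n) print $1}' \
        | sort -u)
    count=$(printf '%s\n' "$ips" | awk 'NF {c++} END {print c + 0}')
    if [ "$count" -ne 1 ]; then
        echo "FAIL: $fqdn maps to $count addresses (expected exactly 1)" >&2
        return 1
    fi
    if [ "$ips" != "$want_ip" ]; then
        echo "FAIL: $fqdn -> $ips, expected $want_ip" >&2
        return 1
    fi
    # Reverse: the canonical (first) name for that address must be the FQDN.
    canon=$(printf '%s\n' "$entries" | awk -v ip="$want_ip" '$1 == ip {print $2; exit}')
    if [ "$canon" != "$fqdn" ]; then
        echo "FAIL: canonical name for $want_ip is '$canon', expected $fqdn" >&2
        return 1
    fi
    return 0
}

# Demo against the constructed sample. For a real check run, e.g.:
#   check_hosts /etc/hosts "$(hostname)" 192.168.0.106
demo=$(mktemp)
printf '%s\n' "$SAMPLE_HOSTS" > "$demo"
for pair in mini:192.168.0.106 cent:192.168.0.101 ubu:192.168.0.104; do
    name=${pair%%:*}.pretendco.com
    ip=${pair#*:}
    if check_hosts "$demo" "$name" "$ip"; then
        echo "ok: $name -> $ip"
    fi
done
rm -f "$demo"
```

Run it on every machine that will join the domain, passing the name you intend to promote. On the master itself, also confirm that `hostname` prints the same FQDN you pass as the second argument; if the machine thinks it is called something else, the realm Server Admin proposes will not be the one you expect.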
Step 2: Using Server Admin Tools
The Server Admin Tools are available as a free download if you don't have them installed already. They are also quite easy and intuitive to use. Once they are installed you might want to put an icon for the Workgroup Manager and Server Admin in your dock for easy access.
- Open up Server Admin.
- Add Server mini.pretendco.com.
- Select Open Directory Service and Change to Open Directory Master.
Step 3: Create a new Open Directory master domain
Note that a separate account called the Directory Administrator (diradmin) is created. All administrative tasks in Workgroup Manager will be performed by this account, and it is distinct from the server's local administrator: diradmin can create, delete, and reset the password of every user in the domain, so give it a strong password and treat it as the most sensitive credential on your network. Also note that you should see the Kerberos Realm (normally your FQDN in upper case, e.g. MINI.PRETENDCO.COM) and the LDAP Search Base (e.g. dc=mini,dc=pretendco,dc=com) filled in. If either is missing or wrong, the likely cause is an error in the local host files you set up in Step 1; fix that first rather than editing the values by hand.
Make sure you save the configuration. Getting the configuration and LDAP database working will take about a minute or so, and then you're done! It's really that easy to set up an LDAP server and Kerberos authentication.
Figure 2. Create a New Open Directory Master Domain