
So You Want to Be a Mac OS X Server Admin? Understanding the Building Blocks of Open Directory and Mac OS X User Management

Managing user accounts is a fundamental task for any systems administrator. Working with user and computer accounts in a network is often a common part of many IT and technical support jobs as well. To manage user accounts in a Mac OS X environment, it helps to understand how they are stored and accessed on both individual workstations and in shared directories in Mac OS X Server. With Ryan Faas, find out about the hidden architecture at the core of user and computer management in Mac OS X and Mac OS X Server and how to use it effectively and securely.
This article covers the conceptual and practical aspects of how Mac OS X workstations and servers use Apple’s Open Directory architecture to store and make use of user account information. It also includes information about computers and other resources within a network. First, I’ll explain what Open Directory is, how it works, and the basics of an Open Directory infrastructure. Then, I’ll move on to the practical steps involved in creating and editing user accounts within Open Directory under Mac OS X Server.

Understanding Open Directory

Directory services are one of the backbones of a network operating system. Each major network operating system includes at least one type of directory service that stores information about users, servers and workstations, and network resources. A directory service is essentially a database that contains predetermined fields for storing information. This predetermined structure is called the service’s schema. Each type of directory service has a unique schema that formats data about users, groups, computers, printers, and so forth. It’s possible for an administrator to modify that schema if the fields included in it don’t provide enough flexibility for resources in a network, although this is usually done only if one needs to integrate multiple directory services in a single network (such as Apple’s Open Directory and Microsoft’s Active Directory).

In modern operating systems designed for use in a network, such as Mac OS X, a directory service exists on each computer to support multiple users of that computer. This local directory service typically includes just a list of user accounts that can be used for multiple users to log in to the computer, each with his or her own computing experience and using a folder on the local hard drive as each user’s home directory or home folder. The local directory service can also store information about which components of the computer a particular user is allowed to access.

Network operating systems, such as Mac OS X Server, include much more robust directory services. At a server level, directory services provide administrators with several important capabilities. The most significant of these is that they centralize the data that could be stored in the directory services of individual workstations in a single place.

Beyond storing directory data in a central place, network-based directory services allow that data to be shared with all the workstations and servers within a network. Users can authenticate against a shared directory for access to any workstation on the network, not just the one in their office or classroom. The user account can also be used for ownership of any files that they create anywhere within the network. Likewise, it can be used to set access restrictions not only on files created by other users but also on files and folders created by the system administrator, on whole share points, and on printers and other shared devices, and to establish predefined preferences and restrictions for any workstation or application to which the user has access. By incorporating home directories with directory services, users can maintain a consistent user experience across all workstations and have a secure place to store their files that can be accessed from any workstation.

Directory services under Mac OS X and Mac OS X Server are part of a multipart architecture called Open Directory. Open Directory goes beyond being a single directory service and truly goes beyond the basic functions of a directory service. It includes a series of components that manage access to multiple types of directory services: Apple’s LDAP implementation (which is often referred to simply, and slightly confusingly, as Open Directory), other LDAP directory types, Apple’s legacy NetInfo directory service, Microsoft’s Active Directory, and Unix NIS servers and BSD configuration files. Open Directory components also manage Mac OS X’s interaction with self-discovering network protocols such as AppleTalk, Rendezvous/Bonjour, Microsoft’s SMB, and the open standard SLP protocol. In both the client and server versions of Mac OS X, you can manage each of these components by using the Directory Access application.

Although Open Directory is a very robust collection of network components, discussion of Open Directory generally refers to the Apple LDAP or NetInfo directory databases, which are used for storing and sharing directory data. Apple’s LDAP and NetInfo directory databases are the two that can be considered native to Mac OS X; that is, the operating system is designed specifically to interact with them and with their particular schema for storing directory information.

Open Directory is a central piece of Mac OS X, which was designed from the ground up as a multiuser and network operating system. The majority of Mac OS X components and applications interact with Open Directory. For example, the Mac OS X Login Window application, which authenticates user access to a computer, interacts with Open Directory whenever a user attempts to log in. Login Window simply passes the username and password to Open Directory; Open Directory attempts to locate an entry in one of its databases (a user entry in a directory database can also be referred to as a user object or a user account) that matches the username entered and, assuming that it finds a match, verifies the password. The results are then passed back to the Login Window, which either processes the user’s login or rejects it.

For another example, the Mac OS X file system allows users to be designated as owners of the folders and files they create and enables access rights to be assigned to folders and files for other users. The file system isn’t concerned with usernames or passwords; it is concerned solely with user ID numbers that are associated as having access to or ownership of a folder or the group ID numbers that are specified as having some level of access to the folder. When a user tries to access the folder, the file system looks to Open Directory for the user ID number to know whether the user is the folder’s owner. If not, it looks to Open Directory to know whether the user has permission to access the folder or is a member of a group designated with access rights to the folder. The file system doesn’t need to know the user’s name or which groups the user belongs to. Open Directory has that information stored as part of the user object, along with the relevant user ID and group ID numbers.

Open Directory doesn’t just act as a moderator for user information. It can contain entries or objects for groups of users, workgroups (groups that have managed preferences settings), computers, computer lists, print queues, share points that are auto-mounted by computers, and varying kinds of presets. Each of these objects has a series of unique attributes that contain identification or configuration information. A user object, for example, includes attributes (or database fields) for user ID number, full user name, shortname(s), password and password type, home directory location and storage quota, group membership, printer access and quotas, managed preferences configurations, email information, and administrative rights and options. Through the broad range of information that Open Directory stores, it acts as a perfect repository for the information that various operating system and application components might need to access. Keeping this information independent of the components or processes that need access to it ensures its integrity and availability. It also allows the information to be centrally stored and managed, whether on a local workstation or in a shared directory stored on a Mac OS X Server Open Directory server.

Apple calls individual Open Directory databases domains (they are also commonly called shared directories or shared domains). Each Mac OS X computer contains a built-in local Open Directory domain. This domain is a NetInfo domain that contains information about local users and local resources for that computer. Local domains provide you the ability to create multiple user accounts on a single computer. Those user accounts are limited to that particular computer. They can be used to connect to the computer over a network for file sharing, although this is accomplished using the Connect to Server option from the Finder’s Go menu. When you use the Connect to Server command and the computer is not part of a shared domain, the computer you are using establishes a connection to the requested computer (a server or a workstation with file sharing enabled) using a file sharing protocol, which prompts you for a username and password if both computers are not part of a shared directory domain. The file sharing protocol on the requested computer then accesses its local directory domain to determine whether you are allowed access to any shared folders.

This process is very different from a shared directory domain. A shared domain is an LDAP domain that is hosted on an Open Directory server (for older Mac OS X Server infrastructures, the domain may also be a shared NetInfo domain, although using shared NetInfo domains has been significantly discouraged in the two most recent Mac OS X Server versions). The domain is shared over TCP/IP with other computers. When you log in to a computer that is configured to access a shared domain, the computer first looks for your user entry in its local NetInfo domain and, if it doesn’t find a match, looks to the shared domain. When you log in, specified share points can be mounted automatically, giving you access to a network home directory and possibly other shared folders as well. If you use the Connect to Server command to access resources on a server that is also part of the same directory domain (whether you are connecting to the same server that is hosting the domain or to another server that is part of the domain), your user account is verified based on the shared domain without you needing to provide any separate information for the server.

Shared domains are the basis of Mac OS X administration. They are where you store user accounts, create user groups, configure managed preferences, set up auto-mounting of share points, configure access to group folders and resources, and publish print queues to which your users have access and whose use you can restrict. You can have a single shared domain or you can have several. If you have multiple directory domains, you need to determine the order in which Mac OS X computers will search them for Open Directory information. This process is called establishing a search path.

A search path exists for all Mac OS X computers. Even those with only local NetInfo domains have a search path, although their search path only contains the local domain. If you have a single shared domain, the search path would be first the local domain and then the shared domain. If you have more than one shared domain, the search path designates which shared domain to search first (and then second, third, and so on). Search paths can be configured in a number of ways.

Located in the /Applications/Utilities folder of any Mac OS X installation, Directory Access is the utility that allows you to configure which components of Open Directory are active and how those components interact with shared resources and shared directory domains. Directory Access allows you to configure access to a shared domain for a workstation (or, in certain situations, a server) and allows you to specify the workstation’s search path.

Directory Access consists of three tabs: Services, Authentication, and Contacts. The Services tab contains a list of all the modules that are part of Open Directory. Each of these modules relates either to a self-discovering network protocol or a directory service type. The Authentication tab allows you to specify the Open Directory search path. The Contacts tab allows you to specify a search path for contact information (which can also be stored in an LDAP directory). The search path specified in the Contacts tab can theoretically be accessed by a number of Mac OS X applications, although only the Address Book and (because of its integration with Address Book) the Mac OS X Mail application make use of a Contacts search path in any practical way. Contacts search paths are configured in the same way as Authentication search paths.

Each Open Directory module listed on the Services tab can be enabled or disabled using the checkbox next to it. Note: you will need to authenticate using a local administrator account for the workstation using the padlock button to make changes in Directory Access, and you will need to click the Apply button to save and activate changes. Disabling those modules related to self-discovering protocols can help you restrict user access to those protocols. However, Open Directory modules don’t provide full control of all of these services. Those modules that provide directory services should be disabled only if you are certain that you will not provide authentication or user information based on those services.

By default, the search path is defined automatically as the local NetInfo domain and any shared domains specified by a DHCP server. You can manually configure a search path or you can set Directory Access to create one automatically using the Authentication tab. The Authentication tab contains a Search pop-up menu and a Directory Domain list. The Search menu allows you to configure an automatic search path (the default) in which shared domains provided by a DHCP server are searched after the local NetInfo domain (which is always first in any search path), a local directory search path that searches only the local NetInfo domain regardless of Open Directory module configurations, and a custom search path in which you manually specify which shared directories are included in the Directory Node list and the order in which they are searched.

To create a custom search path, you should first configure the appropriate Open Directory modules in the Services tab to access the directories you want to include in the search path. For Open Directory LDAP domains (those hosted by Mac OS X Server version 10.2 and higher), you would enable and configure the LDAPv3 module. With each version of Mac OS X, configuring this module has gotten significantly easier. In Mac OS X Tiger, it is simply a matter of clicking the New button and entering the IP address or DNS name of the Open Directory server (along with choosing whether SSL will be used to secure the connection, which requires SSL configuration of the server, and whether the directory domain will be used for user authentication and access and/or for contact search paths). Depending on the version of Mac OS X, you might also need to select Open Directory as the LDAP mappings for the domain, which specifies that the Open Directory schema is used by the domain, and enter the domain’s search base (which I’ll explain in a bit). Depending on the Mac OS X version, you might also need to configure the LDAPv3 module to allow automatic search paths to include domains specified by a DHCP server, as shown in the following figure.

Once access to the directories is configured, select Custom Path from the Authentication tab’s Search pop-up menu. Depending on the type of directories you choose, they can be listed automatically in the Directory Node list. If they are not, click the Add button. All available directories (that is, those you have configured and that the workstation can locate over the network) should be listed in the Available Directories dialog box that is displayed. Select the directories you want to include in your search path and click OK. They will be added to the Directory Domain list. Drag the directories into the appropriate order (top being first) to create your search path, noting that the local NetInfo/root directory is grayed-out because it is always searched first. If there are any directories in the Directory Domain list that you don’t want included, select them and click the Remove button. When you have configured your search path, click the Apply button to save and activate it. Restart the computer, and the new search path will be implemented.
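The lookup order described above (local NetInfo domain first, then the shared domains in the order set in Directory Access) and the file-system check described earlier (the file knows only an owner ID, a group ID and a mode; Open Directory supplies the user's ID and group memberships) are modelled below. This is an added example, not code from the article or from Apple: the node names other than /NetInfo/root, the accounts, the passwords and the file are all constructed here so it runs offline; on a real Tiger machine the equivalent lookups are `dscl localhost -read /Search` for the search policy and `dscl /Search -read /Users/<name>` for the first match on the path.

```python
import hashlib
import hmac
import os

# Bit values for one owner/group/other triple of a POSIX mode.
READ, WRITE = 4, 2


def make_user(uid, gid, group_ids, password, salt=None):
    """Construct a user object with the attributes the article names:
    user ID, primary group ID, group membership and a password verifier.
    The password is kept as a salted PBKDF2 digest, never in the clear."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return {"UniqueID": uid, "PrimaryGroupID": gid,
            "GroupIDs": set(group_ids) | {gid},
            "salt": salt, "digest": digest}


# Constructed domains. "/NetInfo/root" is the local node named in the article;
# the LDAPv3 node name and every account below are made up for this example.
LOCAL = {"node": "/NetInfo/root", "users": {
    "admin":  make_user(501, 80, {80}, "local-admin-pw"),
    "jsmith": make_user(502, 20, {20}, "local-jsmith-pw"),  # same shortname as shared user
}}
SHARED = {"node": "/LDAPv3/od.example.com", "users": {
    "jsmith": make_user(1025, 1000, {1000, 1001}, "network-jsmith-pw"),
    "mlee":   make_user(1026, 1000, {1000}, "network-mlee-pw"),
}}


def build_search_path(*shared_domains):
    """The local domain is always first (it is greyed out in Directory Access);
    shared domains follow in the order the administrator dragged them."""
    return [LOCAL, *shared_domains]


def lookup_user(search_path, shortname):
    """Walk the search path in order and return (node, user object) for the
    first match, or None. Because the local domain is searched first, a local
    account with the same shortname hides the shared account entirely."""
    for domain in search_path:
        record = domain["users"].get(shortname)
        if record is not None:
            return domain["node"], record
    return None


def authenticate(search_path, shortname, password):
    """Login Window hands Open Directory a name and password; Open Directory
    locates the first matching user object and verifies the password."""
    hit = lookup_user(search_path, shortname)
    if hit is None:
        return False
    _, record = hit
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 10_000)
    return hmac.compare_digest(candidate, record["digest"])


def can_access(search_path, shortname, file_meta, want):
    """File-system check as the article describes it: the file carries only an
    owner uid, a group gid and a mode; the user's uid and group ids come from
    the resolved user object. `want` is READ or WRITE."""
    hit = lookup_user(search_path, shortname)
    if hit is None:
        return False
    _, record = hit
    mode = file_meta["mode"]
    if record["UniqueID"] == file_meta["owner"]:
        bits = (mode >> 6) & 7          # owner triple
    elif file_meta["group"] in record["GroupIDs"]:
        bits = (mode >> 3) & 7          # group triple
    else:
        bits = mode & 7                 # other triple
    return bool(bits & want)


if __name__ == "__main__":
    path = build_search_path(SHARED)
    # Constructed file owned by the shared jsmith (uid 1025), group 1000, mode 0640.
    report = {"owner": 1025, "group": 1000, "mode": 0o640}
    print(lookup_user(path, "jsmith")[0])                      # /NetInfo/root: local wins
    print(authenticate(path, "jsmith", "network-jsmith-pw"))   # False: local record was checked
    print(can_access(path, "mlee", report, READ))              # True, via group 1000
```

The shadowing case is the one to watch when auditing a workstation: a local account that shares a shortname with a network account silently takes precedence for both login and file ownership decisions.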
