Integrating Active Directory and Apple’s Open Directory
For environments that include Mac OS X Server, another option is integrating Active Directory with Apple’s Open Directory. Like Active Directory, Open Directory is an LDAP-based directory service that uses Kerberos (along with other authentication mechanisms) for secure authentication and single sign-on. It can serve both centralized account management and client management, the latter through Open Directory’s managed preferences features.
Similar to group policies, managed preferences in Mac OS X can be used to manage virtually any aspect of system configuration or the user environment. As mentioned, Centrify integrates with these options to deliver the client management capabilities in Direct Control. Apple has implemented 15 major areas of Mac system management that can be defined using the Workgroup Manager administration tool. However, since Mac OS X Tiger was released in 2005, administrators have also had access to a Preferences Editor feature that can manage the user experience of any application that stores its preferences or configuration files according to Apple’s guidelines for developers. This allows almost complete management of a Mac that has been joined (bound) to an Open Directory domain.
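To make the managed-preferences mechanism concrete, here is an added example (not code from the article, Apple or Centrify) that builds a managed-preferences payload for a few preference domains and then audits it the way a defender would: checking that security-relevant keys are actually enforced rather than merely suggested. It assumes the MCX plist layout that Workgroup Manager stores in directory records: a top-level `mcx_application_data` dictionary keyed by preference domain, each domain holding a management state (`Forced` for settings the user cannot change, `Set-Once` for a one-time default) that wraps a list of `mcx_preference_settings` dictionaries. The attribute name `apple-mcxsettings`, the domain names and all values below are constructed sample data, not taken from the page.

```python
"""Build and audit an MCX managed-preferences payload.

Added illustration, not from the article. Assumed layout: the value of an
``apple-mcxsettings`` attribute is an XML plist whose ``mcx_application_data``
dict is keyed by preference domain; each domain maps a management state
(``Forced`` or ``Set-Once``) to a list of ``mcx_preference_settings`` dicts.
All sample domains and values are constructed.
"""
import plistlib
from typing import Any

# Management states assumed for this example. Only "Forced" settings are
# re-applied on every login and cannot be changed by the user.
STATES = ("Forced", "Set-Once")


def build_mcx(domains: dict[str, dict[str, dict[str, Any]]]) -> bytes:
    """Serialize {domain: {state: {key: value}}} into an MCX-style XML plist."""
    app_data: dict[str, Any] = {}
    for domain, states in domains.items():
        app_data[domain] = {}
        for state, settings in states.items():
            if state not in STATES:
                raise ValueError(f"unknown management state {state!r}")
            app_data[domain][state] = [{"mcx_preference_settings": dict(settings)}]
    return plistlib.dumps({"mcx_application_data": app_data})


def forced_settings(mcx_blob: bytes) -> dict[str, dict[str, Any]]:
    """Return only the settings the client cannot override (state Forced)."""
    doc = plistlib.loads(mcx_blob)
    out: dict[str, dict[str, Any]] = {}
    for domain, states in doc.get("mcx_application_data", {}).items():
        merged: dict[str, Any] = {}
        for entry in states.get("Forced", []):
            merged.update(entry.get("mcx_preference_settings", {}))
        if merged:
            out[domain] = merged
    return out


def audit(mcx_blob: bytes, required: dict[str, dict[str, Any]]) -> list[str]:
    """List required settings that are not Forced with the expected value.

    A Set-Once value is deliberately treated as non-compliant: the user can
    change it afterwards, so it provides no lasting enforcement.
    """
    forced = forced_settings(mcx_blob)
    findings = []
    for domain, settings in required.items():
        for key, expected in settings.items():
            actual = forced.get(domain, {}).get(key)
            if actual != expected:
                findings.append(
                    f"{domain}/{key}: expected {expected!r}, forced value is {actual!r}"
                )
    return findings


# Constructed sample record: forces a screensaver password, only suggests the
# idle time once, and leaves the dock unmanaged apart from a one-time default.
SAMPLE = build_mcx({
    "com.apple.screensaver": {
        "Forced": {"askForPassword": True},
        "Set-Once": {"idleTime": 600},
    },
    "com.apple.dock": {"Set-Once": {"autohide": True}},
})

# Constructed baseline an administrator might require on every bound Mac.
BASELINE = {
    "com.apple.screensaver": {"askForPassword": True, "idleTime": 600},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, BASELINE):
        print("FINDING:", finding)
```

Running the block reports that `idleTime` is only a one-time default, so the baseline is not actually enforced; the same `audit` function can be pointed at the managed-preferences value read back from a directory record to confirm that what the directory stores matches what policy requires.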
The challenge of using managed preferences directly in a largely Windows or heterogeneous environment is that, without integrating Open Directory and Active Directory in some fashion, you would need to maintain two completely independent directories containing user and computer accounts as well as groups and other organizational units. Although integrating Active Directory and Open Directory doesn’t provide a complete single management solution for both platforms as Direct Control does, it does offer the option of maintaining a single set of centralized accounts for management purposes. There is also the related challenge that you will need to implement Mac OS X Server and Open Directory, which could be an added cost both in terms of physical investment and skill-set development.
If you do opt for an integrated environment, you have a handful of choices for how to do so. First is the option to simply bind the Mac clients to both an Open Directory domain and Active Directory domain using Directory Utility (Leopard) or Directory Access (Panther or Tiger). This allows you to define managed preferences for computer accounts using Workgroup Manager with no additional steps.
If you also configure the Active Directory plug-in on the server(s) hosting the Open Directory domain, you gain the ability to create Open Directory groups that are populated with Active Directory users. If you extend the Active Directory schema to support the attributes used by Open Directory for managed preferences (or for other Mac OS X features), you can achieve a much higher level of integration between the two platforms, including the ability to define preferences for individual users. This is the most fully integrated option, though it is also typically the most complex and requires a solid understanding of both Active Directory and OpenLDAP (on which Open Directory is based) to achieve successfully.
The third major option, introduced last year with Mac OS X Leopard Server, is augmented records. These are a new Open Directory attribute that allows an Open Directory domain to augment records from another LDAP-based directory system (including Active Directory). User and group records are imported from the primary directory, which is still relied upon for authenticating users and for any appropriate attributes that it supports. Macs that are running Leopard and are bound to the Open Directory domain, however, will also read any additional attributes assigned to those imported records in Open Directory. Apple aims this feature primarily at Leopard Server’s simplified workgroup mode, which doesn’t offer all of Open Directory’s features or managed preferences, though augmented records can also be used in the full-featured advanced mode.