
View Full Version : Open Directory




brettuk
Aug 2, 2012, 05:49 PM
Hi Folks,

I'm tempted to buy OS X server as it's only 13, for me to play with for home use.

I'm curious about Open Directory, it seems to be touted as Active Directory for the rest of us, but there's a lack of detail about how it works.

Can I import existing accounts to it? Do password changes propagate through the network (I'd imagine they do)? Can you prevent certain users from logging into certain computers? For instance, I don't want every user being able to log into the OS X server, as they have no business logging in there.

Another nice feature seems to be that Synology support Open Directory, so when I get that device, everything should work seamlessly with no additional password prompts (single sign on)? Is this correct?

I've had some limited experience with Active Directory, I had a test domain I played with when I was younger, but not with Open Directory.

Thanks



jackhdev
Aug 3, 2012, 05:15 PM
Yes, you can import accounts into Open Directory and the password changes propagate through the network. You can restrict who logs into the server using Service Access settings.

I don't know what Synology is.

Open Directory is REALLY easy to set up. You fill in a few text boxes (nothing complicated), click ok, and it creates everything.

DoFoT9
Aug 4, 2012, 12:18 AM
> Can I import existing accounts to it? Do password changes propagate through the network (I'd imagine they do)? Can you prevent certain users from logging into certain computers? For instance, I don't want every user being able to log into the OS X server, as they have no business logging in there.

Yes, most certainly can do that - OD is actually extremely powerful! Apple's implementation of OD is "for the rest of us", but there are still the "things users don't see" aspects which make it potentially even far greater than AD.

> Another nice feature seems to be that Synology support Open Directory, so when I get that device, everything should work seamlessly with no additional password prompts (single sign on)? Is this correct?

Yes, it works perfectly, have used it many times.

> Yes, you can import accounts into Open Directory and the password changes propagate through the network.

Yes, it's important to mention here that each machine you want to connect to the OD (like AD) must be joined to the domain. System Prefs->Users & Groups->Login Options->Join.

:)

Truffy
Aug 6, 2012, 02:27 AM
Never used AD, but OD is undoubtedly useful. I understand that it has some weaknesses compared to AD, but for a SOHO setup it should suffice easily enough. I'm coming from SLS and have read that MLS's implementation of OD (such as MCX) is different. But I'm still working through the real-world implications of that.

marc7654
Aug 8, 2012, 07:44 AM
An Apple OD system is actually a combination of OpenLDAP, Kerberos and something Apple calls Password Server. Password Server deals with all the passwords that can't be dealt with through Kerberos, like NTLM etc. It's all automatic; you don't usually need to manage each component separately.

The key to setting up any OS X Server is to get DNS and static IPs set up before you set up the server. Apple has good documentation for the basic setup and management. If you need to integrate with Windows systems then it gets much more complicated.

drober30
Aug 9, 2012, 07:52 AM
I just completed an Apple training on OS X 10.7 and Server. I'm looking to set up an OD and possibly integrate it with our AD too.

Anyways, one thing that was mentioned in training, or that I was warned about, is the possibility of the Mac user's Keychain becoming out of sync. Understanding how this happens upfront and how to fix it will make your life easier.

I will leave it up to the much more knowledgeable on here to elaborate.

In the next few days I need to learn about Deploy Studio. My instructor said it is an excellent program and I look forward to learning all this new stuff!