Chapter 1. Directory Services

A directory service is the software that stores, organizes, and provides access to information in a directory. In the sense used throughout this book, a directory is a database of users, groups, computers, and network devices such as printers, and the directory service supplies that database to client computers. In most enterprise, educational, and other large institutions, the common implementations are Microsoft's Active Directory (AD), Novell's eDirectory, and the open source OpenLDAP. Most modern directory services are based on standards developed in public forums.

The most common architectural guidelines are defined in the X.500 model, "The Directory: Overview of concepts, models and services." While the concepts and roots of most directories are complex, by their very nature they share the simple goal of unified user management, authentication, and authorization. Directory servers of different origins therefore have much in common in their structure and accessibility. The Lightweight Directory Access Protocol (LDAP), which nearly every major directory service supports, is a testament to this need for accessibility, as we will discuss later in this chapter. Put simply, any system engineered for large-scale centralized authentication must allow disparate clients to participate; otherwise its growth is inherently limited.

In Mac OS X, a number of plug-ins allow you to leverage a variety of directory services. Every computer must at least contain a local directory service database to establish a baseline of system-critical data, such as users, groups, and even some configuration data. If every Mac OS X computer sold required an enterprise directory service just to log in, Apple stores would not be popping up like Starbucks in cities around the United States. Local authentication is a cornerstone of all modern operating systems, and often the gateway through which small and medium businesses grow into larger directory systems over time. A common misconception is that Apple's Open Directory terminology applies only to its enterprise-class authentication services. In reality, the same term covers the directory service behind local accounts on every client. In earlier releases Apple even ran the same technology on Open Directory masters, such as netinfod in 10.2 and Password Server in 10.3. Building what amounts to a miniature directory server into the base operating system allows later migration to larger directory service systems without much reeducation of entry-level system administrators. The best example is Apple's parental controls system, which at its base leverages the same technology used to manage thousands of Mac OS X computers in enterprise environments every day. Thanks to such forethought, clients can also be configured out of the box to use a variety of external directory services; support for several network-based directory service systems is provided without installing any additional software.

This chapter starts with an explanation of how the local directory service works. Once we have explained how local users are managed, we will move on to LDAP, the industry-standard protocol used to supply directory services. Next, we will cover the various ways of binding Mac OS X to directory servers so that end users can log into their computers with a centralized username and password. Finally, we will look at building external accounts and show how to build a directory service based on Apple's Open Directory.
