Apple MAC OS X SERVER Administrator Guide

Mac OS X Server
Administrator’s Guide
Apple Computer, Inc.
© 2002 Apple Computer, Inc. All rights reserved.
Under the copyright laws, this publication may not be copied, in whole or in part, without the written consent of Apple.
The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.
Apple, the Apple logo, AppleScript, AppleShare, AppleTalk, ColorSync, FireWire, Keychain, Mac, Macintosh, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. AirPort, Extensions Manager, Finder, iMac, and Power Mac are trademarks of Apple Computer, Inc.
Adobe and PostScript are trademarks of Adobe Systems Incorporated.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
Netscape Navigator is a trademark of Netscape Communications Corporation.
RealAudio is a trademark of Progressive Networks, Inc.
© 1995–2001 The Apache Group. All rights reserved.
UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.
062-9285/7-26-02

Contents

Preface How to Use This Guide 39

What’s Included in This Guide 39

Using This Guide 40

Setting Up Mac OS X Server for the First Time 41

Getting Help for Everyday Management Tasks 41

Getting Additional Information 41

1 Administering Your Server 43

Highlighting Key Features 43

Ease of Setup and Administration 43
Networking and Security 44
File and Printer Sharing 44
Open Directory Services 45
Comprehensive Management of Macintosh Workgroups 45
High Availability 46
Extensive Internet and Web Services 46

Highlighting Individual Services 46

Directory Services 47
Open Directory 47
Password Validation 47
Search Policies 48
File Services 48
Sharing 48
Apple File Service 49
Windows Services 49
3
Network File System (NFS) Service 49
File Transfer Protocol (FTP) 50
Print Service 50
Web Service 51
Mail Service 51
Macintosh Workgroup Management 52
Client Management 52
NetBoot 52
Network Install 53
Network Services 53
DHCP 54
DNS 54
IP Firewall 54
SLP DA 54
QuickTime Streaming Service 55

Highlighting Server Applications 56

Administering a Server From Different Computers 58
Server Assistant 58
Open Directory Assistant 58
Directory Access 59
Workgroup Manager 59
Opening and Authenticating in Workgroup Manager 59
Major Workgroup Manager Tasks 60
Server Settings 60
Server Status 61
Macintosh Manager 62
NetBoot Administration Tools 62
Network Install Administration Application 62
Server Monitor 62
Streaming Server Admin 63

Where to Find More Information 64

If You’re New to Server and Network Management 64
If You’re an Experienced Server Administrator 64

2 Directory Services 65

Storage for Data Needed by Mac OS X 66

A Historical Perspective 67

Data Consolidation 68
Data Distribution 69

Uses of Directory Data 70

Inside a Directory Domain 71

Discovery of Network Services 72

Directory Domain Protocols 73

Local and Shared Directory Domains 74

Local Data 74
Shared Data 75
Shared Data in Existing Directory Domains 78

Directory Domain Hierarchies 78

Two-Level Hierarchies 79
More Complex Hierarchies 81

Search Policies for Directory Domain Hierarchies 82

The Automatic Search Policy 83
Custom Search Policies 84

Directory Domain Planning 85

General Planning Guidelines 85
Controlling Data Accessibility 86
Simplifying Changes to Data in Directory Domains 86
Identifying Computers for Hosting Shared Domains 87

Open Directory Password Server 87

Authentication With a Password Server 88
Network Authentication Protocols 88
Password Server Database 88
Password Server Security 89

Overview of Directory Services Tools 89

Setup Overview 90

Before You Begin 91

Setting Up an Open Directory Domain and Password Server 92

Deleting a Shared Open Directory Domain 93

Configuring Open Directory Service Protocols 93

Setting Up Search Policies 94

Using the Automatic Search Policy 95
Defining a Custom Search Policy 95
Using a Local Directory Search Policy 96

Changing Basic LDAPv3 Settings 97

Enabling or Disabling Use of DHCP-Supplied LDAPv3 Servers 97
Showing or Hiding Available LDAPv3 Configurations 97
Configuring Access to Existing LDAPv3 Servers 98
Creating an LDAPv3 Configuration 98
Editing an LDAPv3 Configuration 99
Duplicating an LDAPv3 Configuration 99
Deleting an LDAPv3 Configuration 100
Changing an LDAPv3 Configuration’s Connection Settings 100
Configuring LDAPv3 Search Bases and Mappings 101
Populating LDAPv3 Domains With Data for Mac OS X 103

Using an Active Directory Server 104

Creating an Active Directory Server Configuration 104
Setting Up an Active Directory Server 105
Populating Active Directory Domains With Data for Mac OS X 105

Accessing an Existing LDAPv2 Directory 106

Setting Up an LDAPv2 Server 106
Creating an LDAPv2 Server Configuration 106
Changing LDAPv2 Server Access Settings 107
Editing LDAPv2 Search Bases and Data Mappings 108

Using NetInfo Domains 110

Creating a Shared NetInfo Domain 110
Configuring NetInfo Binding 111
Adding a Machine Record to a Parent NetInfo Domain 113
Configuring Static Ports for Shared NetInfo Domains 113
Viewing and Changing NetInfo Data 114
Using UNIX Utilities for NetInfo 114
Using Berkeley Software Distribution (BSD) Configuration Files 115
Mapping BSD Configuration Files 115
Setting Up Data in BSD Configuration Files 118
Configuring Directory Access on a Remote Computer 118

Monitoring Directory Services 119

Backing Up and Restoring Directory Services Files 119

3 Users and Groups 121

How User Accounts Are Used 122

Authentication 122
Password Validation 123
Information Access Control 124
Directory and File Owner Access 125
Directory and File Access by Other Users 125
Administration Privileges 125
Server Administration 125
Local Mac OS X Computer Administration 126
Directory Domain Administration 126
Home Directories 126
Mail Settings 127
Resource Usage 127
User Preferences 127

How Group Accounts Are Used 127

Information Access Control 127
Group Directories 128
Workgroups 128
Computer Access 128

Kinds of Users and Groups 128

Users and Managed Users 128
Groups, Primary Groups, and Workgroups 129
Administrators 129
Guest Users 129
Predefined Accounts 130

Setup Overview 132

Before You Begin 135

Administering User Accounts 137

Where User Accounts Are Stored 137
Creating User Accounts in Directory Domains on Mac OS X Server 137
Creating Read-Write LDAPv3 User Accounts 138
Changing User Accounts 138
Working With Read-Only User Accounts 139

Working With Basic Settings for Users 139

Defining User Names 139
Defining Short Names 140
Choosing Stable Short Names 141
Avoiding Duplicate Names 141
Avoiding Duplicate Short Names 143
Defining User IDs 144
Defining Passwords 145
Assigning Administrator Rights for a Server 145
Assigning Administrator Rights for a Directory Domain 145

Working With Advanced Settings for Users 146

Defining Login Settings 146
Defining a Password Validation Strategy 147
Editing Comments 147

Working With Group Settings for Users 147

Defining a User’s Primary Group 148
Adding a User to Groups 148
Removing a User From a Group 149
Reviewing a User’s Group Memberships 149

Working With Home Settings for Users 149

Working With Mail Settings for Users 150

Disabling a User’s Mail Service 150
Enabling Mail Service Account Options 150
Forwarding a User’s Mail 151

Working With Print Settings for Users 151

Disabling a User’s Access to Print Queues Enforcing Quotas 152
Enabling a User’s Access to Print Queues Enforcing Quotas 152
Deleting a User’s Print Quota for a Specific Queue 153
Restarting a User’s Print Quota 153

Working With Managed Users 154

Defining a Guest User 154

Deleting a User Account 154

Disabling a User Account 155

Administering Home Directories 155

Distributing Home Directories Across Multiple Servers 156
Setting Up Home Directories for Users Defined in Existing Directory Servers 157
Choosing a Protocol for Home Directories 160
Setting Up AFP Home Directory Share Points 160
Setting Up NFS Home Directory Share Points 160
Creating Home Directory Folders 161
Defining a User’s Home Directory 161
Defining No Home Directory 162
Defining a Home Directory for Local Users 162
Defining a Network Home Directory 163
Defining an Advanced Home Directory 163
Setting Disk Quotas 164
Defining Default Home Directories for New Users 165
Using Import Files to Create AFP Home Directories 165
Moving Home Directories 165
Deleting Home Directories 165

Administering Group Accounts 165

Where Group Accounts Are Stored 165
Creating Group Accounts in a Directory Domain on Mac OS X Server 165
Creating Read-Write LDAPv3 Group Accounts 166
Changing Group Accounts 167
Working With Read-Only Group Accounts 167

Working With Member Settings for Groups 167

Adding Users to a Group 168
Removing Users From a Group 168
Naming a Group 169
Defining a Group ID 170

Working With Volume Settings for Groups 170

Creating Group Directories 171
Automatically Creating Group Directories 171
Customizing Group Directory Settings 172

Working With Group and Computer Preferences 173

Deleting a Group Account 173

Finding User and Group Accounts 173

Listing Users and Groups in the Local Directory Domain 174
Listing Users and Groups in Search Path Directory Domains 174
Listing Users and Groups in Available Directory Domains 174
Refreshing User and Group Lists 175
Finding Specific Users and Groups in a List 175
Sorting User and Group Lists 175

Shortcuts for Working With Users and Groups 176

Editing Multiple Users Simultaneously 176

Using Presets 176

Creating a Preset for User Accounts 176
Creating a Preset for Group Accounts 177
Using Presets to Create New Accounts 177
Renaming Presets 178
Deleting a Preset 178
Changing Presets 178

Importing and Exporting User and Group Information 178

Understanding What You Can Import 179
Using Workgroup Manager to Import Users and Groups 179
Using Workgroup Manager to Export Users and Groups 181
Using dsimportexport to Import Users and Groups 181
Using dsimportexport to Export Users and Groups 184
Using XML Files Created With Mac OS X Server 10.1 or Earlier 186
Using XML Files Created With AppleShare IP 6.3 186
Using Character-Delimited Files 187
Writing a Record Description 188
Using the StandardUserRecord Shorthand 189
Using the StandardGroupRecord Shorthand 189

Understanding Password Validation 189

Contrasting Password Validation Options 191
The Authentication Authority Attribute 192
Choosing a Password 192
Migrating Passwords 193
Setting Up Password Validation Options 193

Storing Passwords in User Accounts 193

Enabling Basic Password Validation for a User 193
The Problem With Readable Passwords 194

Using a Password Server 195

Setting Up a Password Server 196
Enabling the Use of a Password Server for a User 196
Exporting Users With Password Server Passwords 197

Making a Password Server More Secure 197

Monitoring a Password Server 197

Using Kerberos 197

Understanding Kerberos 198
Integrating Mac OS X With a Kerberos Server 199
Enabling Kerberos Authentication for Mail 200
Enabling Kerberos Authentication for AFP 200
Enabling Kerberos Authentication for FTP 200
Enabling Kerberos Authentication for Login Window 200
Enabling Kerberos Authentication for Telnet 201
Solving Problems With Kerberos 201

Using LDAP Bind Authentication 201

Backing Up and Restoring Files 201

Backing Up a Password Server 201
Backing Up Root and Administrator User Accounts 202

Supporting Client Computers 202

Validating Windows User Passwords 202
Setting Up Search Policies on Mac OS X Client Computers 202

Solving Problems 202

You Can’t Modify an Account Using Workgroup Manager 202
A Password Server User’s Password Can’t Be Modified 203
Users Can’t Log In or Authenticate 203
You Can’t Assign Server Administrator Privileges 204
Users Can’t Access Their Home Directories 204
Mac OS X User in Shared NetInfo Domain Can’t Log In 204
Kerberos Users Can’t Authenticate 204

4 Sharing 205

Privileges 205

Explicit Privileges 206
User Categories 206
Privileges Hierarchy 207
Client Users and Privileges 207
Privileges in the Mac OS X Environment 207

Network Globe Contents 207

Share Points in the Network Globe 208
Static Versus Dynamic Linking 208
Adding System Resources to the Network Library Folder 208

Setup Overview 208

Before You Begin 209

Organize Your Shared Information 210
Windows Users 210
Security Issues 210
Restricting Access by Unregistered Users (Guests) 210

Setting Up Sharing 211

Creating Share Points and Setting Privileges 211
Configuring Apple File Protocol (AFP) Share Points 212
Configuring Server Message Block (SMB) Share Points 212
Configuring File Transfer Protocol (FTP) Share Points 213
Sharing (Exporting) Items Using Network File System (NFS) 213
Automounting Share Points 214
Resharing NFS Mounts as AFP Share Points 215

Managing Sharing 215

Turning Sharing Off 216
Removing a Share Point 216
Browsing Server Disks 216
Viewing Share Points 216
Copying Privileges to Enclosed Items 217
Viewing Share Point Settings 217
Changing Share Point Owner and Privilege Settings 217
Changing the Protocols for a Share Point 218
Deleting an NFS Client from a Share Point 218
Creating a Drop Box 218

Supporting Client Computers 219

Solving Problems 219

Users Can’t Access a CD-ROM Disc 219
Users Can’t Find a Shared Item 219
Users Can’t See the Contents of a Share Point 219

5 File Services 221

Before You Begin 221

Security Issues 222
Allowing Access to Registered Users Only 222
Client Computer Requirements 223

Setup Overview 223

Apple File Service 224

Automatic Reconnect 224
Find By Content 224
Kerberos Authentication 224
Apple File Service Specifications 224
Before You Set Up Apple File Service 225
Setting Up Apple File Service 225
Configuring Apple File Service General Settings 225
Configuring Apple File Service Access Settings 226
Configuring Apple File Service Logging Settings 227
Configuring Apple File Service Idle Users Settings 228
Starting Apple File Service 229
Managing Apple File Service 229
Viewing Apple File Service Status 229
Viewing Apple File Service Logs 230
Stopping Apple File Service 230
Starting Up Apple File Service Automatically 231
Changing the Apple File Server Name 231
Registering With Network Service Locator 231
Enabling AppleTalk Browsing for Apple File Service 232
Setting Maximum Connections for Apple File Service 232
Turning On Access Logs for Apple File Service 232
Archiving Apple File Service Logs 233
Disconnecting a User From the Apple File Server 233
Disconnecting Idle Users From the Apple File Server 234
Allowing Guest Access to the Apple File Server 234
Creating a Login Greeting for Apple File Service 234
Sending a Message to an Apple File Service User 235

Windows Services 235

Windows Services Specifications 236
Before You Set Up Windows Services 236
Ensuring the Best Cross-Platform Experience 236
Windows User Password Validation 236
Setting Up Windows Services 237
Configuring Windows Services General Settings 237
Configuring Windows Services Access Settings 238
Configuring Windows Services Logging Settings 239
Configuring Windows Services Neighborhood Settings 239
Starting Windows Services 240
Managing Windows Services 240
Stopping Windows Services 240
Setting Automatic Startup for Windows Services 240
Changing the Windows Server Name 241
Finding the Server’s Workgroup Name 241
Checking Windows Services Status 241
Registering with a WINS Server 242
Enabling Domain Browsing for Windows Services 242
Setting Maximum Connections for Windows Services 242
Setting Up the Windows Services Log 243
Disconnecting a User From the Windows Server 243
Allowing Guest Access in Windows Services 243
Assigning the Windows Server to a Workgroup 244

File Transfer Protocol (FTP) Service 244

Secure FTP Environment 244
User Environments 245
On-the-Fly File Conversion 247
Custom FTP Root 248
Kerberos Authentication 248
Before You Set Up FTP Service 248
Restrictions on Anonymous FTP Users (Guests) 249
Setup Overview 249
Setting Up File Transfer Protocol (FTP) Service 250
Configuring FTP General Settings 250
Configuring FTP Access Settings 251
Configuring FTP Logging Settings 251
Configuring FTP Advanced Settings 252
Starting FTP Service 252
Managing File Transfer Protocol (FTP) Service 252
Stopping FTP Service 252
Setting Up Anonymous FTP Service 253
Creating an Uploads Folder for Anonymous Users 253
Specifying a Custom FTP Root 253
Specifying the FTP Authentication Method 254
Configuring the FTP User Environment 254
Viewing FTP Logs 254
Displaying Banner and Welcome Messages to Users 255
Displaying Messages Using message.txt files 255
Using README Message 255

Network File System (NFS) Service 256

Before You Set Up NFS Service 256
Security Implications 256
Setup Overview 256
Setting Up NFS Service 257
Configuring NFS Settings 257
Managing NFS Service 258
Stopping NFS Service 258
Viewing NFS Service Status 258
Viewing Current NFS Exports 258

Supporting Client Computers 259

Supporting Mac OS X Clients 259
Connecting to the Apple File Server in Mac OS X 259
Setting Up a Mac OS X Client to Mount a Share Point Automatically 260
Changing the Priority of Network Connections 260
Supporting Mac OS 8 and Mac OS 9 Clients 260
Connecting to the Apple File Server in Mac OS 8 or Mac OS 9 261
Setting up a Mac OS 8 or Mac OS 9 Client to Mount a Share Point Automatically 261
Supporting Windows Clients 261
TCP/IP 262
Using the Network Neighborhood to Connect to the Windows Server 262
Connecting to the Windows Server Without the Network Neighborhood 262
Supporting NFS Clients 262

Solving Problems With File Services 263

Solving Problems With Apple File Service 263
User Can’t Find the Apple File Server 263
User Can’t Connect to the Apple File Server 263
User Doesn’t See Login Greeting 263
Solving Problems With Windows Services 263
User Can’t See the Windows Server in the Network Neighborhood 263
User Can’t Log in to the Windows Server 264
Solving Problems With File Transfer Protocol (FTP) 264
FTP Connections Are Refused 264
Clients Can’t Connect to the FTP Server 265
Anonymous FTP Users Can’t Connect 265

Where to Find More Information About File Services 265

6 Client Management: Mac OS X 267

The User Experience 268

Logging In 268
Locating the Home Directory 268

Before You Begin 269

Designating Administrators 270

Setting Up User Accounts 270

Setting Up Group Accounts 271

Setting Up Computer Accounts 271

Creating a Computer Account 272
Creating a Preset for Computer Accounts 273
Using a Computer Accounts Preset 273
Adding Computers to an Existing Computer Account 274
Editing Information About a Computer 274
Moving a Computer to a Different Computer Account 275
Deleting Computers From a Computer List 275
Deleting a Computer Account 276
Searching for Computer Accounts 276

Managing Guest Computers 277

Working With Access Settings 278

Restricting Access to Computers 278
Making Computers Available to All Users 279
Using Local User Accounts 279

Managing Portable Computers 280

Unknown Portable Computers 280
Portable Computers With Multiple Local Users 280
Portable Computers With One Primary Local User 280
Using Wireless Services 281

How Workgroup Manager Works With System Preferences 281

Managing Preferences 282

About the Preferences Cache 283
Updating the Managed Preferences Cache 283
Updating Cached Preferences Manually 283
How Preference Management Works 284
Preference Management Options 284
Managing a Preference Once 285
Always Managing a Preference 285
Never Managing a Preference 285
Managing User Preferences 285
Managing Group Preferences 286
Managing Computer Preferences 286
Editing Preferences for Multiple Records 287
Disabling Management for Specific Preferences 287

Managing Applications Preferences 288

Applications Items Preferences 288
Creating a List of Approved Applications 288
Preventing Users From Opening Applications on Local Volumes 289
Managing Application Access to Helper Applications 289
Applications System Preferences 290
Managing Access to System Preferences 290
Managing Classic Preferences 291
Classic Startup Preferences 291
Making Classic Start Up After a User Logs In 291
Choosing a Classic System Folder 291
Classic Advanced Preferences 292
Allowing Special Actions During Restart 292
Keeping Control Panels Secure 292
Preventing Access to the Chooser and Network Browser 293
Making Apple Menu Items Available in Classic 293
Adjusting Classic Sleep Settings 294

Managing Dock Preferences 294

Dock Display Preferences 294
Controlling the User’s Dock 294
Dock Items Preferences 295
Adding Items to a User’s Dock 295
Preventing Users From Adding Additional Dock Items 296

Managing Finder Preferences 296

Finder Preferences 296
Keeping Disks and Servers From Appearing on the User’s Desktop 296
Controlling the Behavior of Finder Windows 297
Making File Extensions Visible 298
Selecting the User Environment 298
Hiding the Alert Message When a User Empties the Trash 298
Finder Commands Preferences 299
Controlling User Access to an iDisk 299
Controlling User Access to Remote Servers 299
Controlling User Access to Folders 300
Preventing Users From Ejecting Disks 300
Hiding the Burn Disc Command in the Finder 301
Removing Restart and Shut Down Commands From the Apple Menu 301
Finder Views Preferences 302
Adjusting the Appearance and Arrangement of Desktop Items 302
Adjusting the Appearance of Finder Window Contents 303

Managing Internet Preferences 304

Setting Email Preferences 304
Setting Web Browser Preferences 304

Managing Login Preferences 305

Login Window Preferences 305
Deciding How a User Logs In 305
Helping Users Remember Passwords 306
Preventing Restarting or Shutting Down the Computer at Login 306
Login Items Preferences 307
Opening Applications Automatically After a User Logs In 307

Managing Media Access Preferences 308

Media Access Disc Media Preferences 308
Controlling Access to CDs and DVDs 308
Controlling the Use of Recordable Discs 309
Media Access Other Media Preferences 309
Controlling Access to Hard Drives and Disks 309
Ejecting Items Automatically When a User Logs Out 310

Managing Printing Preferences 311

Printer List Preferences 311
Making Printers Available to Users 311
Preventing Users From Modifying the Printer List 312
Restricting Access to Printers Connected to a Computer 312
Printer Access Preferences 313
Setting a Default Printer 313
Restricting Access to Printers 313

7 Print Service 315

What Printers Can Be Shared? 316
Who Can Use Shared Printers? 317

Setup Overview 317

Before You Begin 319

Security Issues 319

Setting Up Print Service 319

Starting Up and Configuring Print Service 319
Adding Printers 320
Configuring Print Queues 320
Adding Print Queues to Shared Open Directory Domains 321

Setting Up Print Quotas 322

Enforcing Quotas for a Print Queue 322

Setting Up Printing on Client Computers 323

Mac OS X Clients 323
Adding a Print Queue in Mac OS X Using AppleTalk 323
Adding a Print Queue in Mac OS X Using LPR 323
Adding a Print Queue From an Open Directory Domain 323
Mac OS 8 and Mac OS 9 Clients 324
Setting Up Printing on Mac OS 8 or 9 Client for an AppleTalk Printer 324
Setting Up Printing on Mac OS 8 or 9 Clients for an LPR Printer 324
Windows Clients 325
UNIX Clients 325

Managing Print Service 325

Monitoring Print Service 325
Stopping Print Service 326
Setting Print Service to Start Automatically 326

Managing Print Queues 326

Monitoring a Print Queue 326
Putting a Print Queue on Hold (Stopping a Print Queue) 327
Restarting a Print Queue 327
Changing a Print Queue’s Configuration 327
Renaming a Print Queue 328
Selecting a Default Print Queue 329
Deleting a Print Queue 329

Managing Print Jobs 329

Monitoring a Print Job 329
Stopping a Print Job 330
Putting a Print Job on Hold 330
Restarting a Print Job 330
Holding All New Print Jobs 331
Setting the Default Priority for New Print Jobs 331
Changing a Print Job’s Priority 331
Deleting a Print Job 332

Managing Print Quotas 332

Suspending Quotas for a Print Queue 332

Managing Print Logs 332

Viewing Print Logs 333
Archiving Print Logs 333
Deleting Print Log Archives 334

Solving Problems 334

Print Service Doesn’t Start 334
Users Can’t Print 334
Print Jobs Don’t Print 334
Print Queue Becomes Unavailable 335

8 Web Service 337

Before You Begin 338

Configuring Web Service 338
Providing Secure Transactions 338
Setting Up Web Sites 338
Hosting More Than One Web Site 339
Understanding WebDAV 339
Defining Realms 339
Setting WebDAV Privileges 339
Understanding WebDAV Security 339
Understanding Multipurpose Internet Mail Extension (MIME) 340

Setting Up Web Service for the First Time 341

Managing Web Service 342

Starting or Stopping Web Service 343
Starting Web Service Automatically 343
Modifying MIME Mappings 343
Setting Up Persistent Connections for Web Service 344
Limiting Simultaneous Connections for Web Service 344
Setting Up Proxy Caching for Web Service 345
Blocking Web Sites From Your Web Server Cache 345
Enabling SSL for Web Service 346
Setting Up the SSL Log for a Web Server 346
Setting Up WebDAV for a Web Server 346
Starting Tomcat 347
Checking Web Service Status 348
Viewing Logs of Web Service Activity 348
Setting Up Multiple IP Addresses for a Port 348

Managing Web Sites 349

Setting Up the Documents Folder for Your Web Site 349
Changing the Default Web Folder for a Site 349
Enabling a Web Site on a Server 350
Setting the Default Page for a Web Site 351
Changing the Access Port for a Web Site 351
Improving Performance of Static Web Sites 351
Enabling Access and Error Logs for a Web Site 352
Setting Up Directory Listing for a Web Site 352
Connecting to Your Web Site 353
Enabling WebDAV 353
Setting Access for WebDAV-Enabled Sites 354
Enabling a Common Gateway Interface (CGI) script 354
Enabling Server Side Includes (SSI) 355
Monitoring Web Sites 356
Setting Server Responses to MIME Types 356
Enabling SSL 357
Enabling PHP 357

WebMail 358

WebMail Users 358
WebMail and Your Mail Server 359
WebMail Protocols 359
Enabling WebMail 359
Configuring WebMail 360

Setting Up Secure Sockets Layer (SSL) Service 361

Generating a Certificate Signing Request (CSR) for Your Server 361
Obtaining a Web Site Certificate 362
Installing the Certificate on Your Server 363
Enabling SSL for the Site 363

Solving Problems 364

Users Can’t Connect to a Web Site on Your Server 364
A Web Module Is Not Working as Expected 364
A CGI Will Not Run 364

Installing and Viewing Web Modules 365

Macintosh-Specific Modules 365
mod_macbinary_apple 365
mod_sherlock_apple 365
mod_auth_apple 365
mod_redirectacgi_apple 366
mod_hfs_apple 366
Open-Source Modules 366
Tomcat 366
PHP: Hypertext Preprocessor 366
mod_perl 366
MySQL 367

Where to Find More Information 367

9 Mail Service 369

Mail Service Protocols 370

Post Office Protocol (POP) 370
Internet Message Access Protocol (IMAP) 371
Simple Mail Transfer Protocol (SMTP) 371
SMTP Alternatives: Sendmail and Postfix 371

How Mail Service Uses SSL 372

How Mail Service Uses DNS 372

Where Mail Is Stored 373

How User Account Settings Affect Mail Service 373

What Mail Service Can Do About Junk Mail 373

SMTP Authentication 374
Restricted SMTP Relay 374
SMTP Authentication and Restricted SMTP Relay Combinations 375
Rejected SMTP Servers 375
Mismatched DNS Name and IP Address 375
Blacklisted Servers 375

What Mail Service Doesn’t Do 376

Mail Service Configuration in the Local Directory 376

Overview of Mail Service Tools 376

Setup Overview 377

Overview of Ongoing Mail Service Management 379

Before You Begin 379

Working With General Settings for Mail Service 380

Starting and Stopping Mail Service 380
Starting Mail Service Automatically 380
Requiring or Allowing Kerberos Authentication 381
Adding or Removing Local Names for the Mail Server 381
Changing Protocol Settings for Mail Service 382
Monitoring and Archiving Mail 382

Working With Settings for Incoming Mail 382

Limiting Incoming Message Size 383
Deleting Email Automatically 383
Notifying Users Who Have New Mail 383

Working With Settings for Incoming POP Mail 384

Requiring Authenticated POP (APOP) 384
Changing the POP Response Name 384
Changing the POP Port Number 385

Working With Settings for Incoming IMAP Mail 385

Requiring Secure IMAP Authentication 385
Changing the IMAP Response Name 386
Using Case-Sensitive IMAP Folder Names 386
Controlling IMAP Connections Per User 386
Terminating Idle IMAP Connections 387
Changing the IMAP Port Number 387

Working With Settings for Outgoing Mail 387

Sending Nonlocal Mail 388
Sending Only Local Mail 388
Suspending Outgoing Mail Service 388

Working With Settings for SMTP Mail 389

Requiring SMTP Authentication 389
Sending SMTP Mail via Another Server 389
Changing the SMTP Response Names 390
Changing the Incoming SMTP Port Number 391
Changing the Outgoing SMTP Port Number 391
Enabling an Alternate Mail Transfer Agent 391
Starting Sendmail 392

Working With the Mail Database 393

Converting the Mail Database From an Earlier Version 393
Changing Where Mail Is Stored 394
Configuring Automatic Mail Deletion 394
Allowing Administrator Access to the Mail Database and Files 394
Cleaning Up the Mail Files 395

Working With Network Settings for Mail Service 396

Specifying DNS Lookup for Mail Service 396
Updating the DNS Cache in Mail Service 397
Changing Mail Service Timeouts 397

Limiting Junk Mail 398

Restricting SMTP Relay 398
Rejecting SMTP Connections From Specific Servers 399
Checking for Mismatched SMTP Server Name and IP Address 399
Rejecting Mail From Blacklisted Senders 401
Allowing SMTP Relay for a Backup Mail Server 401
Filtering SMTP Connections 401

Working With Undeliverable Mail 402

Forwarding Undeliverable Incoming Mail 402
Limiting Delivery Attempts in Mail Service 402
Sending Nondelivery Reports to Postmaster 403

Monitoring Mail Status 403

Viewing Overall Mail Service Activity 404
Viewing Connected Mail Users 404
Viewing Mail Accounts 404
Reviewing Mail Service Logs 404
Reclaiming Disk Space Used by Mail Service Logs 405

Supporting Mail Users 405

Configuring Mail Settings for User Accounts 405
Configuring Email Client Software 406
Creating Additional Email Addresses for a User 407

Performance Tuning 407

Backing Up and Restoring Mail Files 408

Where to Find More Information 408

Books 408
Internet 409

10 Client Management: Mac OS 9 and OS 8 411

The User Experience 412

Logging In 412
Logging In Using the All Other Users Account 413
Logging In Using the Guest Account 413
Locating the Home Directory 413
Finding Applications 414
Finding Shared Documents 414

Before You Begin 414

Client Computer Requirements 414
Administrator Computer Requirements 415
Using Update Packages 417
Choosing a Language for Macintosh Manager Servers and Clients 417
Changing the Apple File Service Language Script 418

Inside Macintosh Manager 418

Macintosh Manager Security 418
About the Macintosh Manager Share Point 419
The Multi-User Items Folder 419
How the Multi-User Items Folder Is Updated 420
How Macintosh Manager Works With Directory Services 420
Where User Information Is Stored 421
How Macintosh Manager Works With Home Directories 422
How Macintosh Manager Works With Preferences 422
Where Macintosh Manager Preferences Are Stored 422
Using the MMLocalPrefs Extension 423
Using NetBoot With Macintosh Manager 423
Preparation for Using NetBoot 423

Setting Up Mac OS 9 or Mac OS 8 Managed Clients 424

Logging In to Macintosh Manager as an Administrator 425

Working With Macintosh Manager Preferences 426

Importing User Accounts 426

Applying User Settings With a Template 426
Importing All Users 427
Importing One or More Users 427
Collecting User Information in a Text File 428
Importing a List of Users From a Text File 428
Finding Specific Imported Users 429
Providing Quick Access to Unimported Users 429
Using Guest Accounts 429
Providing Access to Unimported Mac OS X Server Users 430
Setting Up a Guest User Account 431

Designating Administrators 431

About Macintosh Manager Administrators 431
Allowing Mac OS X Server Administrators to Use Macintosh Manager Accounts 432
About Workgroup Administrators 432
Creating a Macintosh Manager Administrator 432
Creating a Workgroup Administrator 432
Changing Your Macintosh Manager Administrator Password 433

Working With User Settings 433

Changing Basic User Settings 433
Allowing Multiple Logins for Users 434
Granting a User System Access 434
Changing Advanced Settings 434
Limiting a User’s Disk Storage Space 435
Updating User Information From Mac OS X Server 435

Setting Up Workgroups 436

Types of Workgroup Environments 436
Creating a Workgroup 436
Using a Template to Apply Workgroup Settings 437
Creating Workgroups From an Existing Workgroup 437
Modifying an Existing Workgroup 438

Using Items Settings 438

Setting Up Shortcuts to Items for Finder Workgroups 438
Making Items Available to Panels or Restricted Finder Workgroups 439
Making Items Available to Individual Users 440

Using Privileges Settings 440

Protecting the System Folder and Applications Folder 440
Protecting the User’s Desktop 440
Preventing Applications From Altering Files 441
Preventing Access to FireWire Disks 441
Allowing Users to Play Audio CDs 441
Allowing Users to Take Screen Shots 442
Allowing Users to Open Applications From a Disk 442
Setting Access Privileges for Removable Media 442
Setting Access Privileges for Menu Items 443

Sharing Information in Macintosh Manager 443

Selecting Privileges for Workgroup Folders 444
Setting Up a Shared Workgroup Folder 444
Setting Up a Hand-In Folder 445

Using Volumes Settings 445

Connecting to AFP Servers 445
Providing Access to Server Volumes 446

Using Printers Settings 447

Making Printers Available to Workgroups 447
Setting a Default Printer 447
Restricting Access to Printers 448
Setting Print Quotas 448
Allowing Users to Exceed Print Quotas 448
Setting Up a System Access Printer 449
Using Options Settings 449
Choosing a Location for Storing Group Documents 450
Making Items Open at Startup 450
Checking for Email When Users Log In 451
Creating Login Messages for Workgroups 451

Setting Up Computer Lists 451

Creating Computer Lists 451
Setting Up the All Other Computers Account 452
Duplicating a Computer List 452
Creating a Computer List Template 453
Disabling Login for Computers 453

Using Workgroup Settings for Computers 454

Controlling Access to Computers 454

Using Control Settings 454

Disconnecting Computers Automatically to Minimize Network Traffic 454
Setting the Computer Clock Using the Server Clock 455
Using a Specific Hard Disk Name 455
Creating Email Addresses for Managed Users 455
Using Security Settings for Computers 456
Keeping Computers Secure If a User Forgets to Log Out 456
Allowing Access to All CDs and DVDs 457
Allowing Access to Specific CDs or DVDs 457
Choosing Computer Security Settings for Applications 457
Allowing Specific Applications to Be Opened by Other Applications 458
Allowing Users to Work Offline 458
Allowing Users to Switch Servers After Logging In 459
Allowing Users to Force-Quit Applications 459
Allowing Users to Disable Extensions 459

Using Computer Login Settings 460

Choosing How Users Log In 460
Creating Login Messages for Computers 460
Customizing Panel Names 460

Managing Portable Computers 461

Portable Computers With Network Users 461
Portable Computers With Local Users 461
Letting Users Check Out Computers 462
Using Wireless Services 462

Using Global Security Settings 462

Using Macintosh Manager Reports 463
Setting the Number of Items in a Report 463
Keeping the Administration Program Secure 463
Verifying Login Information Using Kerberos 464
Preventing Users From Changing Their Passwords 464
Allowing Administrators to Access User Accounts 464
Copying Preferences for Mac OS 8 Computers 464

Using Global CD-ROM Settings 465

Managing Preferences 466

Using Initial Preferences 466
Using Forced Preferences 467
Preserved Preferences 468

Solving Problems 470

I’ve Forgotten My Administrator Password 470
Administrators Can’t Get to the Finder After Logging In 470
Generic Icons Appear in the Items Pane 470
Selecting “Local User” in the Multiple Users Control Panel Doesn’t Work 471
Some Printers Don’t Appear in the Available Printers List 471
Users Can’t Log In to the Macintosh Manager Server 471
Users Can’t Log In as “Guest” on Japanese-Language Computers 471
A Client Computer Can’t Connect to the Server 471
The Server Doesn’t Appear in the AppleTalk List 472
The User’s Computer Freezes 472
Users Can’t Access Their Home Directories 472
Users Can’t Access Shared Files 472
Shared Workgroup Documents Don’t Appear in a Panels Environment 472
Applications Don’t Work Properly or Don’t Open 472
Users Can’t Drag and Drop Between Applications 473
Users Can’t Open Files From a Web Page 473
Sometimes the Right Application Doesn’t Open for Users 473

Where to Find More Information 473

11 DHCP Service 475

Before You Set Up DHCP Service 475

Creating Subnets 476
Assigning IP Addresses Dynamically 476
Using Static IP Addresses 476
Locating the DHCP Server 476
Interacting With Other DHCP Servers 477
Assigning Reserved IP Addresses 477

Setting Up DHCP Service for the First Time 477

Managing DHCP Service 478

Starting and Stopping DHCP Service 478
Setting the Default DNS Server for DHCP Clients 479
Setting the LDAP Server for DHCP Clients 479
Setting Up Logs for DHCP Service 480
Deleting Subnets From DHCP Service 480
Changing Lease Times for Subnet Address Ranges 480
Monitoring DHCP Client Computers 481
Creating Subnets in DHCP Service 481
Changing Subnet Settings in DHCP Service 481
Setting DNS Options for a Subnet 482
Setting NetInfo Options for a Subnet 482
Disabling Subnets Temporarily 483
Viewing DHCP and NetBoot Client Lists 483
Viewing DHCP Log Entries 483

Solving Problems 484

Where to Find More Information 484

12 NetBoot 485

Prerequisites 486

Administrator Requirements 486
Server Requirements 486
Client Computer Requirements 487
Network Requirements 488

Capacity Planning 488

NetBoot Implementation 489

NetBoot Image Folder 489
Property List File 490
Boot Server Discovery Protocol (BSDP) 491
TFTP and the Boot ROM File 492
NetBoot Files and Directory Structure 493

Security 493

NetBoot and AirPort 493

Setup Overview 493

Setting Up NetBoot on a Mac OS X Server 496

Creating a Mac OS X Disk Image 496
Installing Classic (Mac OS 9) on a Mac OS X Disk Image 497
Installing the Mac OS 9 Disk Image 497
Modifying the Mac OS 9 Disk Image 498
Specifying the Default NetBoot Disk Image 500
Setting Up Multiple Disk Images 500
Configuring NetBoot on Your Server 501
Starting NetBoot on Your Server 501
Enabling NetBoot Disk Images 502

Managing NetBoot 502

Turning Off NetBoot 502
Disabling Disk Images 502
Updating Mac OS X Disk Images 503
Monitoring the Status of Mac OS X NetBoot Clients 503
Monitoring the Status of Mac OS 9 NetBoot Clients 503
Filtering NetBoot Client Connections 503

Load Balancing 504

Enabling Server Selection 504
Using Share Points to Spread the Load 505

Supporting Client Computers 505

Updating the Startup Disk Control Panel 505
Setting Up “System-Less” Clients 506
Selecting a NetBoot Startup Image (from Mac OS X) 506
Selecting a NetBoot Startup Image (from Mac OS 9) 506
Starting Up Using the N Key 507

Solving Problems 507

A NetBoot Client Computer Won’t Start Up 507
You Are Using Macintosh Manager and a User Can’t Log In to a NetBoot Client 508

13 Network Install 509

Understanding Packages 509

Setup Overview 510

Setting Up Network Install 511

Creating a Network Install Disk Image 511
Creating Custom Packages for Network Install 512
Including Packages in an Installer Disk Image 512
Enabling Installer Disk Images 513

14 DNS Service 515

Before You Set Up DNS Service 516

DNS and BIND 516
Setting Up Multiple Name Servers 516
Using DNS With Mail Service 516

Setting Up DNS Service for the First Time 517

Managing DNS Service 518

Starting and Stopping DNS Service 518
Viewing DNS Log Entries 519
Viewing DNS Service Status 519
Viewing DNS Usage Statistics 519
Inside DNS Service (Configuring BIND) 520
What Is BIND? 520
BIND on Mac OS X Server 520
BIND Configuration File 520
Zone Data Files 521
Practical Example 521
Setting Up Sample Configuration Files 521
Configuring Clients 522
Check Your Configuration 523
Load Distribution With Round Robin 523

Setting Up a Private TCP/IP Network 523

Where to Find More Information 524

15 Firewall Service 525

Before You Set Up Firewall Service 527

What Is a Filter? 527
IP Address 527
Subnet Mask 527
Using Address Ranges 528
IP Address Precedence 529
Multiple IP Addresses 529
Practical Examples 529
Block Access to Internet Users 529
Block Junk Mail 530
Allow a Customer to Access the Apple File Server 530

Setting Up Firewall Service for the First Time 530

Managing Firewall Service 531

Starting and Stopping Firewall Service 531
Setting Firewall Service to Start Automatically 531
Editing IP Filters 532
Creating an IP Filter 532
Searching for IP Filters 533
Viewing the Firewall Log 533
Configuring Firewall Service 533
Setting Up Logs for Firewall Service 534
Viewing Denied Packets 535
Filtering UDP Ports in Firewall Service 535
Blocking Multicast Services in Firewall Service 536
Allowing NetInfo Access to Certain IP Addresses 536
Changing the Any Port (Default) Filter 537
Preventing Denial-of-Service Attacks 537
Creating IP Filter Rules Using ipfw 538
Reviewing IP Filter Rules 539
Creating IP Filter Rules 539
Deleting IP Filter Rules 539

Port Reference 540

Solving Problems 543

You Can’t Access the Server Over TCP/IP 543
You Can’t Locate a Specific Filter 543

Where to Find More Information 543

16 SLP DA Service 545

SLP DA Considerations 545

Before You Begin 545

Managing Service Location Protocol (SLP) Directory Agent (DA) Service 547

Starting and Stopping SLP DA Service 547
Viewing Scopes and Registered Services in SLP 547
Creating New Scopes in SLP DA Service 548
Registering a Service With SLP DA 548
Deregistering Services in SLP DA Service 549
Setting Up Logs for SLP DA Service 549
Logging Debugging Messages in SLP DA Service 549
Viewing SLP DA Log Entries 549
Using the Attributes List 550

Where to Find More Information 550

17 Tools for Advanced Users 551

Terminal 552

Using the Terminal Application 552
Understanding UNIX Command-Line Structure 553

Secure Shell (SSH) Command 553

Enabling and Disabling SSH Access 553
Opening an SSH Session 553
Executing Commands in an SSH Session 554
Closing an SSH Session 554
Understanding Key Fingerprints 554

dsimportexport 555

Log Rolling Scripts 555

diskspacemonitor 556

diskutil 557

installer 558

Using installer 558
Full Operating System Installation 559

softwareupdate 561

systemsetup 561

Working With Server Identity and Startup 561
Working With Date and Time Preferences 562
Working With Sleep Preferences 562

networksetup 562

Reverting to Previous Network Settings 563
Retrieving Your Server’s Network Configuration 563
Configuring TCP/IP Settings 564
Configuring DNS Servers and Search Domains 564
Managing Network Services 564
Designating Proxy Servers 565

MySQL Manager 565

Simple Network Management Protocol (SNMP) Tools 566

diskKeyFinder 566

Enabling IP Failover 567

Requirements 567
Hardware 567
Software 567
Failover Operation 567
Enabling IP Failover 569
Configuring IP Failover 569
Notification Only 570
Pre And Post Scripts 570

Appendix A Open Directory Data Requirements 573

User Data That Mac OS X Server Uses 573

Standard Data Types in User Records 574

Format of the MailAttribute Data Type 577

Standard Data Types in Group Records 580

Glossary 581

Index 591

PREFACE

How to Use This Guide

What’s Included in This Guide

This guide consists primarily of chapters that tell you how to administer individual Mac OS X Server services:
• Chapter 1, “Administering Your Server,” highlights the major characteristics of Mac OS X Server’s services and takes you on a tour of its administration applications.
• Chapter 2, “Directory Services,” describes the services that Mac OS X computers use to find information about users, groups, and devices on your network. The Mac OS X directory services architecture is referred to as Open Directory.
• Chapter 3, “Users and Groups,” covers user and group accounts, describing how to administer settings for server users and collections of users (groups), including Open Directory Password Server and other password authentication options.
• Chapter 4, “Sharing,” tells you how to share folders, hard disks, and CDs among network users, as well as how to make them automatically visible after logging in to Mac OS X computers.
• Chapter 5, “File Services,” describes the file services included in Mac OS X Server: Apple file service, Windows services, Network File System (NFS) service, and File Transfer Protocol (FTP) service.
• Chapter 6, “Client Management: Mac OS X,” addresses client management for Mac OS X computer users. Client management lets you customize a user’s working environment and restrict a user’s access to network resources.
• Chapter 7, “Print Service,” tells you how to share printers among users on Macintosh, Windows, and other computers.
• Chapter 8, “Web Service,” describes how to set up and administer a Web server and host multiple Web sites on your server.
• Chapter 9, “Mail Service,” describes how to set up and administer a mail server on your server.
• Chapter 10, “Client Management: Mac OS 9 and OS 8,” addresses client management for Mac OS 8 and 9 computer users, describing how to use Macintosh Manager to manage their day-to-day working environments.
• Chapter 11, “DHCP Service,” describes Dynamic Host Configuration Protocol (DHCP) service, which lets you dynamically allocate IP addresses to the computers used by server users.
• Chapter 12, “NetBoot,” describes the application that lets Mac OS 9 and Mac OS X computers boot from a network-based system image.
• Chapter 13, “Network Install,” tells you how to use the centralized network software installation service that automates installing, restoring, and upgrading Macintosh computers on your network.
• Chapter 14, “DNS Service,” describes Dynamic Name Service (DNS), a distributed database that maps IP addresses to domain names.
• Chapter 15, “Firewall Service,” addresses how to protect your server by scanning incoming IP packets and rejecting or accepting these packets based on filters you create.
• Chapter 16, “SLP DA Service,” describes Service Location Protocol Directory Agent (SLP DA), which you can use to make devices on your network visible to your server users.
• Chapter 17, “Tools for Advanced Users,” describes server applications, tools, and techniques intended for use by experienced server administrators.
• Appendix A, “Open Directory Data Requirements,” provides information you’ll need when you must map directory services information needed by Mac OS X to information your server will retrieve from another vendor’s server.
• The Glossary defines terms you’ll encounter as you read this guide.

Using This Guide

Review the first chapter to acquaint yourself with the services and applications that Mac OS X Server provides.
Then read any chapter that’s about a service you plan to provide to your users. Each service’s chapter includes an overview of how the service works, what it can do for you, strategies for using it, how to set it up for the first time, and how to administer it over time.
Also take a look at any chapter that describes a service with which you’re unfamiliar. You may find that some of the services you haven’t used before can help you run your network more efficiently and improve performance for your users.
Most chapters end with a section called “Where to Find More Information.” This section points you to Web sites and other reference material containing more information about the service.
Preface
40

Setting Up Mac OS X Server for the First Time

If you haven’t installed and set up Mac OS X Server, do so now.
• Refer to Getting Started With Mac OS X Server, the document that came with your software, for instructions on server installation and setup. For many environments, this document provides all the information you need to get your server up, running, and available for initial use.
• Review Chapter 1, “Administering Your Server,” in this guide to determine which services you’d like to refine and expand, to identify new services you’d like to set up, and to learn about the server applications you’ll use during these activities.
• Read specific chapters to learn how to continue setting up individual services. Pay particular attention to the information in these sections: “Setup Overview,” “Before You Begin,” and “Setting Up for the First Time.”

Getting Help for Everyday Management Tasks

If you want to change settings, monitor services, view service logs, or do any other day-to-day administration task, you can find step-by-step procedures by using the online help available with server administration programs. While all the administration tasks are also documented in this guide, sometimes it’s more convenient to retrieve information in online help form while using your server.

Getting Additional Information

In addition to this document, you’ll find information about Mac OS X Server
• in Getting Started With Mac OS X Server, which tells you how to install and set up your server initially
• in Upgrading to Mac OS X Server, which provides instructions for migrating data to Mac OS X Server from existing Macintosh computers
• at www.apple.com/macosx/server
• in online help on your server
• in Read Me files on your server CD
CHAPTER 1

Administering Your Server

Mac OS X Server is a powerful server platform that delivers a complete range of services to users on the Internet and local network:
• You can connect users to each other, using services such as mail and file sharing.
• You can share system resources, such as printers and computers—maximizing their availability as users move about and making sure that disk space and printer usage remain equitably shared.
• You can host Internet services, such as Web sites and streaming video.
• You can customize working environments—such as desktop resources and personal files—of networked users.
This chapter is a tour of Mac OS X Server capabilities and administration. The chapter begins by pointing out some of Mac OS X Server’s key features. Then it summarizes the services you can set up to support the clients you want your server to host. Finally, it introduces the applications you use to set up and administer your server.

Highlighting Key Features

Mac OS X Server has a wide range of features that characterize it as easy to use, yet robust and high performing.

Ease of Setup and Administration

From the time you first unpack your server throughout its initial setup and deployment, its ease of use is prominent.
Setup assistants quickly walk you through the process of making basic services initially available. While your network users take advantage of the initial file sharing, mail, Web and other services, you can add on additional client support and manage day-to-day server operations using graphical administrative applications. From one administrator computer, you can set up and manage all the Mac OS X Servers on your network.

Networking and Security

You can choose from several user authentication options, ranging from Kerberos or Lightweight Directory Access Protocol (LDAP) to Mac OS X Server’s Open Directory Password Server.
Password Server lets you implement password policies and supports a wide variety of client protocols. The Password Server is based on a standard known as SASL (Simple Authentication and Security Layer), so it can support a wide range of network user authentication protocols that are used by clients of Mac OS X Server services, such as mail and file servers, that need to authenticate users.
Kerberos authentication is available for file services—Apple Filing Protocol (AFP) and File Transfer Protocol (FTP)—as well as for mail services (POP, IMAP, and SMTP).
External network communication requests can be controlled with built-in Internet Protocol (IP) firewall management. And data communications can be encrypted and authenticated with protocol-level data security provided with Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Secure Shell (SSH).

File and Printer Sharing

File sharing offers flexible support for various native protocols as well as security and high availability:
• It’s easy to share files with Macintosh, Windows, UNIX, Linux, and anonymous Internet clients.
• You can control how much file space individual users consume by setting up mail and file quotas. Quotas limit the number of megabytes a user can use for mail or files.
• Kerberos authentication is available for AFP and FTP file servers.
• You can improve the security of NFS volumes by setting up share points on them that let users access them using the more secure AFP protocol. This feature is referred to as resharing NFS mounts.
• AFP autoreconnect lets client computers keep Apple file servers mounted after long periods of inactivity or after sleep/wake cycles.
Mac OS X Server printer sharing includes
• the ability to set up print quotas. Print quotas can be set up for each user and each print queue, letting you limit the number of pages that can be printed during a particular period.
• support for sharing printers among Mac OS 9 users (AppleTalk and LaserWriter 8 support), Mac OS X, Windows, and UNIX users

Open Directory Services

User and group information is used by your server to authenticate users and authorize their access to services and files. Information about other network resources is used by your server to make printers and other devices available to particular users. To access this information, the server retrieves it from centralized data repositories known as directory domains. The term for the services that locate and retrieve this data is directory services.
The Mac OS X directory services architecture is referred to as Open Directory. It lets you store data in a way that best suits your environment. Mac OS X Server can host directory domains using Apple’s NetInfo and LDAP directory domains. Open Directory also lets you take advantage of information you have already set up in non-Apple directory domains—for example, LDAP or Active Directory servers or Berkeley Software Distribution (BSD) configuration files.

Comprehensive Management of Macintosh Workgroups

Workgroup management services let you simplify and control the environment that Macintosh client users experience.
Mac OS X Server client management support helps you personalize the computing environment of Macintosh clients. You can set up Mac OS 8, 9, and X computers to have particular desktop environments and access to particular applications and network resources. You can design your Macintosh users’ experience as circumstances warrant.
You can also use NetBoot and Network Install to automate the setup of software used by Macintosh client computers:
• NetBoot lets Mac OS 9 and Mac OS X computers boot from a network-based system image, offering quick and easy configuration of department, classroom, and individual systems as well as Web and application servers throughout a network. When you update NetBoot images, all NetBooted computers have instant access to the new configuration.
• Network Install is a centralized network software installation service. It lets you selectively and automatically install, restore, or upgrade network-based Macintosh systems anywhere in the organization.
Mac OS X Server also lets you automatically configure the directory services you want Mac OS X clients to have access to. Automatic directory services configuration means that when a user logs into a Mac OS X computer, the user’s directory service configuration is automatically downloaded from the network, setting up the user’s network access policies, preferences, and desktop configuration without the need to configure the client computer directly.

High Availability

To maximize server availability, Mac OS X Server includes technology for monitoring server activity, monitoring and reclaiming disk space, automatically restarting malfunctioning services, and automatically restarting the server following a power failure.
You can also configure IP failover. IP failover is a way to set up a standby server that will take over if the primary server fails. The standby server takes over the IP address of the failed server, which takes the IP address back when it is online again. IP failover is useful for DNS servers, Web servers hosting Web sites, media broadcast servers, and other servers that require minimal data replication.

Extensive Internet and Web Services

Powerful Internet and Web services are built into Mac OS X Server:
• Apache, the most popular Web server, provides reliable, high-performance Web content delivery. Integrated into Apache is Web-Based Distributed Authoring and Versioning (WebDAV), which simplifies the Web publishing and content management environment.
• If your Web sites contain static HTML files that are frequently requested, you can enable a performance cache to improve server performance.
• Web services include a comprehensive assortment of open-source services—Ruby, Tomcat, MySQL, PHP, and Perl.
• Mac OS X Server includes a high-performance Java virtual machine.
• SSL support enables secure encryption and authentication for ecommerce Web sites and confidential materials.
• QuickTime Streaming Server (QTSS) lets you stream both live and stored multimedia content on the Internet using industry-standard protocols.
• Mail service lets you set up a mail server your network users can use to send and receive email.
• WebMail service bundled with Mac OS X Server enables your users to access mail service via a Web browser.

Highlighting Individual Services

This section highlights individual Mac OS X Server services and tells you where in this guide to find more information about them.

Directory Services

Directory services let you use a central data repository for user and network information your server needs to authenticate users and give them access to services. Information about users (such as their names, passwords, and preferences) as well as printers and other resources on the network is consolidated rather than distributed to each computer on the network, simplifying the administrator’s tasks of directory domain setup and maintenance.
Open Directory
On Mac OS X computers, the directory services are collectively referred to as Open Directory. Open Directory acts as an intermediary between directory domains that store information and Mac OS X processes that need the information.
Open Directory supports a wide variety of directory domains, letting you store your directory information on Mac OS X Server or on a server you already have set up for this purpose:
• You can define and manage information in directory domains that reside on Mac OS X Server. Open Directory supports both NetInfo and LDAPv3 protocols and gives you complete control over directory data creation and management.
• Mac OS X Server can also retrieve directory data from LDAP and Active Directory servers and BSD configuration files you’ve already set up. Your server provides full read/write and SSL communications support for LDAPv3 directory domains.
Chapter 2, “Directory Services,” provides complete information about all the Open Directory options, including instructions for how to create Mac OS X–resident directory domains and how to configure your server and your clients to access directory domains of all kinds. Chapter 3, “Users and Groups,” describes how to work with user and group accounts stored in Open Directory domains.
Password Validation
Open Directory gives you several options for validating a user’s password:
• Using a value stored as a readable attribute in the user’s account.
• Using a value stored in the Open Directory Password Server. This strategy lets you set up user-specific password policies for users. For example, you can require a user to change his password periodically or use only passwords having more than a minimum number of characters. Password Server supports a wide range of client authentication protocols.
• Using a Kerberos server.
• Using LDAP bind authentication with a non-Apple LDAPv3 directory server.
“Understanding Password Validation” on page 189 provides more information about these options and tells you how to implement them.
Search Policies
Before a user can log in to or connect with a Mac OS X client or server, he or she must enter a name and password associated with a user account that the computer can find. A Mac OS X computer can find user accounts that reside in a directory domain of the computer’s search policy. A search policy is a list of directory domains the computer searches when it needs configuration information.
You can configure the search policy of Mac OS X computers on the computers themselves. You can automate Mac OS X client directory setup by using your server’s built-in DHCP Option 95 support.
Chapter 2, “Directory Services,” describes how to configure search policies on any Mac OS X computer.

File Services

Mac OS X Server makes it easy to share files using the native protocols of different kinds of client computers. Mac OS X Server includes four file services:
• Apple file service, which uses the Apple Filing Protocol (AFP), lets you share resources with clients who use Macintosh or Macintosh-compatible operating systems.
• Windows services use Server Message Block (SMB) protocol to let you share resources with clients who use Windows, and to provide name resolution service for Windows clients.
• File Transfer Protocol (FTP) service lets you share files with anyone using FTP.
• Network File System (NFS) service lets you share files and folders with users who have NFS client software (UNIX users).
You can deploy network home directories for Mac OS X clients using AFP and for UNIX clients using NFS. With a network home directory, users can access their applications, documents, and individual settings regardless of the computer to which they log in. You can impose disk quotas on network home directories to regulate server disk usage for users with home directories.
Sharing
You share files among users by designating share points. A share point is a folder, hard disk (or hard disk partition), or CD that you make accessible over the network. It’s the point of access at the top level of a group of shared items.
On Mac OS X computers, share points can be found in the /Network directory and by using the Finder’s Connect To Server command. On Mac OS 8 and 9 computers, users access share points using the Chooser. On Windows computers, users use Network Neighborhood. Chapter 4, “Sharing,” tells you how to set up and manage share points.
Static file server listings can also be published in a non-Apple directory domain, making it easy for computers in your company that are not on your local network to discover and connect to Mac OS X Server.
Apple File Service
Apple Filing Protocol (AFP) allows Macintosh client users to connect to your server and access folders and files as if they were located on the user’s own computer.
AFP offers
• file sharing support for Macintosh clients over TCP/IP
• autoreconnect support when a file server connection is interrupted
• encrypted file sharing (AFP through SSH)
• automatic creation of user home directories
• Kerberos v5 authentication for Mac OS X v10.2 and later clients
• fine-grain access controls for managing client connections and guest access
• automatic disconnect of idle clients after a period of inactivity
AFP also lets you reshare NFS mounts using AFP. This feature provides a way for clients not on the local network to access NFS volumes via a secure, authenticated AFP connection. It also lets Mac OS 9 clients access NFS file services on traditional UNIX networks.
See “Apple File Service” on page 224 for details about AFP.
Windows Services
Windows services in Mac OS X Server provide four native services to Windows clients:
• file service, which allows Windows clients to connect to Mac OS X Server using the Server Message Block (SMB) protocol over TCP/IP
• print service, which uses SMB to allow Windows clients to print to PostScript printers on the network
• Windows Internet Naming Service (WINS), which allows clients across multiple subnets to perform name/address resolution
• browsing, which allows clients to browse for available servers across subnets
See “Windows Services” on page 235 for more information about Windows services.
Network File System (NFS) Service
NFS is the protocol used for file services on UNIX computers.
The NFS term for sharing is export. You can export a shared item to a set of client computers or to “World.” Exporting an NFS volume to World means that anyone who can access your server can also access that volume.
NFS does not support name/password authentication. It relies on client IP addresses to authenticate users and on client enforcement of privileges—not a secure approach in most networks. Therefore use NFS only if you are on a local area network (LAN) with trusted client computers or if you are in an environment that can’t use Apple file sharing or Windows file sharing. If you have Internet access and plan to export to World, your server should be behind a firewall.
See “Network File System (NFS) Service” on page 256 for more information about NFS.
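The trust model just described is worth seeing in code: with NFS, the host list on each export is the only access control the server enforces, so an export with no host or network restriction ("World") is reachable by any client that can route packets to the server. The following audit script is an added example, not part of the guide or of Mac OS X Server; it assumes exports written in the BSD exports(5) style (`path [-ro] [-network net -mask mask] [host ...]`), and the sample lines are constructed. It parses the lines, flags World exports, and models the server-side access check, which depends only on the client's address or name.

```python
"""Audit NFS export lines for exports reachable by any client ("World")."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in BSD exports(5) style (an assumption about the format).
SAMPLE_EXPORTS = """\
# constructed sample, not taken from a real server
/Volumes/Data/Shared -ro -network 192.168.11.0 -mask 255.255.255.0
/Volumes/Data/Homes -maproot=nobody -network 192.168.11.0 -mask 255.255.255.0
/Volumes/Data/Public -ro
/Volumes/Data/Drop
/Volumes/Data/Build build1.example.com build2.example.com
"""


@dataclass
class Export:
    path: str
    read_only: bool
    hosts: List[str] = field(default_factory=list)  # explicit client hosts
    network: Optional[str] = None                    # CIDR, or None

    @property
    def world(self) -> bool:
        """True when neither a host list nor a network limits the export."""
        return not self.hosts and self.network is None


def parse_export_line(line: str) -> Export:
    tokens = line.split()
    path, read_only, hosts = tokens[0], False, []
    network = mask = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-ro":
            read_only = True
        elif tok == "-network":
            network, i = tokens[i + 1], i + 1
        elif tok == "-mask":
            mask, i = tokens[i + 1], i + 1
        elif tok.startswith("-"):
            pass  # other options (e.g. -maproot=) do not change who can reach the export
        else:
            hosts.append(tok)
        i += 1
    cidr = None
    if network:
        cidr = str(ipaddress.ip_network(f"{network}/{mask or '255.255.255.255'}", strict=False))
    return Export(path, read_only, hosts, cidr)


def parse_exports(text: str) -> List[Export]:
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            exports.append(parse_export_line(line))
    return exports


def audit(text: str):
    """Return (path, finding) for every export that is open to the world."""
    findings = []
    for e in parse_exports(text):
        if e.world:
            findings.append((e.path, "world-read-only" if e.read_only else "world-read-write"))
    return findings


def client_allowed(export: Export, client_ip: str, client_name: Optional[str] = None) -> bool:
    """Model of the server-side check: only the client's address or name is consulted,
    never a user name or password."""
    if export.world:
        return True
    if export.network and ipaddress.ip_address(client_ip) in ipaddress.ip_network(export.network):
        return True
    return client_name in export.hosts


if __name__ == "__main__":
    for path, finding in audit(SAMPLE_EXPORTS):
        print(f"{finding:18s} {path}")
```

Run against the constructed sample, the script reports `/Volumes/Data/Public` as world-read-only and `/Volumes/Data/Drop` as world-read-write; the network-restricted and host-restricted exports are not flagged. The `client_allowed` model makes the guide's caveat concrete: a client that can spoof or obtain an address inside the exported network passes the only check there is, which is why the guide limits NFS to trusted LAN clients and puts World exports behind a firewall.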
File Transfer Protocol (FTP)
FTP allows computers to transfer files over the Internet. Clients using any operating system that supports FTP can connect to your FTP file server and download files, depending on the permissions you set. Most Internet browsers and a number of freeware applications can be used to access your FTP server.
FTP service in Mac OS X Server supports Kerberos v5 authentication and, for most FTP clients, resuming of interrupted FTP file transfers. Mac OS X Server also supports dynamic file conversion, allowing users to request compressed or decompressed versions of information on the server.
FTP is considered an insecure protocol, since user names and passwords are transmitted across the Internet in clear text. Because of the security issues associated with FTP authentication, most FTP servers are used as Internet file distribution servers for anonymous FTP users.
Mac OS X Server supports anonymous FTP and by default prevents anonymous FTP users from deleting files, renaming files, overwriting files, and changing file permissions. Explicit action must be taken by the server administrator to allow uploads from anonymous FTP users, and then only into a specific share point.
See “File Transfer Protocol (FTP) Service” on page 244 for details about FTP.

Print Service

Print service in Mac OS X Server lets you share network and direct-connect printers among clients on your network. Print service also includes support for managing print queues, monitoring print jobs, logging, and using print quotas.
Print service lets you
• share printers with Mac OS 9 (PAP, LaserWriter 8), Mac OS X (IPP, LPR/LPD), Windows (SMB/CIFS), and UNIX (LPR/LPD) clients
• share direct-connect USB printers with Mac OS X version 10.2 and later clients
• connect to network printers using AppleTalk, LPR, and IPP and connect to direct-connect printers using USB
• make printers visible using Open Directory directory domains
• impose print quotas to limit printer usage
See Chapter 7, “Print Service,” for information about print service.

Web Service

Web service in Mac OS X Server is based on Apache, an open-source HTTP Web server. A Web server responds to requests for HTML Web pages stored on your site. Open-source software allows anyone to view and modify the source code to make changes and improvements. This has led to Apache’s widespread use, making it the most popular Web server on the Internet today.
Web service includes a high-performance, front-end cache that improves performance for Web sites that use static HTML pages. With this cache, static data doesn’t need to be accessed by the server each time it is requested.
Web service also includes support for Web-based Distributed Authoring and Versioning (WebDAV). With WebDAV capability, your client users can check out Web pages, make changes, and then check the pages back in while the site is running. In addition, Mac OS X users can use a WebDAV-enabled Web server as if it were a file server.
Web service’s Secure Sockets Layer (SSL) support enables secure encryption and authentication for ecommerce Web sites and confidential materials. An easy-to-use digital certificate provides non-forgeable proof of your Web site identity.
Mac OS X Server offers extensive support for dynamic Web sites:
• Web service supports Java Servlets, JavaServer Pages, MySQL, PHP, Perl, and UNIX and Mac CGI scripts.
• Mac OS X Server also includes WebObjects deployment software. WebObjects offers a flexible and scalable way to develop and deploy ecommerce and other Internet applications. WebObjects applications can connect to multiple databases and dynamically generate HTML content. You can also purchase the WebObjects development tools if you want to create WebObjects applications. For more information and documentation on WebObjects, go to the WebObjects Web page:
www.apple.com/webobjects
See Chapter 8, “Web Service,” for details about Web service.

Mail Service

Mail services support the SMTP, POP, and IMAP protocols, allowing you to select a local or server-based mail storage solution for your users.
With remote mail administration you can manage the message database from any IMAP client. Realtime Blackhole List support allows you to block messages from known spam sources. Support for single or dual IMAP/POP3 mail inboxes gives flexibility in mail retrieval; a user can have a POP mailbox for office use and an IMAP mailbox for mobile use. Automatic blind copying (BCC) on incoming mail from specified hosts lets you track email coming from specific sites. You can limit the amount of disk space a user consumes for mail messages.
To protect email communication from eavesdroppers, mail service features SSL encryption of IMAP connections between the mail server and clients, SMTP AUTH authentication using LOGIN and PLAIN, and APOP and Kerberos v5 authentication for POP, IMAP, and SMTP clients.
For complete information about mail services, see Chapter 9, “Mail Service.”

Macintosh Workgroup Management

Mac OS X Server provides work environment personalization for Mac OS 8, 9, and X computer users, ranging from preference management to operating system and application installation automation.
Client Management
You can use Mac OS X Server to manage the work environments of Mac OS 8, 9, and X clients. Preferences you define for individual users, groups of users, and computers provide your Macintosh users with a consistent desktop, application, and network appearance regardless of the Macintosh computer to which they log in.
To manage Mac OS 8 and 9 clients, you use Macintosh Manager, described in Chapter 10, “Client Management: Mac OS 9 and OS 8.” To manage Mac OS X clients, you use Workgroup Manager, as Chapter 6, “Client Management: Mac OS X,” describes.
Mac OS X client management has several advantages:
• You can take advantage of the directory services autoconfiguration capability to automatically set up the directory services used by Mac OS X client computers.
• When you update user, group, and computer accounts, managed Mac OS X users inherit changes automatically. You update Mac OS 8 and 9 accounts independently, using Macintosh Manager.
• You have more direct control over individual system preferences.
• Network home directories and group directories can be mounted automatically at login.
NetBoot
NetBoot lets Macintosh clients boot from a system image located on Mac OS X Server instead of from the client computer’s disk drive. You can set up multiple NetBoot disk images, so you can boot clients into Mac OS 9 or X or even set up customized Macintosh environments for different groups of clients.
NetBoot can simplify the administration and reduce the support normally associated with large-scale deployments of network-based Macintosh systems. NetBoot is ideal for an organization with a number of client computers that need to be identically configured. For example, NetBoot can be a powerful solution for a data center that needs multiple identically configured Web and application servers.
NetBoot allows administrators to configure and update client computers instantly by simply updating a boot image stored on the server. Each image contains the operating system and application folders for all clients on the server. Any changes made on the server are automatically reflected on the clients when they reboot. Systems that are compromised or otherwise altered can be instantly restored simply by rebooting.
See Chapter 12, “NetBoot,” for information about setting up and managing NetBoot.
Network Install
Network Install is a centrally managed installation service that allows administrators to selectively install, restore, or upgrade client computers. Installation images can contain the latest release of Mac OS X, a software update, site-licensed or custom applications, even configuration scripts:
• Network Install is an excellent solution for operating system migrations, installing software updates and custom software packages, restoring computer classrooms and labs, and reimaging desktop and portable computers.
• You can define custom installation images for various departments in an organization, such as marketing, engineering, and sales.
With Network Install you don’t need to insert multiple CDs to configure a system. All the installation files and packages reside on the server and are installed onto the client computer at one time. Network Install also includes pre- and post-installation scripts you can use to invoke actions prior to or after the installation of a software package or system image.
See Chapter 13, “Network Install,” for more information about Network Install.

Network Services

Mac OS X Server includes these network services for helping you manage Internet communications on your TCP/IP network:
• Dynamic Host Configuration Protocol (DHCP)
• Domain Name System (DNS)
• IP firewall
• Service Location Protocol Directory Agent (SLP DA)
DHCP
DHCP helps you administer and distribute IP addresses dynamically to client computers from your server. From a block of IP addresses that you define, your server locates an unused address and “leases” it to client computers as needed. DHCP is especially useful when an organization has more clients than IP addresses. IP addresses are assigned on an as-needed basis, and when they are not needed they are available for use by other clients.
As you learned in “Search Policies” on page 48, you can automate the directory services setup of Mac OS X clients using your DHCP server’s Option 95 support. This option lets client computers learn about their directory settings from an LDAP server.
Chapter 11, “DHCP Service,” provides information about your server’s DHCP capabilities.
DNS
DNS service lets users connect to a network resource, such as a Web or file server, by specifying a host name (such as server.apple.com) rather than an IP address (192.168.11.12). DNS is a distributed database that maps IP addresses to domain names.
A server that provides DNS service keeps a list of names and the IP addresses associated with the names. When a computer needs to find the IP address for a name, it sends a message to the DNS server (also known as a name server). The name server looks up the IP address and sends it back to the computer. If the name server doesn’t have the IP address locally, it sends messages to other name servers on the Internet until the IP address is found.
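The lookup described in the paragraph above, as an added illustration (this is not the guide's or Mac OS X Server's DNS code): a resolver starts at a root server and follows referrals from one name server to the next until one of them answers with the address, then caches the result so the next request for the same name needs no network messages at all. The name servers, zones, names and addresses below are constructed (documentation address ranges).

```python
"""Iterative name resolution over a constructed set of name servers."""
from typing import Dict, List, Optional, Tuple

# Constructed data: each name server is authoritative for some zone and either
# holds addresses ("A") or delegates sub-zones to other servers ("NS").
SERVERS: Dict[str, Dict[str, Dict[str, str]]] = {
    "root": {"NS": {"com.": "ns.com"}},
    "ns.com": {"NS": {"example.com.": "ns1.example.com"}},
    "ns1.example.com": {
        "A": {"www.example.com.": "192.0.2.10", "mail.example.com.": "192.0.2.25"}
    },
}


def query(server: str, name: str) -> Tuple[str, Optional[str]]:
    """One round trip to a name server.

    Returns ("A", address) when the server knows the name, ("NS", next_server)
    when it can only refer the resolver onward, or ("NXDOMAIN", None)."""
    data = SERVERS[server]
    if name in data.get("A", {}):
        return "A", data["A"][name]
    # Delegate to the most specific zone this server knows about.
    for zone, ns in sorted(data.get("NS", {}).items(), key=lambda kv: -len(kv[0])):
        if name == zone or name.endswith("." + zone):
            return "NS", ns
    return "NXDOMAIN", None


def resolve(name: str, cache: Dict[str, str], max_hops: int = 8) -> Tuple[Optional[str], List[str]]:
    """Follow referrals from the root until an address is found.

    Returns (address or None, list of servers that had to be asked). A cached
    name is answered locally, so its server list is empty."""
    if not name.endswith("."):
        name += "."  # fully qualified form
    if name in cache:
        return cache[name], []
    server, asked = "root", []
    for _ in range(max_hops):  # bound the referral chain against loops
        asked.append(server)
        rtype, value = query(server, name)
        if rtype == "A":
            cache[name] = value
            return value, asked
        if rtype == "NS":
            server = value
            continue
        break  # NXDOMAIN: no server on the path knows the name
    return None, asked


if __name__ == "__main__":
    cache: Dict[str, str] = {}
    print(resolve("www.example.com", cache))  # three servers asked
    print(resolve("www.example.com", cache))  # answered from cache
```

The first call for `www.example.com` asks `root`, then `ns.com`, then `ns1.example.com`; the second call is served from the cache without asking anyone. This is the same property that makes the caching name server the guide recommends worth running locally.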
You will use DNS if you use SMTP mail service or if you want to create subdomains within your primary domain. You will also use DNS if you are hosting multiple Web sites. If you don’t have an Internet service provider (ISP) who handles DNS for your network, you can set up a DNS server on your Mac OS X Server.
You’ll find complete information about DNS in Chapter 14, “DNS Service.”
IP Firewall
IP firewall service protects your server and the content you store on it from intruders. It provides a software firewall, scanning incoming IP packets and accepting or rejecting them based on filters you define.
You can set up server-wide restrictions for packets from specific IP addresses. You can also restrict access to individual services—such as Web, mail, and FTP—by defining filters for the ports used by the services.
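To show how address- and port-based filters combine, here is an added model of ordered packet filtering; it is not Mac OS X Server's firewall code, and the rule syntax, rule numbers and sample packets are all constructed. Ordered filters apply the first rule that matches a packet, so a server-wide restriction on an address has to come before the per-service allow rules, or it never takes effect; the `misordered` check finds deny rules that an earlier, broader allow has already made unreachable.

```python
"""First-match evaluation of address/port packet filters, with a shadowing check."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int           # evaluation order, lowest first
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network in CIDR form
    dport: Optional[int]  # destination port, None = any port

    def matches(self, pkt: "Packet") -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first matching rule, or ("deny", None)
    when nothing matches (default deny)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number
    return "deny", None


def misordered(rules: List[Rule]) -> List[int]:
    """Numbers of deny rules that can never fire because an earlier allow rule
    already matches every packet they would match."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, r in enumerate(ordered):
        if r.action != "deny":
            continue
        for earlier in ordered[:i]:
            if (earlier.action == "allow"
                    and earlier.proto in ("any", r.proto)
                    and (earlier.dport is None or earlier.dport == r.dport)
                    and ipaddress.ip_network(r.src).subnet_of(ipaddress.ip_network(earlier.src))):
                shadowed.append(r.number)
                break
    return shadowed


# Constructed rule set: one server-wide restriction, then per-service filters.
RULES = [
    Rule(100, "deny",  "any", "203.0.113.7/32", None),  # block this address everywhere
    Rule(200, "allow", "tcp", "0.0.0.0/0",      80),    # Web, from anywhere
    Rule(210, "allow", "tcp", "0.0.0.0/0",      25),    # SMTP mail, from anywhere
    Rule(220, "allow", "tcp", "192.168.11.0/24", 21),   # FTP, local network only
    Rule(230, "allow", "tcp", "192.168.11.0/24", 548),  # AFP, local network only
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "203.0.113.7", 80), Packet("tcp", "198.51.100.2", 80),
                Packet("tcp", "198.51.100.2", 548), Packet("tcp", "192.168.11.5", 548)):
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed deny rules:", misordered(RULES))
```

With the constructed set, the blocked address is denied even on the Web port, AFP is reachable only from the local network, and nothing is shadowed. Swap the numbers so the address-wide deny sits after the Web allow and `misordered` reports it, which is the kind of ordering mistake to look for when a restriction you defined appears not to work.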
See Chapter 15, “Firewall Service,” for more information about this service.
SLP DA
Service Location Protocol (SLP) provides structure to the services available on a network and gives users easy access to them.
Anything that can be addressed using a URL can be a network service—for example, file servers and WebDAV servers. When a service is added to your network, the service uses SLP to register itself on the network; you don’t need to configure it manually. When a client computer needs to locate a network service, it uses SLP to look for services of that type. All registered services that match the client computer’s request are displayed for the user, who then can choose which one to use.
SLP Directory Agent (DA) is an improvement on basic SLP, providing a centralized repository for registered network services. You can set up a DA to keep track of services for one or more scopes (groups of services). When a client computer looks for network services, the DA for the scope in which the client computer is connected responds with a list of available network services. Because a client computer only needs to look locally for services, network traffic is kept to a minimum and users can connect to network services more quickly.
See Chapter 16, “SLP DA Service,” for information about this service.

QuickTime Streaming Service

QuickTime Streaming Server (QTSS) lets you stream multimedia in real time using the industry-standard RTSP/RTP protocols. QTSS supports MPEG-4, MP3, and QuickTime file formats.
You can deliver live and prerecorded media over the Internet to both Macintosh and Windows users, or relay streamed media to other streaming servers. You can provide unicast streaming, which sends one stream to each individual client, or multicast streaming, which sends the stream to a group of clients.
For more information about QTSS, refer to the QuickTime Web site:
www.apple.com/quicktime/products/qtss/
You can use QuickTime Broadcaster in conjunction with QTSS when you want to produce a live event. QuickTime Broadcaster allows you to stream live audio and video over the Internet. QuickTime Broadcaster meets the needs of both beginners and professionals by providing preset broadcast settings and the ability to create custom settings. Built on top of the QuickTime architecture, QuickTime Broadcaster enables you to produce a live event using most codecs that QuickTime supports.
When teamed with QuickTime Streaming Server or Darwin Streaming Server, QuickTime Broadcaster can produce a live event for delivery to an audience of any size, from an individual to a large global audience.
For information about QuickTime Broadcaster, go to this Web site and navigate to the QuickTime Broadcaster page:
www.apple.com/quicktime/

Highlighting Server Applications

This section introduces you to the applications, tools, and techniques you use to set up and administer your Mac OS X Server. The following table summarizes them and tells you where to find more information about them.
Application, tool, or technique | Use to | For more information, see
Server Assistant | Initialize services | page 58
Open Directory Assistant | Create or set up access to existing NetInfo and LDAPv3 directory domains and create and configure Password Servers | page 58
Directory Access | Configure access to data in existing directory domains and define a search policy | page 59
Workgroup Manager | Administer accounts, manage share points, and administer client management for Mac OS X users | page 59
Server Settings | Configure file, print, mail, Web, NetBoot, and network services | page 60
Server Status | Monitor services | page 61
Macintosh Manager | Administer client management for Mac OS 8 and 9 users | page 62
NetBoot administration tools | Manage NetBoot disk images | page 62
Package Maker | Create Network Install installation packages | page 62
Server Monitor | Review information about Xserve hardware | page 62
Streaming Server Admin | Set up and manage QuickTime Streaming Server (QTSS) | page 63
Terminal | Run command-line tools | page 552
Secure shell (SSH) | Use Terminal to run command-line tools for remote servers securely | page 553
dsimportexport | Import and export user and group accounts using XML or text files | page 555
log rolling scripts | Periodically roll, compress, and delete server log files | page 555
diskspacemonitor | Monitor percentage-full disk thresholds and execute scripts that generate email alerts and reclaim disk space when thresholds are reached | page 556
diskutil | Manage Mac OS X Server disks and volumes remotely | page 557
installer | Install software packages remotely | page 558
softwareupdate | Find new versions of software and install them remotely on a server | page 561
systemsetup | Configure system preferences on a remote server | page 561
networksetup | Configure network services for a particular network hardware port on a remote server | page 562
MySQL Manager | Manage the version of MySQL that is installed with Mac OS X Server | page 565
Simple Network Management Protocol (SNMP) administration tools | Monitor your server using the SNMP interface | page 566
diskKeyFinder | Verify the physical location of a remote headless server volume that you want to manage | page 566
Enabling IP failover | Set up a standby server that takes over if the primary server fails | page 567

Administering a Server From Different Computers

You can use the server applications to manage the local server or to manage a remote server, including headless servers. You can also manage Mac OS X Servers remotely from an administrator computer. An administrator computer is a Mac OS X computer onto which you have installed the server applications from the Mac OS X Server Administration Tools CD.
[Figure: an administrator computer managing several Mac OS X Servers over the network]
The following sections give you more information about the first 11 applications in the table above, including instructions for using them to manage a remote server. The remaining applications and tools are for use by experienced server administrators; see Chapter 17, “Tools for Advanced Users,” for information about them.

Server Assistant

Server Assistant is the application you use to perform initial service setup of a Mac OS X Server. You can use Server Assistant the first time you set up a local or remote Mac OS X Server. See Getting Started With Mac OS X Server for instructions.

Open Directory Assistant

Use Open Directory Assistant to create shared server–resident NetInfo or LDAPv3 directory domains, set up Password Servers, and configure access to shared domains and Password Servers.
You can run Open Directory Assistant immediately after running Server Assistant, or you can run it later, as many times as you like.
You’ll find Open Directory Assistant in /Applications/Utilities/. For information about how to use the application, see Chapter 2, “Directory Services.”

Directory Access

Directory Access is the primary application for setting up a Mac OS X computer’s connections with directory domains as well as defining the computer’s search path.
Unlike Open Directory Assistant, Directory Access does not create directory domains. It
• configures connections with existing domains
• enables or disables service discovery protocols (AppleTalk, Rendezvous, SLP, and SMB)
• enables or disables directory protocols (LDAPv2, LDAPv3, NetInfo, and BSD configuration files)
In addition, Directory Access is available on both Mac OS X Servers and Mac OS X client computers, whereas Open Directory Assistant is available only on servers.
You’ll find Directory Access in /Applications/Utilities/. For information about how to use it, see Chapter 2, “Directory Services.”

Workgroup Manager

You use Workgroup Manager to administer user, group, and computer accounts; manage share points; and administer client management for Mac OS X users.
For information about using Workgroup Manager to administer user and group accounts, see Chapter 3, “Users and Groups.” For information about using it to administer computer accounts and client management settings, see Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8.” Chapter 4, “Sharing,” describes how to use Workgroup Manager to manage share points.
Opening and Authenticating in Workgroup Manager
Workgroup Manager is installed in /Applications/Utilities/ when you install your server or set up an administrator computer. To open Workgroup Manager, click the Workgroup Manager icon in the Dock of Mac OS X Server or in the toolbar of Server Status:
• To open Workgroup Manager on the server you are using without authenticating, choose View Directories from the Server menu. You will have read-only access to information displayed in Workgroup Manager. To make changes, click the lock icon to authenticate as an administrator. This approach is most useful when you are administering different servers and working with different directory domains.
• To authenticate as an administrator for a particular server, enter the server’s IP address or DNS name in the login window, or click Browse to choose from a list of servers. Specify the user name and password for an administrator of the server, then click Connect. Use this approach when you will be working most of the time with a particular server.
Major Workgroup Manager Tasks
After login, the user account window appears, with lists of user, group, and computer accounts in the server’s local directory domain. Here is how to get started with the major tasks you’ll be performing with this application:
• To administer user, group, or computer accounts, click the Accounts icon in the toolbar. See Chapter 3, “Users and Groups,” for information about user and group accounts and Chapter 6, “Client Management: Mac OS X,” for information about computer accounts.
• To work with preferences for managed users, groups, or computers, click the Preferences icon in the toolbar. See Chapter 6, “Client Management: Mac OS X,” for instructions.
• To work with share points, click the Sharing icon in the toolbar. See Chapter 4, “Sharing,” for instructions.
• To work with accounts in different directory domains at the same time, open multiple Workgroup Manager windows by choosing New Workgroup Manager Window from the Server menu.
• To open Server Status so you can monitor the status of a particular server, click the Status icon in the toolbar. See “Server Status” on page 61 for information about the Server Status application.
• To open Server Settings so you can work with a server’s file, print, mail, Web, NetBoot, and network settings, choose Configure Services from the Server menu. See “Server Settings” on page 60 for information about the Server Settings application.
• To control the way Workgroup Manager lists users and groups, whether it should use SSL transactions, and other behaviors, choose Preferences from the Workgroup Manager menu.
• To customize the Workgroup Manager toolbar, choose Customize Toolbar from the View menu.
• To retrieve online information, use the Help menu. It provides help for server administrators about Workgroup Manager as well as other Mac OS X Server topics.

Server Settings

You use Server Settings to administer file, print, mail, Web, NetBoot, and network services on a server.
Server Settings is installed in /Applications/Utilities/ when you install your server or set up an administrator computer. To open Server Settings, click the Server Settings icon in the Dock of Mac OS X Server or choose Configure Services from the Server menu in Workgroup Manager.
To select a server to work with, enter its IP address or DNS name in the login window, or click Browse to choose from a list of servers. Specify the user name and password for an administrator, then click Connect.
Click the service modules arranged on the Server Settings tabs to choose commands that let you work with individual services:
• For administering file and print services, select the File & Print tab to access modules.
• For administering mail and Web service, select the Internet tab to access modules.
• For administering IP Firewall, DHCP, NetBoot, DNS, and SLP DA services, select the Network tab to access modules.
• To retrieve online information, use the Help menu. It provides help for server administrators about Server Settings as well as other Mac OS X Server topics.
Server Settings is not compatible with versions of Mac OS X Server earlier than version 10.2.

Server Status

You use Server Status to monitor the services running on Mac OS X Servers.
Server Status is installed in /Applications/Utilities/ when you install your server or set up an administrative computer. To open Server Status, click the Server Status icon in the Dock of Mac OS X Server or the Status icon in Workgroup Manager.
To select a server to monitor, click the Connect button in the Server Status toolbar. Enter the IP address or DNS name of the server you want to monitor in the login window, or click Browse to choose from a list of servers. Specify the user name and password for an administrator, then click Connect.
Select items in the Devices & Services list to monitor specific servers and services running on the servers:
• To review general status information for a particular server, select the server name.
• To review status information for a particular service running on a server, click the disclosure triangle next to the server name to see a list of its services. Then select the service of interest.
• To add a server to the Devices & Services list, click Connect in the toolbar and log in to the server. The next time you open Server Status, any server you have added is displayed in the Devices & Services list and can be monitored again by selecting a server in the list.
If a server in the list appears grey, double-click the server or click the Reconnect button in the toolbar to log in again. Check the Add to Keychain option while you log in to enable autoreconnect the next time you open Server Status.
• To remove a server from the Devices & Services list, select the server, click the Disconnect button in the toolbar, and choose Remove From List from the Server menu.
• To control the way Server Status lists servers and services, how often status data is refreshed, and other behaviors, choose Preferences from the Server Status menu.
• To customize the Server Status toolbar, choose Customize Toolbar from the View menu.
• To retrieve online information, use the Help menu. It provides help for server administrators about Server Status as well as other Mac OS X Server topics.

Macintosh Manager

You use Macintosh Manager to administer client management for Mac OS 8 and 9 client computers. You can use it locally (at the server) or remotely (from a Mac OS 9 or X computer on the same network as your Mac OS X Server).
Open Macintosh Manager by clicking its icon in the Dock. Log in using a server, Macintosh Manager, or workgroup administrator user name and password. As a server administrator, you automatically have global administrator privileges for Macintosh Manager.
See Chapter 10, “Client Management: Mac OS 9 and OS 8,” for more information.

NetBoot Administration Tools

There are several applications you use to administer NetBoot:
• NetBoot Desktop Admin lets you modify Mac OS 9 images.
• Network Image Utility lets you create and modify Mac OS X images.
• The DHCP/NetBoot module of Server Settings lets you save NetBoot images.
See Chapter 12, “NetBoot,” for information about these tools.

Network Install Administration Application

You use Package Maker to create Network Install packages.
See Chapter 13, “Network Install,” for information about this application.

Server Monitor

You use Server Monitor to monitor Xserve hardware and trigger email notifications when circumstances warrant attention. Server Monitor shows you information about the installed operating system, drives, power supply, enclosure and processor temperature, cooling blowers, security, and network.
Server Monitor is installed in /Applications/Utilities/ when you install your server or set up an administrator computer. Use the application to monitor local or remote servers:
• To specify the Xserve server to monitor, click Add Server, identify the server of interest, and enter user name and password information for an administrator of the server.
• Use the “Update every” pop-up menu to specify how often you want to refresh data.
• Use the Export Items and Import Items buttons to manage different lists of Xserve servers you want to monitor. The Merge Items button lets you consolidate lists into one.
• The system identifier lights on the front and back of an Xserve server light when service is required. Use Server Monitor to understand why the lights are on. You can also turn the lights on to identify a particular Xserve server in a rack of servers by selecting the server and clicking “system identifier light on” on the Info tab.
• You can set Server Monitor to notify you by email when an Xserve server’s status changes. For each server, you set up the conditions that you want notification about. The email message can come from Server Monitor or from the server.
• Server Monitor keeps logs of Server Monitor activity for each Xserve server. (The logs do not include system activity on the server.) The log shows, for example, the times Server Monitor attempted to contact the server, and whether a connection was successful. The log also shows server status changes. You can also use Server Monitor to get an Apple System Profiler report on a remote server.

Streaming Server Admin

To set up and manage QTSS, you use the Web-based Streaming Server Admin program.
Streaming Server Admin lets you easily create and serve playlists, customize general settings, monitor connected users, view log files, manage user and bandwidth usage, and relay a stream from one server to another for scalability.
To use Streaming Server Admin:
1 From Mac OS X Server, click the Streaming Server Admin icon in the Dock, then go to step 3.
Alternatively, from a server with QTSS installed, open a Web browser. You can also use a Web browser from a remote Mac OS X computer.
2 Enter the URL for your Streaming Server Admin.
For example, myserver.com:1220
Replace “myserver.com” with the name of your Streaming Server computer. 1220 is the port number.
3 The first time you run Streaming Server Admin, the Setup Assistant prompts you for your
user name and password.
To display online help information about using Streaming Server Admin, setting up secure administration (SSL), and setting up your server to stream hinted media, click the question mark button in the application. Information about QTSS is also available at the QuickTime Web site:
www.apple.com/quicktime/products/qtss/

Where to Find More Information

Regardless of your server administration experience, you may want to take advantage of the wide range of Apple customer training courses. To learn more, go to
train.apple.com

If You’re New to Server and Network Management

If you want to learn more about Mac OS X Server, see the Mac OS X Server Web site:
www.apple.com/macosx/server/
Online discussion groups can put you in touch with your peers. Many of the problems you encounter may already have been solved by other server administrators. To find the lists available through Apple, see the following site:
www.lists.apple.com
The AppleCare support site’s discussion boards are an additional source of information:
www.info.apple.com/
Consider obtaining some of these reference materials. They contain background information, explanations of basic concepts, and ideas for getting the most out of your network.
m Teach Yourself Networking Visually, by Paul Whitehead and Ruth Maran (IDG Books
Worldwide, 1998).
m Internet and Intranet Engineering, by Daniel Minoli (McGraw-Hill, 1997).
In addition, NetworkMagazine.com offers a number of online tutorials on its Web site:
www.networkmagazine.com

If You’re an Experienced Server Administrator

If you’re already familiar with network administration and you’ve used Mac OS X Server, Linux, UNIX, or a similar operating system, you may find these additional references useful.
m A variety of books from O’Reilly & Associates cover topics applicable to Mac OS X Server,
such as Internet Core Protocols: The Definitive Reference, DNS and BIND, and TCP/IP
Network Administration. For more advanced information, see Apache: The Definitive Guide, Writing Apache Modules with Perl and C, Web Performance Tuning, and Web Security & Commerce, also published by O’Reilly and Associates. See the O’Reilly &
Associates Web site:
www.ora.com
m See the Apache Web site for detailed information about Apache:
www.apache.org/

2 Directory Services

Directory services provide a central repository for information about the systems, applications, and users in an organization. In education and enterprise environments, directory services are the ideal way to manage users and computing resources. Organizations with as few as 10 people can benefit by deploying directory services.
Directory services can be doubly beneficial. They centralize system and network administration, and they simplify a user’s experience on the network. With directory services, information about all the users—such as their names, passwords, and preferences—as well as printers and other resources on a network can be maintained in a single location rather than on each computer on the network. Using directory services can reduce the system administrator’s user management burden. In addition, users can log in to any authorized computer on the network. Anywhere a user logs in, the user’s personal Desktop appears, customized for the user’s individual preferences. The user always has access to personal files and can easily locate and use authorized network resources.
Apple has built an open, extensible directory services architecture, called Open Directory, into Mac OS X and Mac OS X Server. A Mac OS X Server or Mac OS X client computer can use Open Directory to retrieve authoritative information about users and network resources from a variety of sources:
m directory domains on the computer itself and on other Mac OS X Servers
m directory domains on other servers, including LDAP directory domains and Active Directory domains on non-Apple servers
m BSD configuration files located on the computer itself
m network services, such as file servers, that make themselves known with the Rendezvous, AppleTalk, SLP, or SMB service discovery protocols
Mac OS 9 and Mac OS 8 managed clients also use Open Directory to retrieve some user information. For more information, see “How Macintosh Manager Works With Directory Services” on page 420 in Chapter 10, “Client Management: Mac OS 9 and OS 8.”
The Open Directory architecture also includes Open Directory Password Server. A Password Server can securely store and validate the passwords of users who want to log in to client computers on your network or use other network resources that require authentication. A Password Server can also enforce such policies as password expiration and minimum length.
To understand the information in this chapter, you should be comfortable with Mac OS X. You do not need advanced network administrator or UNIX experience to use directory services provided by Mac OS X Servers. If you want to integrate LDAP directories from other servers, you need to be familiar with LDAP. If you want to integrate Active Directory servers, you need to be familiar with Active Directory and LDAP. You need to be comfortable with UNIX if you want to integrate BSD configuration files.

Storage for Data Needed by Mac OS X

Directory services act as an intermediary between directory domains, which store information about users and resources, and the application and system software processes that want to use the information. A directory domain stores information in a specialized database that is optimized to handle a great many requests for information and to find and retrieve information quickly. Information may be stored in one directory domain or in several related directory domains.
[Figure: processes reaching directory domains (users, groups, printers, servers, mounts) through directory services]
Processes running on Mac OS X computers can use directory services to save information in a directory domain. For example, when you set up a user account, the application that you use to do this has directory services store information about the user in a directory domain.
m On a computer with Mac OS X version 10.2, you use the My Account pane or the
Accounts pane of System Preferences to set up user accounts that are valid only on the one computer.
m On a computer with Mac OS X Server version 10.2, you use the Accounts module of
Workgroup Manager to set up user accounts that are valid on all Mac OS X computers on your network. You can specify additional user attributes in a network user account, such as the location of the user’s home directory.
Whether you use Workgroup Manager or System Preferences to create a user account, the user information is stored in a directory domain.
When someone attempts to log in to a Mac OS X computer, the login process uses Mac OS X directory services—Open Directory—to validate the user name and password.
[Figure: account information written to and read from a directory domain through directory services]

A Historical Perspective

Like Mac OS X, Open Directory has a UNIX heritage. Open Directory provides access to administrative data that UNIX systems have generally kept in configuration files, which require much painstaking work to maintain. (Some UNIX systems still rely on configuration files.) Open Directory consolidates the data and distributes it for ease of access and maintenance.

Data Consolidation

For years, UNIX systems have stored administrative information in a collection of files located in the /etc directory. This scheme requires each UNIX computer to have its own set of files, and processes that are running on a UNIX computer read its files when they need administrative information. If you’re experienced with UNIX, you probably know about the files in the /etc directory—group, hosts, hosts.eq, passwd, and so forth. For example, a UNIX process that needs a user’s password consults the /etc/passwd file, which contains a record for each user account. A UNIX process that needs group information consults the /etc/group file.
[Figure: UNIX processes reading /etc/hosts, /etc/passwd, and /etc/group directly]
Open Directory consolidates administrative information, simplifying the interactions between processes and the administrative data they create and use.
[Figure: Mac OS X processes obtaining administrative data through directory services]
Processes no longer need to know how and where administrative data is stored. Open Directory gets the data for them. If a process needs the location of a user’s home directory, the process simply has Open Directory retrieve the information. Open Directory finds the requested information, and then returns it, insulating the process from the details of how the information is stored. If you set up Open Directory to access administrative data in several directory domains, Open Directory automatically consults them as needed.
[Figure: directory services consulting several directory domains on behalf of Mac OS X processes]
Some of the data stored in a directory domain is identical to data stored in UNIX configuration files. For example, the authentication attributes, home directory location, real name, user ID, and group ID—all stored in the user records of a directory domain—have corresponding entries in the standard /etc/passwd file. However, a directory domain stores much additional data to support functions that are unique to Mac OS X, such as support for managed clients and Apple Filing Protocol (AFP) directories.

Data Distribution

Another characteristic of UNIX configuration files is that the administrative data they contain is available only to the computer on which they are stored. Each computer has its own UNIX configuration files. With UNIX configuration files, each computer that someone wants to use must have that person’s user account settings stored on it, and each computer must store the account settings for every person who may want to use the computer. To set up a computer’s network settings, the administrator needs to go to the computer and directly enter the IP address and other information that identifies the computer on the network.
Similarly, when user or network information needs to be changed in UNIX configuration files, the administrator must make the changes on the computer where the files reside. Some changes, such as network settings, require the administrator to make the same changes on multiple computers. This approach becomes unwieldy as networks grow in size and complexity.
Open Directory solves this problem by letting you store administrative data in a directory domain that can be managed by a system administrator from one location. Open Directory lets you distribute the information so that it is visible on a network to the computers that need it and the administrator who manages it:
[Figure: one directory domain, managed by the system administrator from one location and distributed to users through directory services]

Uses of Directory Data

Open Directory makes it possible to consolidate and maintain network information easily in a directory domain, but this information has value only if application and system software processes running on network computers actually access the information. The real power of Open Directory is not that it provides directory services, but the fact that Mac OS X software accesses data through Open Directory.
Here are some of the ways in which Mac OS X system and application software use directory data:
m Authentication. As mentioned already, the Accounts module of Workgroup Manager
or the Accounts pane of System Preferences creates user records in a directory domain, and these records are used to authenticate users who log in to Mac OS X computers. When a user specifies a name and a password in the Mac OS X login window, the login process asks Open Directory for the user record that corresponds to the name that the user specified. Open Directory finds the user record in a directory domain and retrieves the record.
m Folder and file access. After logging in successfully, a user can access files and folders.
Mac OS X uses another data item from the user record—the user ID (UID)—to determine the user’s access privileges for a file or folder that the user wants to access. When a user accesses a folder or file, the file system compares this user’s UID to the UID assigned to the folder or file. If the UIDs are the same, the file system grants owner privileges (usually read and write privileges) to the user. If the UIDs are different, the user doesn’t get owner privileges.
m Home directories. Each user record in a directory domain stores the location of the user’s
home directory, which is also known as the user’s home folder. This is where the user keeps personal files, folders, and preferences. A user’s home directory can be located on a particular computer that the user always uses or on a network file server.
m Automount share points. Share points can be configured to automount (appear
automatically) in the /Network folder (the Network globe) in the Finder windows of client computers. Information about these automount share points is stored in a directory domain. Share points are folders, disks, or disk partitions that you have made accessible over the network.
m Mail account settings. Each user’s record in a directory domain specifies whether the
user has mail service, which mail protocols to use, how to present incoming mail, whether to alert the user when mail arrives, and more.
m Resource usage. Disk, print, and mail quotas can be stored in each user record of a
directory domain.
m Managed client information. A user’s personal preference settings, as well as preset
preferences that affect the user, are stored in a directory domain.
m Group management. In addition to user records, a directory domain also stores group
records. Each group record affects all users who are in the group. Information in group records specifies preferences settings for group members. Group records also determine access to files, folders, and computers.
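The folder and file access item above describes a UID comparison: same UID as the file, owner privileges; different UID, no owner privileges. The following added example (illustrative code written for this guide, not Mac OS X file system code) models that check and generalises it to the owner, group, and other permission classes, using the group IDs that group records supply. All user, file, and ID values are constructed samples.

```python
"""Added example: deciding a user's privileges for a file from the UID and
group IDs in the user's record (illustrative code, not the Mac OS X file
system). User names, UIDs, GIDs, and the file are constructed samples."""
import stat
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class UserRecord:
    name: str
    uid: int
    gid: int                              # primary group ID
    groups: FrozenSet[int] = frozenset()  # further group IDs from group records


@dataclass(frozen=True)
class FileInfo:
    path: str
    owner_uid: int
    group_gid: int
    mode: int                             # permission bits, e.g. 0o640


def permission_class(user: UserRecord, f: FileInfo) -> str:
    """Owner when the UIDs match (the comparison the text describes);
    otherwise group when the file's group is one of the user's groups;
    otherwise other."""
    if user.uid == f.owner_uid:
        return "owner"
    if f.group_gid == user.gid or f.group_gid in user.groups:
        return "group"
    return "other"


def privileges(user: UserRecord, f: FileInfo) -> str:
    """Return 'rw', 'r', 'w' or '' for the class the user falls into."""
    masks = {
        "owner": (stat.S_IRUSR, stat.S_IWUSR),
        "group": (stat.S_IRGRP, stat.S_IWGRP),
        "other": (stat.S_IROTH, stat.S_IWOTH),
    }
    read_bit, write_bit = masks[permission_class(user, f)]
    return ("r" if f.mode & read_bit else "") + ("w" if f.mode & write_bit else "")


# Constructed sample records: two users share primary group 20, a third does not.
ALICE = UserRecord("alice", uid=501, gid=20)
BOB = UserRecord("bob", uid=502, gid=20)
CAROL = UserRecord("carol", uid=503, gid=80, groups=frozenset({1001}))
REPORT = FileInfo("/Users/alice/report.txt", owner_uid=501, group_gid=20, mode=0o640)

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u.name, permission_class(u, REPORT), privileges(u, REPORT) or "-")
```

Only the owner (matching UID) gets read and write; a member of the file's group gets read only under mode 0o640; everyone else gets nothing, which is why the UID and GID values stored in user and group records have to be unique and consistent across the directory domains a computer searches.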

Inside a Directory Domain

Information in a directory domain is organized into record types, which are specific categories of records, such as users, machines, and mounts. For each record type, a directory domain may contain any number of records. Each record is a collection of attributes, and each attribute has one or more values. If you think of each record type as a spreadsheet that contains a category of information, then records are like the rows of the spreadsheet, attributes are like spreadsheet columns, and each spreadsheet cell contains one or more values.
For example, when you define a user by using the Accounts module of Workgroup Manager, you are creating a user record (a record of the user’s record type). The settings that you configure for the user—short name, full name, home directory location, and so on—become values of attributes in the user record. The user record and the values of its attributes reside in a directory domain.
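The following added example, written for this guide and not taken from Open Directory or NetInfo, puts the two preceding sections together in code: a directory domain modelled as record types, records, attributes, and multi-valued attributes (the spreadsheet analogy above), populated from /etc/passwd and /etc/group lines so that the correspondence between those files and user and group records noted under “Data Consolidation” is visible. The passwd and group lines are constructed samples, not from a real system, and the attribute names are this example's own.

```python
"""Added example: a toy directory domain (record type -> record -> attribute
-> values) populated from constructed /etc/passwd and /etc/group lines.
Illustrative code, not Open Directory or NetInfo; attribute names are
this example's own."""
from typing import Dict, List, Optional

# Constructed sample lines in /etc/passwd and /etc/group format (not real accounts).
PASSWD_LINES = """\
admin:*:501:20:Server Administrator:/Users/admin:/bin/tcsh
jsmith:*:502:20:Jane Smith:/Users/jsmith:/bin/tcsh
"""
GROUP_LINES = """\
staff:*:20:root,admin,jsmith
admin:*:80:root,admin
"""

Record = Dict[str, List[str]]            # attribute -> one or more values
Domain = Dict[str, Dict[str, Record]]    # record type -> record name -> record


def new_domain() -> Domain:
    return {"users": {}, "groups": {}}


def import_passwd(domain: Domain, text: str) -> int:
    """Map each /etc/passwd record onto a user record of the domain.
    Field order: name:password:uid:gid:gecos:home:shell."""
    count = 0
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, passwd, uid, gid, gecos, home, shell = fields
        domain["users"][name] = {
            "name": [name], "passwd": [passwd], "uid": [uid], "gid": [gid],
            "realname": [gecos], "home": [home], "shell": [shell],
        }
        count += 1
    return count


def import_group(domain: Domain, text: str) -> int:
    """Map each /etc/group record onto a group record; membership becomes a
    multi-valued attribute with one value per member."""
    count = 0
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, passwd, gid, members = line.split(":", 3)
        domain["groups"][name] = {
            "name": [name], "passwd": [passwd], "gid": [gid],
            "users": [m for m in members.split(",") if m],
        }
        count += 1
    return count


def lookup(domain: Domain, record_type: str, name: str,
           attribute: str) -> Optional[List[str]]:
    """What a process asks directory services for: the values of one attribute
    of one record, without knowing how or where the data is stored."""
    record = domain.get(record_type, {}).get(name)
    return None if record is None else record.get(attribute)


def groups_for_user(domain: Domain, name: str) -> List[str]:
    """Primary group (matching gid) plus every group that lists the user."""
    user = domain["users"].get(name)
    if user is None:
        return []
    return sorted(gname for gname, grec in domain["groups"].items()
                  if grec["gid"] == user["gid"] or name in grec["users"])


if __name__ == "__main__":
    d = new_domain()
    import_passwd(d, PASSWD_LINES)
    import_group(d, GROUP_LINES)
    print(lookup(d, "users", "jsmith", "home"))
    print(groups_for_user(d, "admin"))
```

Each value of an attribute is kept as a list even when there is only one, which is what lets the same model hold both the single-valued entries of a passwd record and the multi-valued membership of a group record.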

Discovery of Network Services

Open Directory can provide more than administrative data from directories. Open Directory can also provide information about services that are available on the network. For example, Open Directory can provide information about file servers that are currently available.
[Figure: file servers on the network reported through directory services]
Information about file servers and other services tends to change much more frequently than information about users. Therefore, information about network services typically isn’t stored in directory domains. Instead, information about file servers and other network servers is discovered as the need arises.
Open Directory can discover network services that make their existence and whereabouts known. Services make themselves known by means of standard protocols. Open Directory supports the following service discovery protocols:
m Rendezvous, the Apple protocol that uses multicast DNS
m AppleTalk, the legacy Mac OS protocol for file services
m Service Location Protocol (SLP), an open standard for discovering file and print services
m Server Message Block (SMB), the protocol used by Microsoft Windows
In fact, Open Directory can provide information about network services both from service discovery protocols and from directory domains. To accomplish this, Open Directory simply asks all its sources of information for the type of information requested by a Mac OS X process. The sources that have the requested type of information provide it to Open Directory, which collects all the provided information and hands it over to the Mac OS X process that requested it.
For example, if Open Directory requests information about file servers, the file servers on the network respond via service discovery protocols with their information. A directory domain that contains relatively static information about some file servers also responds to the request. Open Directory collects the information from the service discovery protocols and the directory domains.
[Figure: file server information gathered through directory services both from a directory domain and from file servers on the network]
When Open Directory requests information about a user, service discovery protocols don’t respond because they don’t have user information. (Theoretically, AppleTalk, Rendezvous, SMB, and SLP could provide user information, but in practice they don’t have any user information to provide.) The user information that Open Directory collects comes from whatever sources have it—from directory domains.
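The fan-out described in the last three paragraphs, as an added example (illustrative code written for this guide, not Open Directory's implementation): one request goes to every source, only the sources that hold that type of information answer, and the answers are merged, so a file server known both to a discovery protocol and as a static record in a directory domain is reported once with both sources. The source names are the protocols and domain types the text lists; the server, printer, and user entries are constructed samples.

```python
"""Added example: one lookup fanned out to every source, merged by name.
Illustrative code, not Open Directory; entries are constructed samples."""
from typing import Dict, List

# Each source maps the record types it can answer for to the records it holds.
SOURCES: Dict[str, Dict[str, List[dict]]] = {
    "Rendezvous": {                      # discovered on the network right now
        "fileservers": [{"name": "design-g4"}, {"name": "homes"}],
    },
    "SLP": {
        "fileservers": [{"name": "repro-share"}],
        "printers": [{"name": "lj-8100"}],
    },
    "Shared domain": {                   # relatively static records in a directory domain
        "users": [{"name": "jsmith", "uid": "502"}],
        "fileservers": [{"name": "homes"}],
    },
}


def query(record_type: str, sources: Dict[str, Dict[str, List[dict]]] = SOURCES
          ) -> Dict[str, List[str]]:
    """Ask every source for one record type. Sources that do not hold that
    type contribute nothing; the rest are merged into name -> [sources]."""
    found: Dict[str, List[str]] = {}
    for source_name, catalogue in sources.items():
        for rec in catalogue.get(record_type, []):
            found.setdefault(rec["name"], []).append(source_name)
    return found


def responding_sources(record_type: str, sources=SOURCES) -> List[str]:
    """Which sources had anything to say about this record type."""
    return sorted({s for names in query(record_type, sources).values() for s in names})


if __name__ == "__main__":
    print(query("fileservers"))
    print(responding_sources("users"))   # only the directory domain has users
```

A request for users gets an answer only from the directory domain, exactly as the paragraph above says of the service discovery protocols; a request for a record type no source holds comes back empty rather than failing.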

Directory Domain Protocols

Administrative data needed by directory services is stored on Mac OS X Servers in Open Directory databases. An Open Directory database is one type of directory domain. Open Directory can use either of two protocols to store and retrieve directory data:
m Lightweight Directory Access Protocol (LDAP), an open standard commonly used in mixed environments
m NetInfo, the Apple directory services protocol for Mac OS X
The directory services of Mac OS X version 10.2—Open Directory—can also store and retrieve administrative data that resides in existing directory domains on other servers. Open Directory can read and write data in the following domains:
m Shared NetInfo domains on other Mac OS X computers (servers or clients)
m OpenLDAP directories on various UNIX servers
m Active Directory domains on Windows servers
m Other LDAPv3-compliant directories that are configured to allow remote administration and read and write access
In addition, Open Directory can retrieve but not store administrative data in the following domains:
m BSD configuration files located on the Mac OS X Server
m LDAPv2 domains and read-only LDAPv3 domains on other servers

Local and Shared Directory Domains

Where you store your server’s user information and other administrative data is determined by whether the data needs to be shared.

Local Data

Every Mac OS X computer has a local directory domain. A local domain’s administrative data is visible only to applications and system software running on the computer where the domain resides. It is the first domain consulted when a user logs in or performs some other operation that requires data stored in a directory domain.
When the user logs in to a Mac OS X computer, Open Directory searches the computer’s local directory domain for the user’s record. If the local directory domain contains the user’s record (and the user typed the correct password), the login process proceeds and the user gets access to the computer.
[Figure: logging in to Mac OS X and connecting to Mac OS X Server, each computer consulting its own local domain]
After login, the user may choose Connect To Server from the Go menu and connect to a file server on a computer running Mac OS X Server. In this case, Open Directory on the server searches for the user’s record in the server’s local directory domain. If the server’s local directory domain has a record for the user (and the user types the correct password), the server grants the user access to the file services.
When you first set up a Mac OS X computer, its local directory domain is automatically created and populated with records. For example, a user record is created for the user who performed the installation. It contains the user name and password entered during setup, as well as other information, such as a unique ID for the user and the location of the user’s home directory.

Shared Data

While Open Directory on any Mac OS X computer can store administrative data in the computer’s local directory domain, the real power of Open Directory is that it lets multiple Mac OS X computers share administrative data by storing the data in shared directory domains. When a computer is configured to use a shared domain, any administrative data in the shared domain is also visible to applications and system software running on that computer.
If Open Directory does not find a user’s record in the local domain of a Mac OS X computer, Open Directory automatically searches for the user’s record in any shared domains to which the computer has access. In the following example, the user can access both computers because the shared domain accessible from both computers contains a record for the user.
[Figure: a shared domain reachable from both the Mac OS X computer and the Mac OS X Server, each of which also has its own local domain]
Shared domains generally reside on Mac OS X Servers, because servers are equipped with the tools, such as Workgroup Manager and Server Settings, that facilitate managing network resources and network users.
Similarly, you can make network resources such as printers visible to certain computers by setting up printer records in a shared domain accessed by those computers. For example, graphic artists in a company might need to access color printers, while copy center personnel need to use high-speed laser printers. Rather than configuring printer access for each computer individually, you could use the Print module of Server Settings to add printers to two shared domains: Graphics and Repro.
[Figure: graphic artists’ computers using the Graphics domain and copy center personnel’s computers using the Repro domain]
Printers visible in the Print Center of graphic artists’ computers would be those in the Graphics domain, while printers in the Repro domain would be visible to computers used by copy center personnel. Printers that have records in shared domains appear in the Directory Services printer list in Print Center.
While some devices may need to be used only by specific departments, other resources, such as personnel forms, may need to be shared by all employees. You could make a folder of those forms available to everybody by setting up a share point for the folder in another shared domain that all computers can access.
[Figure: the Company domain above the Graphics and Repro domains, accessible to both graphic artists’ and copy center personnel’s computers]
The shared domain at the top of a hierarchy of directory domains is sometimes called the root domain.

Shared Data in Existing Directory Domains

Some organizations—such as universities and worldwide corporations—maintain user information and other administrative data in directory domains on UNIX or Windows servers. Open Directory can be configured to search these non-Apple domains as well as shared Open Directory domains of Mac OS X Servers.
[Figure: a Mac OS X Server with a local domain and a shared domain, plus an LDAP server, serving Mac OS 9, Mac OS X, and Windows users]
When a user logs in to a computer on your network, Open Directory still searches for the user in the computer’s local domain and in shared domains on Mac OS X Servers. But if the user is not found and Open Directory has been configured to search an LDAP domain on a UNIX server, Open Directory consults the LDAP domain for information about the user.

Directory Domain Hierarchies

Local and shared domains are organized into hierarchies, tree-like topologies that have a shared domain at the top and local domains at the bottom of the tree. A hierarchy can be as simple as a local domain and a shared domain, or it can contain more shared domains.

Two-Level Hierarchies

The simplest hierarchy is a two-level hierarchy:
[Figure: a two-level hierarchy, with a shared directory domain above a local directory domain]
Here’s a scenario in which a two-level hierarchy might be used:
[Figure: one shared domain above the local domains on the English, Math, and Science department computers]
Each department (English, Math, Science) has its own computer. The students in each department are defined as users in the local domain of that department’s computer. All three of these local domains have the same shared domain, in which all the instructors are defined. Instructors, as members of the shared domain, can use services on all the departmental computers. The members of each local domain can only use services on the server where their local domain resides.
While local domains reside on their respective servers, a shared domain can reside on any Mac OS X Server accessible from the local domain’s computer. In this example, the shared domain can reside on any server accessible from the departmental servers. It can reside on one of the departmental servers, or—as shown here—on an entirely different server on the network:
[Figure: the shared domain residing on the Faculty Mac OS X Server, with local domains on the English, Math, and Science department computers]
When an instructor logs in to any of the three departmental servers and cannot be found in the local domain, the server searches the shared domain. In this example, there is only one shared domain, but in more complex hierarchies, there may be many shared domains.

More Complex Hierarchies

Open Directory also supports multilevel domain hierarchies. Complex networks with large numbers of users may find this kind of organization useful, although it’s much more complex to administer.
[Figure: a multilevel hierarchy with the Campus domain at the top, the Employees, Faculty, and Students domains beneath it, the Graduates and Undergraduates domains below Students, and local domains on Mac OS X clients or servers at the bottom]
In this scenario, an instructor defined in the Campus domain can use Mac OS X computers on which any of the local domains reside. A student defined in the Students domain can log in to any Mac OS X computers that are below the Graduates domain or Undergraduates domain.
A directory domain hierarchy affects which Mac OS X computers can see particular administrative data. The “subtrees” of the hierarchy essentially hide information from other subtrees in the hierarchy. In the education example, computers using the subtree that includes the Graduates domain do not have access to records in the Undergraduates domain. But records in the Campus domain are visible to any computer.
Directory domain visibility depends on the computer, not the user. So when a user logs in to a different computer, administrative data from different directory domains may be visible to that computer. In the education scenario described here, an undergraduate can log in to a graduate student’s computer if the undergraduate’s user record resides in the Students domain. But the devices that are defined in the Undergraduates domain are not visible unless they are also defined in the Graduates, Students, or Campus domain.
You can affect an entire network or just a group of computers by choosing which domain to publish administrative data in. The higher the administrative data resides in a directory domain hierarchy, the fewer places it needs to be changed as users and system resources change. Probably the most important aspect of directory services for administrators is planning directory domains and hierarchies. These should reflect the resources you want to share, the users you want to share them among, and even the way you want to manage your directory data.

Search Policies for Directory Domain Hierarchies

In a hierarchy of directory domains, each Mac OS X computer has a search policy that specifies the order in which Open Directory searches the domains. A search policy, also known as a search path, is simply a list of directory domains. On a Mac OS X computer, Open Directory goes down this list of directory domains whenever an application or system software running on the computer needs administrative data. The list of directory domains defines the computer’s search policy. The search policy effectively establishes the computer’s place in the hierarchy.
A computer’s local directory domain is always first on the list. It may be followed by shared Open Directory domains on Mac OS X Servers and LDAP domains on other servers. It may also include a set of BSD configuration files that are on the computer.
For example, when someone tries to log in to a Mac OS X computer, Open Directory searches the computer’s local domain for the user’s record. The local directory domain is always first on a computer’s search policy.
[Figure: is the user defined in the local domain? The Graduates domain is next in the search policy]
If the local domain does not contain the user’s record, Open Directory goes to the next directory domain in the search policy.
[Figure: not found in the local domain, so Open Directory asks the Graduates domain next]
If the second directory domain also does not contain the user’s record, Open Directory searches the remaining directory domains in the search policy one by one until it searches the last shared domain.
[Figure: not found in the local or Graduates domain, so Open Directory continues to the Students domain and then the Campus domain]
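The search procedure just described, as an added example (illustrative code written for this guide, not Open Directory's implementation): a search policy is an ordered list of domain names, the local domain always first, and Open Directory stops at the first domain that holds the record. The block also shows the visibility rule from “More Complex Hierarchies”, where a computer using the Graduates subtree can find a user defined in the Students domain but cannot see printers defined in the Undergraduates domain, and a hand-built list standing in for a custom search policy. The domain names are the chapter's education scenario; the user, computer, and printer names are constructed samples.

```python
"""Added example: a search policy as an ordered list of directory domains,
walked from the local domain upward until a record is found. Illustrative
code, not Open Directory; record names are constructed samples."""
from typing import Dict, List, Optional, Tuple

# Constructed sample contents: record type -> record names held by each domain.
DOMAINS: Dict[str, Dict[str, List[str]]] = {
    "Local (grad lab)":  {"users": ["localadmin"], "computers": ["grad-lab-01"]},
    "Local (ugrad lab)": {"users": ["localadmin"], "computers": ["ugrad-lab-01"]},
    "Graduates":         {"users": ["gstudent"], "printers": ["grad-laser"]},
    "Undergraduates":    {"users": ["ustudent"], "printers": ["ugrad-laser"]},
    "Students":          {"users": ["astudent"]},
    "Campus":            {"users": ["instructor"], "printers": ["campus-color"]},
}

# Parent of each shared domain in the hierarchy; Campus is the root.
PARENT: Dict[str, str] = {
    "Graduates": "Students", "Undergraduates": "Students", "Students": "Campus",
}


def search_policy(local: str, first_shared: str) -> List[str]:
    """Automatic-style policy: the local domain, then the shared domains from
    the computer's place in the hierarchy up to the root."""
    policy = [local]
    d: Optional[str] = first_shared
    while d is not None:
        policy.append(d)
        d = PARENT.get(d)
    return policy


def find_record(policy: List[str], record_type: str, name: str,
                domains: Dict[str, Dict[str, List[str]]] = DOMAINS
                ) -> Optional[Tuple[str, str]]:
    """Walk the policy in order; return (domain, name) from the first domain
    that holds the record, or None when no domain in the policy does.
    A domain the policy names but we hold no data for is simply skipped."""
    for domain in policy:
        if name in domains.get(domain, {}).get(record_type, []):
            return (domain, name)
    return None


def visible(policy: List[str], record_type: str,
            domains: Dict[str, Dict[str, List[str]]] = DOMAINS) -> List[str]:
    """Every record of one type that a computer using this policy can see."""
    names: List[str] = []
    for domain in policy:
        names.extend(domains.get(domain, {}).get(record_type, []))
    return names


if __name__ == "__main__":
    grad = search_policy("Local (grad lab)", "Graduates")
    print(grad)                                   # local first, Campus last
    print(find_record(grad, "users", "instructor"))
    print(visible(grad, "printers"))              # no ugrad-laser here
```

Because visibility depends on the computer's policy rather than on the user, the same user record (here astudent in the Students domain) is found from both lab computers, while the printers of a sibling subtree are not.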

The Automatic Search Policy

Initially, every computer with Mac OS X version 10.2 is set to use an automatic search policy. It consists of three parts, two of which are optional:
m local directory domain
m shared NetInfo domains (optional)
m shared LDAPv3 domains (optional)
A computer’s automatic search policy always begins with the computer’s local directory domain.
Next the automatic search policy looks at the binding of shared NetInfo domains. The computer’s local domain may be bound to a shared NetInfo domain, which may in turn be bound to another shared NetInfo domain, and so on. The NetInfo binding, if any, constitutes the second part of the automatic search policy. See “Configuring NetInfo Binding” on page 111 for additional information.
The third and final part of a computer’s automatic search policy consists of shared LDAPv3 domains. They are included only if the computer uses a DHCP service that’s configured to supply the addresses of one or more LDAPv3 servers. The DHCP service of Mac OS X Server can supply LDAPv3 servers. See “Setting the LDAP Server for DHCP Clients” on page 479 in Chapter 11, “DHCP Service.”
A computer’s automatic search policy may change if the computer is moved to a part of the network served by a different DHCP service. When the user logs in at the new location, the computer connects to the new DHCP service. The new DHCP service may change the NetInfo binding and may supply a different list of LDAPv3 servers than the DHCP service at the former location.

Custom Search Policies

If you don’t want a Mac OS X version 10.2 computer—server or client—to use the automatic search policy supplied by DHCP, you can define a custom search policy for the computer.
[Figure: a custom search policy, from bottom to top: local domain, Graduates domain, Students domain, LDAP Server 1, Campus domain]
In this scenario, a custom search policy specifies that LDAP Server 1 be consulted when a user record or other administrative data cannot be found in the directory domains of the automatic search policy. The custom search policy also specifies that if the user information or other administrative data is not found on the LDAP server, a shared Open Directory domain named “Campus” is searched.

Directory Domain Planning

Keeping information in shared directory domains gives you more control over your network, allows more users access to the information, and makes maintaining the information easier for you. But the amount of control and convenience depends on the effort you put into planning your shared domains. The goal of directory domain planning is to design the simplest hierarchy of shared domains that gives your Mac OS X users easy access to the network resources they need and minimizes the time you spend maintaining administrative data.

General Planning Guidelines

If you do not need to share user and resource information among multiple Mac OS X computers, there is very little directory domain planning necessary. Everything can be accessed from local directory domains. Just ensure that all individuals who need to use a particular Mac OS X computer are defined as users in the local directory domain on the computer.
[Figure: a user logs in to a Mac OS X computer using its Local domain and connects to a Mac OS X Server using the server’s Local domain.]
If you want to share information among Mac OS X computers, you need to set up at least one shared domain.
[Figure: a Shared domain above the Local domains of a Mac OS X computer (log in to) and a Mac OS X Server (connect to).]
A hierarchy this simple may be completely adequate when all your network computer users share the same resources, such as printers and share points for home directories, applications, and so forth.
Larger, more complex organizations can benefit from a deeper directory domain hierarchy.
[Figure: an education hierarchy of six shared domains: Campus domain at the top, with Students domain (Undergraduates domain and Graduates domain beneath it) and Employees domain (Faculty domain beneath it).]

Controlling Data Accessibility

Hierarchies that contain several shared domains let you make directory information visible to only subsets of a network’s computers. In the foregoing example hierarchy, the administrator can tailor the users and resources visible to the community of Mac OS X computers by distributing directory information among six shared domains.
If you want all computers to have access to certain administrative data, you store that data in the shared domain at the top of your hierarchy, where all computers can access it. To make some data accessible only to a subset of computers, you store it in a shared domain that only those computers can access.
You might want to set up multiple shared directory domains to support computers used by specific groups within an organization. For example, you might want to make share points containing programming applications and files visible only to engineering computers. On the other hand, you might give technical writers access to share points that store publishing software and document files. If you want all employees to have access to each other’s home directories, you would store mount records for all the home directories in the topmost shared domain.

Simplifying Changes to Data in Directory Domains

If you need more than one shared directory domain, you should organize your hierarchy of shared domains to minimize the number of places data has to change over time. You should also devise a plan that addresses how you want to manage such ongoing events as
• new users joining and leaving your organization
• file servers being added, enhanced, or replaced
• printers being moved among locations
You’ll want to try to make each directory domain applicable to all the computers that use it so you don’t have to change or add information in multiple domains. In the education hierarchy example, all students may have user records in the Students domain and all employees have accounts in the Employees domain. As undergraduate students leave or become graduate students, or as employees are hired or retire, the administrator can make adjustments to user information simply by editing one domain.
If you have a widespread or complex hierarchy of directory domains in a network that is managed by several administrators, you need to devise strategies to minimize conflicts. For example, you can predefine ranges of user IDs (UIDs) to avoid inadvertent file access. (For more information, see “Defining User IDs” on page 144 in Chapter 3, “Users and Groups.”)

Identifying Computers for Hosting Shared Domains

If you need more than one shared domain, you need to identify the computers on which shared domains should reside. Shared domains affect many users, so they should reside on Mac OS X Servers that have the following characteristics:
• restricted physical access
• limited network access
• equipped with high-availability technologies, such as uninterruptible power supplies
You should select computers that will not be replaced frequently and that have adequate capacity for growing directory domains. While you can move a shared domain after it has been set up, you may need to reconfigure the search policies of computers that bind to the shared domain so that their login hierarchies remain intact.

Open Directory Password Server

Besides providing directory services on Mac OS X Servers and other Mac OS X computers, Open Directory can also provide authentication services. An Open Directory Password Server can store and validate user passwords for login and other network services that require authentication. A Password Server supports basic authentication as well as authentication protocols that protect the privacy of a password during transmission on the network. A Password Server lets you set up specific password policies for each user, such as automatic password expiration and minimum password length.
Your Mac OS X Server can host a Password Server, or it can get authentication services from a Password Server hosted by another Mac OS X Server.

Authentication With a Password Server

When a user’s account is configured to use a Password Server, the user’s password is not stored in a directory domain. Instead, the directory domain stores a unique password ID assigned to the user by the Password Server. To authenticate a user, directory services pass the user’s password ID to the Password Server. The Password Server uses the password ID to find the user’s actual password and any associated password policy.
For example, the Password Server may locate a user’s password but discover that it has expired. If the user is logging in, the login window asks the user to replace the expired password. Then the Password Server can authenticate the user.
A Password Server can’t authenticate a user during login on a computer with Mac OS X version 10.1 or earlier.
You’ll find more information about configuring user accounts to use a Password Server in “Understanding Password Validation” on page 189 of Chapter 3, “Users and Groups.”

Network Authentication Protocols

The Password Server is based on a standard known as Simple Authentication and Security Layer (SASL). This standard enables a Password Server to support the wide range of network user authentication protocols used by various network services of Mac OS X Server, such as mail service and file services. Here are a few of the network authentication protocols that the Password Server supports:
• CRAM-MD5
• MD5
• APOP
• NT and LAN Manager (for SMB)
• SHA-1
• DHX
• AFP 2-Way Random
• WebDAV Digest

Password Server Database

The Password Server maintains a record for each user that includes the following:
• Password ID, a 128-bit value assigned when the password is created. The value includes a key for finding a user’s Password Services record.
• The password, stored in recoverable or hashed form. The form depends on the network authentication protocols enabled for the Password Server (using Open Directory Assistant). If APOP or 2-Way Random is enabled, the Password Server stores a recoverable (encrypted) password. If neither of these methods is enabled, only hashes of the passwords are stored.
• Data about the user that is useful in log records, such as the user’s short name.
• Password policy data.

Password Server Security

The Password Server stores passwords, but never allows passwords to be read. Passwords can only be set and verified. Malicious users who want to gain access to your server must try to log in over the network. Invalid password instances, logged by the Password Server, can alert you to such attempts.
Using a Password Server offers flexible and secure password validation, but you need to make sure that the server on which a Password Server runs is secure:
• Set up Password Servers on a server that is not used for any other activity.
• Since the load on a Password Server is not particularly high, you can have several (or even all) of your Open Directory server domains share a single Password Server.
• Set up IP firewall service so nothing is accepted from unknown ports. Password Server uses a well-known port.
• Make sure that the Password Server’s computer is located in a physically secure location, and don’t connect a keyboard or monitor to it.
• Equip the server with an uninterruptible power supply.
The Password Server must remain available to provide authentication services. If the Password Server goes down, password validation cannot occur, because you cannot replicate a Password Server.
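The authentication flow described above (a directory record that holds only a password ID, a Password Server that can set and verify a password but never return it, password policy with expiration and minimum length, and a log of failed attempts), as a constructed Python model that is not Apple’s code. The salted-hash scheme, the log format and every name and value in it are assumptions; only the hashed storage form is modelled, and the recoverable form required by APOP or 2-Way Random is reported but not implemented.

```python
"""Constructed model of login through an Open Directory Password Server
(not Apple's code). The directory record holds only a 128-bit password ID;
the Password Server keeps the password and policy, and can set or verify a
password but never return it. Hashing scheme and log format are assumptions."""
import hashlib
import hmac
import os
import time

# Protocols that, per the guide, force the server to keep a recoverable form.
RECOVERABLE_PROTOCOLS = {"APOP", "AFP 2-Way Random"}


def storage_form(enabled_protocols):
    """Return the form passwords must be stored in for this protocol set."""
    if RECOVERABLE_PROTOCOLS & set(enabled_protocols):
        return "recoverable"
    return "hashed"


class PasswordPolicy:
    def __init__(self, min_length=0, max_age_seconds=None):
        self.min_length = min_length            # 0 = no minimum
        self.max_age_seconds = max_age_seconds  # None = never expires


class PasswordServer:
    def __init__(self):
        self._records = {}  # password_id (16 bytes) -> record dict
        self.log = []       # constructed audit log of failed attempts

    @staticmethod
    def _hash(password, salt):
        # Assumed scheme: salted PBKDF2-SHA256; not the real server's format.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def create(self, short_name, password, policy, now=None):
        """Create a record and return the 128-bit password ID for the directory."""
        password_id = os.urandom(16)
        self._records[password_id] = {"short_name": short_name, "policy": policy}
        self.set_password(password_id, password, now)
        return password_id

    def set_password(self, password_id, password, now=None):
        """Replace the stored password; enforces the policy's minimum length."""
        rec = self._records[password_id]
        if len(password) < rec["policy"].min_length:
            raise ValueError("password shorter than policy minimum")
        salt = os.urandom(16)
        rec["salt"] = salt
        rec["hash"] = self._hash(password, salt)
        rec["set_at"] = time.time() if now is None else now

    def verify(self, password_id, candidate, now=None):
        """Return 'ok', 'expired', 'bad_password' or 'unknown_id'.
        There is deliberately no method that returns a stored password."""
        now = time.time() if now is None else now
        rec = self._records.get(password_id)
        if rec is None:
            self.log.append(("unknown_id", password_id.hex()))
            return "unknown_id"
        if not hmac.compare_digest(rec["hash"], self._hash(candidate, rec["salt"])):
            self.log.append(("bad_password", rec["short_name"]))
            return "bad_password"
        max_age = rec["policy"].max_age_seconds
        if max_age is not None and now - rec["set_at"] > max_age:
            return "expired"  # the login window must ask for a replacement
        return "ok"

    def failed_attempts(self, short_name):
        """Count logged bad-password attempts for one user (for alerting)."""
        return sum(1 for kind, who in self.log
                   if kind == "bad_password" and who == short_name)


class DirectoryDomain:
    """Stores user records with a password ID instead of a password."""
    def __init__(self):
        self.users = {}

    def add_user(self, short_name, uid, password_id):
        self.users[short_name] = {"uid": uid, "password_id": password_id}


def login(domain, server, short_name, candidate, now=None):
    """Directory services pass the user's password ID to the Password Server."""
    user = domain.users.get(short_name)
    if user is None:
        return "no_such_user"
    return server.verify(user["password_id"], candidate, now)
```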

Overview of Directory Services Tools

The following applications help you set up and manage directory domains and Password Servers.
• Open Directory Assistant. Use to create and configure shared or standalone Open Directory domains (NetInfo or LDAPv3) and to set up Open Directory Password Servers. Located in /Applications/Utilities.
• Directory Access. Use to enable or disable individual directory service protocols; define a search policy; configure connections to existing LDAPv3, LDAPv2, and NetInfo domains; and configure data mapping for LDAPv3 and LDAPv2 domains. Located in /Applications/Utilities.
• Server Status. Use to monitor directory services and view directory services logs. Located in /Applications/Utilities.
Experts can also use the following applications to manage directory domains:
• Property List Editor. Use to add BSD configuration files that you want Open Directory to access for administrative data, and change the mapping of the data in each BSD configuration file to specific Mac OS X record types and attributes. Located in /Developer/Applications if you have installed the developer tools from the Developer Tools CD.
• NetInfo Manager. Use to view and change records, attributes, and values in an Open Directory domain (LDAPv3 or NetInfo) or in a NetInfo domain; manage a NetInfo hierarchy; and back up and restore a NetInfo domain. Located in /Applications/Utilities.
• Terminal. Open to use UNIX command-line tools that manage NetInfo domains. Located in /Applications/Utilities.

Setup Overview

Here is a summary of the major tasks you perform to set up and maintain directory services. See the pages indicated for detailed information about each task.

Step 1: Before you begin, do some planning

See “Before You Begin” on page 91 for a list of items to think about before you start configuring directory domains.

Step 2: Set up Open Directory domains and Password Servers

Create shared directory domains on the Mac OS X Servers that you want to host them. At the same time, set up Open Directory Password Servers. See the following sections:
• “Setting Up an Open Directory Domain and Password Server” on page 92
• “Deleting a Shared Open Directory Domain” on page 93

Step 3: Set up access to directory domains on other servers

If some of your user information and other administrative data will not reside in Open Directory domains, you must make sure your other sources of data are set up for Mac OS X. For instructions, see the following sections of this chapter:
• “Configuring Access to Existing LDAPv3 Servers” on page 98
• “Using an Active Directory Server” on page 104
• “Accessing an Existing LDAPv2 Directory” on page 106
• “Using NetInfo Domains” on page 110
• “Using Berkeley Software Distribution (BSD) Configuration Files” on page 115

Step 4: Implement search policies

Set up search policies so that all computers have access to the shared directory domains they need. Note that if all computers have Mac OS X version 10.2 and can use the automatic search policy, there is nothing to set up. Otherwise, see “Setting Up Search Policies” on page 94.
If your network includes computers with Mac OS X versions earlier than 10.2, configure the local domain on each of them so that it binds to a shared NetInfo domain. See “Using NetInfo Domains” on page 110.

Step 5: Configure Open Directory service protocols (optional)

You may want to disable some of the protocols that Open Directory uses to access directory domains and to discover network services. See “Configuring Open Directory Service Protocols” on page 93.

Before You Begin

Before setting up directory services for the first time:
• Understand why clients need directory data, as discussed in the first several sections of this chapter.
• Assess your server access requirements.
  Identify which users need to access your Mac OS X Servers.
  Users whose information can be managed most easily on a server should be defined in a shared Open Directory domain on a Mac OS X Server. Some of these users may instead be defined in Active Directory domains or LDAP domains on other servers.
  For more information, see “Local and Shared Directory Domains” on page 74 and “Directory Domain Hierarchies” on page 78.
• Understand search policies, as described in “Search Policies for Directory Domain Hierarchies” on page 82.
• Design the hierarchy of shared directory domains.
  Determine whether user information should be stored in a local directory domain or in a directory domain that can be shared among servers. Design your directory domain hierarchy, identifying the shared and local domains you want to use, the servers on which the shared domains should reside, and the relationships between shared domains. In general, try to limit the number of users associated with any directory domain to no more than 10,000.
  “Directory Domain Planning” on page 85 provides some guidelines that will help you decide what your directory domain hierarchy should look like.
• Assess your authentication needs.
  Decide whether to use an Open Directory Password Server. Decide which Mac OS X Server will host the Password Server. See “Open Directory Password Server” on page 87.
• Consider the best equipment and location for your servers.
  Choose computers and locations that are reliable and accessible.
  If possible, use a dedicated Mac OS X Server for directory services.
  Make the server physically secure. It shouldn’t have a keyboard or monitor, especially if it hosts a Password Server.
• Pick server administrators very carefully. Give only trusted people administrator passwords.
  Have as few administrators as possible. Don’t delegate administrator access for minor tasks, such as changing settings in a user record.
Always remember: directory information is authoritative. It vitally affects everyone whose computers use it.

Setting Up an Open Directory Domain and Password Server

You can use the Open Directory Assistant application to configure how a Mac OS X Server works with directory information and a Password Server. This application can configure a server to use a directory domain in one of the following ways:
• Use a shared directory domain hosted by another server.
• Host a shared Open Directory domain.
• Use only the server’s own local directory domain.
• Delete the server’s shared directory domain.
In addition, Open Directory Assistant can configure a server to use a Password Server in one of the following ways:
• Use an existing Password Server.
• Host a Password Server.
• Don’t use a Password Server.
Open Directory Assistant runs automatically as part of the installation and setup process of Mac OS X Server. At any other time, you can open Open Directory Assistant from the Finder.
To configure how your server works with directory information and a Password Server:
1 Open the Open Directory Assistant application.
It is located in the /Applications/Utilities folder.
2 Enter the connection and authentication information for the Mac OS X Server that you want to configure, then click Connect.
For Address, enter the DNS name or IP address of the server that you want to configure.
For User Name, enter the user name of an administrator on the server.
For Password, enter the password for the user name you entered.
3 Follow the self-guided steps for configuring the server’s use of a directory domain and a Password Server.

Deleting a Shared Open Directory Domain

You can delete a shared Open Directory domain that is hosted by a Mac OS X Server. Use Open Directory Assistant to do this.
Warning: When you delete a directory domain, all user account information and other administrative data that it contains is lost.
To delete a shared directory domain hosted by a Mac OS X Server:
1 Start Open Directory Assistant.
2 Enter the connection and authentication information for the Mac OS X Server that hosts the shared domain you want to delete, then click Connect.
For Address, enter the DNS name or IP address of the server.
For User Name, enter the user name of an administrator on the server.
For Password, enter the password for the user name you entered.
3 Choose Delete Hosted Domain from the Domain menu.
After deleting a shared domain that is supplied automatically by DHCP, you must remove it from the DHCP service. Otherwise client computers may pause for long periods of time while trying to access the deleted domain. For instructions, see “Setting the LDAP Server for DHCP Clients” on page 479 in Chapter 11, “DHCP Service.”

Configuring Open Directory Service Protocols

Open Directory uses many protocols to access administrative data in directory domains and discover services on the network. You can enable or disable each of the protocols individually by using the Directory Access application. The protocols include
• AppleTalk, the legacy Mac OS protocol for file and print services
• BSD Configuration Files, the original method still used by some organizations for accessing administrative data on UNIX computers
• Lightweight Directory Access Protocol version 2 (LDAPv2), an open standard that Open Directory can use to access (read-only) directory domains on a variety of servers
• LDAPv3, a newer version of the popular directory services protocol, which Open Directory uses to access (read and write) data in Open Directory domains on computers and servers with Mac OS X version 10.2, Active Directory domains on Windows servers, and directory domains on various other servers
• NetInfo, an Apple directory services protocol that Open Directory can use to access (read and write) data in directory domains on all Mac OS X computers
• Rendezvous, an Apple protocol for discovering file, print, and other services on Internet Protocol (IP) networks
• Service Location Protocol (SLP), an open standard for discovering file and print services on IP networks
• Server Message Block (SMB), a protocol used by Microsoft Windows for file and print services
If you disable a protocol on a computer, Open Directory does not use it for directory access or service discovery on the computer. Other network services may still use the protocol, however. For example, if you disable the AppleTalk protocol, Open Directory does not use it to discover file servers, but you can still connect to an AppleTalk file server if you know its URL.
To enable or disable protocols used by Open Directory:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Click the checkbox next to the protocol that you want to enable or disable.
4 Click Apply.

Setting Up Search Policies

This section describes how to configure the search policy that Open Directory uses when it retrieves authentication information and other administrative data from directory domains. The search policy can also include protocols for discovering services on the network, such as file and print services.
A Mac OS X computer—server or client—actually has more than one search policy. The authentication search policy is used to find authentication information and most other administrative data. The contacts search policy is used by mail, address book, personal information manager, and similar applications to locate name, address, and other contact information.
You can configure the authentication search policy for a Mac OS X Server or other Mac OS X computer by using the Directory Access application. You can use the same application to configure the computer’s contacts search policy. (The Open Directory Assistant application also configures the authentication search policy of a Mac OS X Server, but does not offer as many options as Directory Access.)
You can configure the search policy of the computer on which you are running Directory Assistant as follows:
• Use the automatic search policy—shared NetInfo domains, list of LDAP servers supplied by DHCP, or both.
• Define a custom search policy for the computer if it needs to search additional directory servers, BSD configuration files, or service discovery protocols.
• Use only the computer’s local directory domain.

Using the Automatic Search Policy

You can configure a Mac OS X computer to use the automatic search policy. This is the default configuration. You can configure a computer to use the automatic search policy by using the Directory Access application on the computer.
The automatic search policy always includes the local directory domain. The automatic search policy also includes shared NetInfo domains to which the computer is bound and shared LDAPv3 domains supplied by DHCP. The shared NetInfo domains are optional, as are the shared LDAPv3 domains. For more information, see “Using NetInfo Domains” on page 110 and “Setting the LDAP Server for DHCP Clients” on page 479.
To use the automatic search policy supplied by DHCP:
1 In Directory Access, click the Authentication tab or the Contacts tab.
Click Authentication to configure the search policy used for authentication and most other administrative data.
Click Contacts to configure the search policy used for contact information in some mail, address book, and personal information manager applications.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Choose Automatic from the Search pop-up menu, then click Apply.

Defining a Custom Search Policy

You can configure a Mac OS X computer to search specific Open Directory servers, LDAP servers, NetInfo domains, BSD configuration files, or directory service protocols in addition to the servers in the automatic search policy. You define a custom search policy with the Directory Access application on the computer that you want to configure.
Note: Make sure the computer has been configured to access the LDAP servers, Active Directory servers, NetInfo domains, and BSD configuration files that you want to add to the search policy. For instructions, see the subsequent sections of this chapter.
To define a custom search policy for the computer:
1 In Directory Access, click the Authentication tab or the Contacts tab.
Click Authentication to configure the search policy used for authentication and most other administrative data.
Click Contacts to configure the search policy used for contact information in some mail, address book, and personal information manager applications.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Choose “Custom path” from the Search pop-up menu.
4 Click Add.
5 Select from the list of available directories and click Add.
To add multiple directories, select more than one and click Add.
6 Change the order of the listed directory domains as needed, and remove listed directory
domains that you don’t want in the search policy.
Move a listed directory domain by dragging it up or down.
Remove a listed directory domain by selecting it and clicking Remove.
7 Click Apply.

Using a Local Directory Search Policy

If you want to limit the access that a computer has to authentication information and other administrative data, you can restrict the computer’s authentication search policy to the local directory domain. If you do this, users without local accounts on the computer will be unable to log in or authenticate for any services it provides. You can configure a computer to use only its local directory domain by using the Directory Access application on the computer.
To restrict a computer to its local directory domain:
1 In Directory Access, click the Authentication tab or the Contacts tab.
Click Authentication to configure the search policy used for authentication and most other administrative data.
Click Contacts to configure the search policy used for contact information in some mail, address book, and personal information manager applications.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Choose “Local directory” from the Search pop-up menu, then click Apply.
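The three search-policy choices of this section (automatic, custom, local only) and the “Custom Search Policies” scenario earlier in the chapter, as a constructed Python model that is not part of Apple’s guide or software: a policy is an ordered list of domains, a lookup takes the first record found, and two checks flag the UID conflicts the planning guidelines warn about. All domain, user and UID values are made up.

```python
"""Constructed model of Mac OS X 10.2 search-policy resolution (not Apple's
code). A policy is an ordered list of directory domains; lookups consult them
in order and the first record found wins. Domain and user names are made up."""


class Domain:
    def __init__(self, name, kind, users=None):
        self.name = name          # e.g. "Local", "Students", "LDAP Server 1"
        self.kind = kind          # "local", "netinfo" or "ldapv3"
        self.users = users or {}  # short name -> UID


def automatic_policy(local, bound_netinfo=(), dhcp_ldap=()):
    """Local domain, then the shared NetInfo domains the computer is bound to
    (nearest first), then the LDAPv3 servers the DHCP service supplied."""
    return [local, *bound_netinfo, *dhcp_ldap]


def custom_policy(local, bound_netinfo=(), dhcp_ldap=(), extra=()):
    """The automatic policy followed by the directories added by hand."""
    return automatic_policy(local, bound_netinfo, dhcp_ldap) + list(extra)


def local_only_policy(local):
    """Only accounts in the local domain can log in or authenticate."""
    return [local]


def lookup_user(policy, short_name):
    """Return (domain name, UID) from the first domain holding the record."""
    for domain in policy:
        if short_name in domain.users:
            return domain.name, domain.users[short_name]
    return None


def uid_range_violations(domains, ranges):
    """List users whose UID is outside the range reserved for their domain.
    `ranges` maps domain name -> (low, high), inclusive; predefining such
    ranges is what the guide recommends to avoid inadvertent file access."""
    bad = []
    for domain in domains:
        low, high = ranges[domain.name]
        for name, uid in domain.users.items():
            if not low <= uid <= high:
                bad.append((domain.name, name, uid))
    return bad


def duplicate_uids(policy):
    """UIDs held by different users across the domains a policy searches."""
    seen = {}
    dups = []
    for domain in policy:
        for name, uid in domain.users.items():
            if uid in seen:
                dups.append((uid, seen[uid], (domain.name, name)))
            else:
                seen[uid] = (domain.name, name)
    return dups
```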

Changing Basic LDAPv3 Settings

You can use the Directory Access application to change basic settings for accessing LDAPv3 servers, including the shared Open Directory domains of Mac OS X Servers:
• Enable or disable use of LDAPv3 servers supplied by DHCP.
• Reveal an intermediate level of LDAPv3 information and options.
The Open Directory Assistant application also configures use of LDAPv3 servers supplied by DHCP, but does not offer as many options as Directory Access.

Enabling or Disabling Use of DHCP-Supplied LDAPv3 Servers

Your Mac OS X computer can automatically access LDAPv3 servers via DHCP. This automatic access requires that the DHCP service be configured to supply an LDAPv3 server on request.
You can enable or disable this method of accessing an LDAPv3 server for each network location that is defined in the Network pane of System Preferences.
To enable or disable automatic access to an LDAPv3 server:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 From the Location pop-up menu, choose the network location that you want to affect, or use Automatic.
5 Click the checkbox to enable or disable use of the LDAPv3 server supplied by DHCP.
If you disable this setting, this computer doesn’t use any LDAPv3 servers supplied by DHCP. However, the computer may automatically access shared NetInfo domains. See “Using NetInfo Domains” on page 110 for more information.
If you enable this setting, the DHCP service should be configured to supply one or more LDAPv3 server addresses. For instructions, see “Setting the LDAP Server for DHCP Clients” on page 479 in Chapter 11, “DHCP Service.”

Showing or Hiding Available LDAPv3 Configurations

You can show or hide a list of available LDAPv3 server configurations. When you show the list, you see and can change some settings for each LDAPv3 configuration.
To show or hide the available LDAPv3 configurations:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 From the Location pop-up menu, choose the network location that you want to see, or use Automatic.
5 Click Show Options or Hide Options.

Configuring Access to Existing LDAPv3 Servers

On a Mac OS X computer that is not configured to access an LDAPv3 server automatically via DHCP, you can manually configure access to one or more LDAPv3 servers. You can do the following:
• Create server configurations and enable or disable them individually. For instructions, see “Creating an LDAPv3 Configuration” on page 98.
• Edit the settings of a server configuration. For instructions, see “Editing an LDAPv3 Configuration” on page 99.
• Duplicate a configuration. For instructions, see “Duplicating an LDAPv3 Configuration” on page 99.
• Delete a configuration. For instructions, see “Deleting an LDAPv3 Configuration” on page 100.
• Change the connection settings for an LDAPv3 configuration. For instructions, see “Changing an LDAPv3 Configuration’s Connection Settings” on page 100.
• Define custom mappings of Mac OS X record types and attributes to LDAPv3 record types, search bases, and attributes. For instructions, see “Configuring LDAPv3 Search Bases and Mappings” on page 101.
• Populate LDAPv3 directory domains with records and data. For instructions, see “Populating LDAPv3 Domains With Data for Mac OS X” on page 103.

Creating an LDAPv3 Configuration

You can use Directory Access to create a configuration for an LDAPv3 server.
To create an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Click New and enter a name for the configuration.
6 Press Tab and enter the LDAPv3 server’s DNS name or IP address.
7 Choose a mapping template from the inline pop-up menu, or choose From Server.
8 Enter the search base for your LDAPv3 server and click OK.
If you chose a template in step 7, you must enter a search base, or the LDAPv3 server will not function.
If you chose From Server in step 7, you may be able to leave the search base blank and have the LDAPv3 server function. In this case, Open Directory will look for the search base at the first level of the LDAPv3 server.
9 Select the SSL checkbox if you want Open Directory to use Secure Sockets Layer (SSL) for connections with the LDAPv3 server.
After creating a new server configuration, you should add the server to an automatic search policy supplied by a DHCP server or to a custom search policy. A computer can access an LDAP server only if the server is included in the computer’s search policy, either automatic or custom. For more information, see “Setting Up Search Policies” on page 94 and “Setting the LDAP Server for DHCP Clients” on page 479 of Chapter 11, “DHCP Service.”

Editing an LDAPv3 Configuration

You can use Directory Access to change the settings of an LDAPv3 server configuration.
To edit an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Change any of the settings displayed in the list of server configurations.
Click an Enable checkbox to activate or deactivate a server.
To change a configuration name, double-click it in the list.
To change a server name or IP address, double-click it in the list.
Choose a mapping template from the inline pop-up menu.
Click the SSL checkbox to enable or disable Secure Sockets Layer (SSL) connections.

Duplicating an LDAPv3 Configuration

You can use Directory Access to duplicate an LDAPv3 server configuration. After duplicating a configuration, you can change its settings.
To duplicate an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Select a server configuration in the list, then click Duplicate.
6 Change any of the duplicate configuration’s settings.
Click an Enable checkbox to activate or deactivate a server.
To change a configuration name, double-click it in the list.
To change a server name or IP address, double-click it in the list.
Choose a mapping template from the inline pop-up menu.
Click the SSL checkbox to enable or disable Secure Sockets Layer (SSL) connections.
After duplicating a server configuration, you should add the duplicate to an automatic search policy supplied by a DHCP server or to a custom search policy. A computer can access an LDAP server only if the server is included in the computer’s search policy, either automatic or custom. For more information, see “Setting Up Search Policies” on page 94 and “Setting the LDAP Server for DHCP Clients” on page 479 of Chapter 11, “DHCP Service.”

Deleting an LDAPv3 Configuration

You can use Directory Access to delete an LDAPv3 server configuration.
To delete an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Select a server configuration in the list, then click Delete.

Changing an LDAPv3 Configuration’s Connection Settings

You can use Directory Access to change the connection settings for an LDAPv3 server configuration.
To change the connection settings of an LDAPv3 server configuration:
1 In Directory Access, click the Services tab.
2 If the lock icon is locked, click it and type the name and password of a server administrator.
3 Select LDAPv3 in the list of services, then click Configure.
4 If the list of server configurations is hidden, click Show Options.
5 Select a server configuration in the list, then click Edit.