Apple Open Directory
Apple Open Directory is the LDAP directory service model implementation from Apple Inc. A directory service is software which stores and organizes information about a computer network's users and network resources and which allows network administrators to manage users' access to those resources.

In the context of Mac OS X Server, Open Directory describes a shared LDAPv3 directory domain based on OpenLDAP and a corresponding authentication model composed of Apple Password Server and Kerberos 5, tied together using a modular Directory Services system.

The term Open Directory can also be used to describe the entire directory services framework used by Mac OS X and Mac OS X Server. In this context, it describes the role of a Mac OS X or Mac OS X Server system when it is connected to an existing directory domain, in which context it is sometimes referred to as Directory Services.

Apple, Inc. also publishes an API called the OpenDirectory framework, permitting Mac OS X applications to interrogate and edit the Open Directory data.

With the release of Mac OS X Leopard (10.5), Apple moved away from the NetInfo directory service (originally found in NeXTSTEP and OpenStep), which had been used by default for all local accounts and groups in every release of Mac OS X from 10.0 to 10.4. Mac OS X 10.5 uses Directory Services and its plugins for all directory information. Local accounts are registered in the Local plugin, which uses XML property list (plist) files stored under /var/db/dslocal/nodes/Default/ (one record per account, for example users/<name>.plist) as its backing store; that directory tree is readable only by root.
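As an added example (not Apple's code, and not taken from the original article), the following Python reads a user record in the layout the Local plugin uses and reports where each configured AuthenticationAuthority says the password verifier lives. The record is constructed for illustration; the principal, realm and GeneratedUID are placeholders, and the description strings in AUTHORITY_STORAGE are this example's own summary of the authority tags.

```python
"""Parse a Local plugin user record (the per-user plist Mac OS X 10.5+ keeps
under /var/db/dslocal/nodes/Default/users/) and report where the account's
password verifier is stored.

Added example; this is not Apple's code. The record below is constructed
for illustration, and the principal, realm and GeneratedUID are placeholders.
"""
import plistlib

# Constructed sample record. Every dslocal attribute is an array of strings,
# even for single-valued attributes such as uid.
SAMPLE_USER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>name</key><array><string>alice</string></array>
  <key>uid</key><array><string>501</string></array>
  <key>gid</key><array><string>20</string></array>
  <key>home</key><array><string>/Users/alice</string></array>
  <key>shell</key><array><string>/bin/bash</string></array>
  <key>generateduid</key>
  <array><string>00000000-0000-0000-0000-000000000501</string></array>
  <key>authentication_authority</key>
  <array>
    <string>;ShadowHash;</string>
    <string>;Kerberosv5;;alice@EXAMPLE.TEST;EXAMPLE.TEST;</string>
  </array>
</dict>
</plist>
"""

# Where each AuthenticationAuthority tag says the verifier lives (this
# mapping is the example's own summary; ;ShadowHash; pointed at
# /var/db/shadow/hash/<GeneratedUID> on 10.4 to 10.6).
AUTHORITY_STORAGE = {
    "ShadowHash": "local shadow hash file, outside the directory record",
    "ApplePasswordServer": "Password Server database on the Open Directory master",
    "Kerberosv5": "Kerberos KDC (principal and realm given in the authority data)",
    "basic": "crypt hash stored in the directory record itself (legacy scheme)",
    "LocalCachedUser": "cached copy of a network account (mobile account)",
    "DisabledUser": "no verifier; the account is disabled",
}


def parse_authority(value):
    """Split ';tag;data' into (tag, data). The leading ';' gives an empty first field."""
    parts = value.split(";")
    if len(parts) < 3 or parts[0] != "":
        raise ValueError("malformed AuthenticationAuthority: %r" % value)
    return parts[1], ";".join(parts[2:])


def load_user(plist_bytes):
    """Return the single-valued attributes plus parsed authorities of one user record."""
    rec = plistlib.loads(plist_bytes)

    def first(key):
        vals = rec.get(key, [])
        return vals[0] if vals else None

    return {
        "name": first("name"),
        "uid": int(first("uid")),
        "gid": int(first("gid")),
        "home": first("home"),
        "shell": first("shell"),
        "generateduid": first("generateduid"),
        "authorities": [parse_authority(a) for a in rec.get("authentication_authority", [])],
    }


def verifier_locations(user):
    """Describe where each configured authority keeps the password material."""
    return [(tag, AUTHORITY_STORAGE.get(tag, "unknown authority tag"))
            for tag, _data in user["authorities"]]


def has_in_directory_hash(user):
    """True if a crypt hash is kept in the record itself (the ;basic; authority)."""
    return any(tag == "basic" for tag, _ in user["authorities"])


if __name__ == "__main__":
    u = load_user(SAMPLE_USER_PLIST)
    print("%s uid=%d gid=%d shell=%s" % (u["name"], u["uid"], u["gid"], u["shell"]))
    for tag, where in verifier_locations(u):
        print("  %-20s -> %s" % (tag, where))
    print("crypt hash in record:", has_in_directory_hash(u))
```

Accounts whose only authority is ;basic; are the ones a directory reader can attack offline, since the crypt hash travels with the record; every other tag leaves the record without a verifier, which is the property the Password Server and Kerberos designs below rely on.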

Implementation in Mac OS X Server

Mac OS X Server can host an Open Directory domain when configured as an Open Directory Master. In addition to its local directory, this OpenLDAP-based LDAPv3 domain is designed to store centralized management data and user, group, and computer accounts, which other systems can access. The directory domain is paired with the Open Directory Password Server and, optionally, a Kerberos realm. Either provides an authentication model and stores password information outside of the directory domain itself.

For Kerberos authentication, the Kerberos realm can either be hosted by a Kerberos key distribution center (KDC) running on the server system, or the server can participate in an existing Kerberos realm.

For services that are not Kerberized, the Password Server provides the following Simple Authentication and Security Layer (SASL)-based authentication methods:
  • APOP
  • CRAM-MD5
  • Diffie–Hellman key exchange
  • Digest-MD5
  • MS-CHAPv2
  • NTLM v1 and v2
  • LAN Manager
  • WebDAV-Digest
Most of these are challenge-response mechanisms that the server can only verify from the plaintext password or a plaintext-equivalent hash, so the credential store that backs them must itself be protected; keeping it in the Password Server database rather than in the LDAP directory, as described above, is what keeps those verifiers away from ordinary directory readers.



Any Mac OS X Server system prior to 10.7 (Lion) configured as an Open Directory Master can act as a Windows Primary Domain Controller (PDC), providing domain authentication services to Microsoft Windows clients.

Directory Services Framework

In a more general sense, Open Directory can describe the plugin model used by Directory Utility and the directory services framework in Mac OS X and Mac OS X Server. This can be thought of as analogous to the Name Service Switch systems of some other Unix-like operating systems. When connected to a directory system, a Mac OS X client or Server can authenticate users, look up contacts, and perform service discovery and name resolution with the following types of directories:
  • Authentication & Contacts
    • Microsoft Active Directory
    • LDAPv3, including an Open Directory domain or RFC 2307-compliant system
    • Apple/NeXT NetInfo domains
    • BSD flat files and NIS (Network Information Service)
  • Service Discovery & Name Resolution
    • AppleTalk
    • Windows (NetBIOS and WINS)
    • Service Location Protocol (SLP)
    • Multicast DNS (Bonjour/Zeroconf)


History

Open Directory began with Mac OS X Server 10.2. In this initial form, Open Directory consisted of a network-visible NetInfo directory domain and a corresponding Authentication Manager service for storing passwords outside of the directory. Version 10.2 also included support for Kerberos. Mac OS X versions 10.1 and 10.0 stored user password information within the directory domain using crypt password authentication authorities, but version 10.2 paved the way for the current Shadow Hash and Password Server mechanisms.

Password Server is the successor to Authentication Manager, and was introduced in Open Directory 2 in Mac OS X Server 10.3. Open Directory 2 was also the first version to use LDAPv3 as the directory domain.

Mac OS X Server 10.4 includes Open Directory 3, which introduced Active Directory domain member support, trusted directory binding, and increased robustness.

Mac OS X Server 10.5 features Open Directory 4 with support for cross-domain authorization and a built-in RADIUS server for managing AirPort base stations. Open Directory 4 no longer includes elements of NetInfo.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.