Make Mac Work:

Helping Manage The Macintosh Enterprise

CreativeTechs

Master Open Directory — Part 1

Open Directory can control your company’s user accounts, their password policies and preferences. It allows access to home directories from anywhere on the network, and mirrors that data safely to your server. It forms the basis for features like shared calendaring and contacts, single sign-on to computing resources, and enterprise-level security for all your network services. In the past, Open Directory may have been Apple’s best-kept secret, but it’s now the essential element of business-class Macintosh deployment.

System administrators rely on services like Open Directory to keep down per-person support costs and prevent the need for repetitive tasks and individual maintenance. For users, however, Open Directory finally delivers on the promise of a Macintosh corporate network that “just works”. In this two-part series, we’ll make that happen.

DNS and Open Directory:

Like anything designed to look effortless, Open Directory implementation depends on a series of precise and carefully performed steps. In the event of an error, most of those steps can be retraced, but having flawless Domain Name Service is essential to a successful Open Directory deployment. Improperly configured DNS isn’t just the reason Open Directory can fail at the very start; it’s most often the reason it fails during or even after the job is completed.

The most important determination to make is how DNS is controlled in your individual environment. If this is someone else’s responsibility and has been pre-configured, you’ll need to coordinate with them to be sure their name servers provide both forward and reverse listings for your planned Open Directory server. You can test this by opening the Terminal and typing:

nslookup HOSTNAME

Here HOSTNAME is replaced by the fully-qualified domain name of your server, such as server.makemacwork.com. This should return the IP address of the machine in question, without any error messages. Now repeat the test, replacing IP below with the IP address you just received:

nslookup IP

If reverse lookups are operating properly, the command will return the hostname you began with. If not, you’ll have to find a way to get it reconfigured, or take on the responsibility of configuring it yourself.

Deploy The Open Directory Service:

Now that you’ve confirmed your DNS is set up properly, open the service “Settings” in Server Admin, check the box for Open Directory, and save. This will bring you to the first configuration pane, reading “Role: Standalone Server”. Click the “Change…” button and you’ll be prompted to choose an Open Directory configuration. For a basic setup, select “Open Directory Master” and hit “Continue”.

Open Directory: Master Domain Administrator

The Open Directory assistant will ask you to create a new user specifically to administer the network directory domain. By default, the username is diradmin and the UID is 1000, but you can change these to whatever best fits your existing management scheme. Once the directory service is in place, the right to administer it can be assigned to an existing user or divided amongst your management team.

Open Directory: Master Domain Info

The next window assigns both the Kerberos Realm (which controls the Open Directory security components) and the Search Base for your master domain. These should both fill in automatically. The realm is identical to your fully qualified host name, and should appear in capital letters. The search base is derived from the same name: each portion between the periods becomes a domain component, written with a “dc=” prefix. Double-check that the information is correct and hit “Continue”. The assistant should confirm that your server has been promoted to an Open Directory Master.
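As an added example (not part of the original article or of Apple’s tooling), the following shell script rolls the forward/reverse DNS test from the DNS section and the realm and search-base rules above into a single pre-flight check you can run before promoting the server. It assumes dig is available, as it is on macOS; the function names and the sample host are my own.

```shell
# Added example: pre-flight check for an Open Directory master.
# Uses dig (shipped with macOS). Run as: od_preflight server.makemacwork.com

# Forward lookup: print the first IPv4 address for the name. CNAME targets that
# dig prints first are skipped; an OD master should have a real A record.
forward_lookup() {
    dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# Reverse lookup: PTR names for the address, trailing dots stripped.
reverse_lookup() {
    dig +short -x "$1" 2>/dev/null | sed 's/\.$//'
}

# Kerberos realm: the fully qualified host name in capitals.
od_realm() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Search base: every label of the name becomes a dc= component.
od_search_base() {
    printf '%s' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# Return 0 when forward and reverse records agree, 1 with a reason on stderr.
od_dns_ok() {
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    case "$fqdn" in
        *.*) ;;
        *) echo "'$1' is not a fully qualified name" >&2; return 1 ;;
    esac
    ip=$(forward_lookup "$fqdn")
    if [ -z "$ip" ]; then
        echo "no A record for $fqdn" >&2
        return 1
    fi
    # Any PTR that matches the name exactly (case-insensitively) is accepted.
    if ! reverse_lookup "$ip" | grep -Fqix "$fqdn"; then
        echo "PTR for $ip does not name $fqdn" >&2
        return 1
    fi
    echo "DNS OK: $fqdn -> $ip -> $fqdn"
}

# Run the DNS check, then show the values the assistant should fill in.
od_preflight() {
    od_dns_ok "$1" || return 1
    echo "Kerberos realm: $(od_realm "$1")"
    echo "Search base:    $(od_search_base "$1")"
}
```

If the check fails, fix the DNS records (or have whoever owns DNS fix them) before promoting the server; the realm and search base printed at the end are what you should expect to see pre-filled in the assistant.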

With this foundation in place, you can begin building on Open Directory to take control of your Macintosh network.

Next week in part two, we’ll secure Open Directory to restrict access, migrate user accounts to the directory service, and configure your machines to utilize them.