Master Open Directory — Part 2

If you've got a Macintosh server in your environment, chances are it was originally purchased as a file server. With a few local accounts and enough disk space, a centralized environment to share common documents can completely change the way a small department functions. As the needs of your workgroup and your network grow, however, you're likely looking towards collaboration, scheduling, and security features. That's when Open Directory becomes an important part of network management.

In part one of this article, we explored the basics of getting Open Directory up and running. This week, we'll set security policy to restrict access to your network services, then create or migrate user accounts to the LDAP directory for distribution and set up your workstations to use them.

Secure Open Directory Access:

By default, Open Directory will allow access to any machine on the network. This may work fine in an isolated academic environment, but most businesses have greater security requirements imposed upon them. Those requirements are fulfilled by Kerberos, an encrypted ticket-based authentication system developed at an isolated academic environment called MIT.

Server Admin: Open Directory Binding

Open the Server Admin tool and select the "Open Directory" option from your server listing on the left. Click the "Settings" button in the Toolbar, followed by the "Policy" button on the strip below it, and the "Binding" button on the strip below that. Check the top two boxes to require authenticated binding for directory services, then the next four to enforce the strict Kerberos protocols for authentication.

Server Admin: Password Policy

Now click the "Passwords" button to define your organization's minimum password requirements. An ideal policy varies widely depending on each individual environment, but keep in mind that overly strict policies often lead to weaker passwords overall (or complex passwords taped to monitors and under keyboards). Whatever you choose, be sure to check the "be reset on first user login" option. This allows you to assign the same default password to all new and imported accounts, rather than assigning each account a new password individually, and then forces users to create a new one immediately.

Migrate Users To Open Directory:

Now that you can ensure account information will be communicated securely, the next step is to launch Workgroup Manager and log in under the directory administration account created in part one (diradmin by default) with the fully qualified domain name of your server (such as www.example.com).

Workgroup Manager: Local Accounts

This will open into the server's /Local/Default directory, where non-network account information is stored. If you already have local user accounts, you'll see them listed down the left column. Select those you're transferring to the Open Directory service, then select "Export..." from the "Server" menu. The dialog will prompt you for a name and location to save your exported account listing. This export file will contain all the users' existing account information except passwords, hence the importance of requiring new ones at login.

To move the accounts to Open Directory, click the tiny globe on the far left of the Workgroup Manager window, in the thin stripe just below the toolbar. Choose /LDAPv3/127.0.0.1, indicating that you're now editing the LDAP (Lightweight Directory Access Protocol) settings. You should see your directory administrator account to the left, but no other users listed. Select "Import..." from the "Server" menu, and you'll be presented with the dialog to re-import your accounts. If you're moving accounts to an empty directory, you can safely leave these options at their defaults and click the "Import" button. Your exported local accounts should now be listed down the left-hand side as Open Directory accounts. Only once you're sure the new network accounts work properly should you delete their local counterparts.

If you're setting up a brand new server, there are no accounts to move around. Instead, just select the /LDAPv3/127.0.0.1 directory, and create your new users and groups.

Bind Clients To Open Directory:

Now that you've made accounts visible to the network, you'll want to configure your other machines to utilize them. On your client machines, open Directory Utility, and click the plus sign at the bottom of the window. Leave "Open Directory" selected in the pulldown menu, then enter the fully qualified domain name of your Open Directory server and hit "OK".

Directory Utility

The window will then expand to accept credentials for the authenticated binding you've required. Enter the username and password of your directory administration account, as well as a unique machine identifier (most often the hostname or serial number), then hit OK again. If the binding process is successful, you'll be greeted with a reassuring green light and a message that the Open Directory server "is responding normally".

If you're unsure if a computer bound properly, or has become unbound, the simplest test is to open the Terminal and type:

id diradmin

If you named your directory administrator account differently, just substitute that for diradmin, but be sure to use an account that exists only in the directory service and not on the local machine. The response should contain the UID, GID, and groups that user is a member of. Should the response instead be "no such user", and the user exists on the server, then the machine has become unbound.
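The test above can be scripted so it also catches the mistake the paragraph warns about: a test account that exists locally proves nothing about binding. This is an added example, not part of the original article; it assumes the standard macOS tools `id` and `dscl` and defaults to the diradmin account name used in part one.

```sh
#!/bin/sh
# od_account_state ACCOUNT
#   Prints one of:
#     local   - the account exists in /Local/Default, so `id` says nothing about binding
#     bound   - `id` resolves the account and it is not local, so a directory node answered
#     unbound - `id` cannot resolve the account ("no such user")
od_account_state() {
  acct="$1"
  # dscl ships with every Mac; where it is missing, assume the account is not local
  if command -v dscl >/dev/null 2>&1 &&
     dscl /Local/Default -read "/Users/$acct" >/dev/null 2>&1; then
    echo local
    return 2
  fi
  if id "$acct" >/dev/null 2>&1; then
    echo bound
    return 0
  fi
  echo unbound
  return 1
}

# od_search_path: list the directory nodes this Mac consults for authentication.
# After a successful bind, the LDAPv3 node for your server appears after /Local/Default.
od_search_path() {
  dscl /Search -read / CSPSearchPath 2>/dev/null || echo "(dscl not available on this host)"
}

# Check the directory administrator account, or the account given as first argument.
acct="${1:-diradmin}"
case "$(od_account_state "$acct" || true)" in
  bound)   echo "$acct resolves through the directory; binding looks healthy" ;;
  unbound) echo "$acct not found: machine appears unbound. Search path:"; od_search_path ;;
  local)   echo "$acct is a local account; re-run with an account that exists only in Open Directory" ;;
esac
```

Run it as `sh od-check.sh` (or `sh od-check.sh yourdiradmin`) on a client after binding; the search-path listing is the quickest way to confirm the server's LDAPv3 node was actually added.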

Now that you can log in to all your machines with Open Directory network accounts, you can leverage those accounts for OS X security, collaboration, and management features.