So You Want to Be a Mac OS X Server Admin? Understanding the Building Blocks of Open Directory and Mac OS X User Management
- Understanding Open Directory
- What About Older Macs Running Mac OS 9?
- Replication: What to Do When One Server Isn’t Enough
- Keeping Passwords and Your Infrastructure Safe and Secure
- The Basics of Setting Up an Open Directory Server
- Getting Practical About Open Directory and User Accounts
- Users in Workgroup Manager: The Mac OS X Server Tool for Account Management
Replication: What to Do When One Server Isn’t Enough
Beginning with Mac OS X Server 10.3, Apple introduced the capability to replicate a directory domain across multiple servers. This capability provides three critical advantages. First, it provides fault tolerance. Should a single directory server fail, there are others with exact copies of the same domain that will keep a network functioning until the original server can be repaired or replaced. Second, for networks spanning multiple locations or that include slow links between switches or routers, it prevents a bottleneck in which workstations need to send directory service requests (authentication requests, requests for home directory location, information about group or workgroup membership, and so on) across these slow network links. The same directory information is replicated at each branch of the physical network, allowing for high-speed access to the same directory wherever you are (previously, the best solution was to create separate directories for each location). Third, it provides capacity planning and scalability as networks grow to contain more users, workstations, servers, and other resources.
When using Open Directory replication, one server is defined as an Open Directory master, and any other servers are defined as replicas. Even if there are no replicas, there is still an Open Directory master that maintains the shared LDAP domain. The master server hosts the shared LDAP domain and related databases and files. Each replica hosts a copy of the master that is updated either whenever a change occurs or at defined intervals (you can also replicate data manually at any time). Only the master will allow an administrator to make changes. User-initiated changes, however, such as a password change, can occur on a replica. If this happens, the user-initiated changes are replicated to the master when the next replication occurs. If the same change is made to multiple replicas, the most recent information is stored. (Here again is a reason to use a network time server: to ensure all replicas and the master have the same time.)
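The master/replica rules described above (administrator changes only at the master, user-initiated changes accepted at any replica, and "most recent wins" when the same record is changed on several servers) can be modelled in a few lines. The following is an added illustration written for this article, not Apple's code and not how Open Directory is implemented internally; the server names, the `alice.password` key and the clock-skew values are constructed. It shows the one failure mode the paragraph warns about: when a replica's clock is wrong, "most recent" is judged by the wrong timestamp and a stale password change can win after replication.

```python
"""Toy model of master/replica directory replication with last-writer-wins.

Constructed example for illustration only (not Apple's implementation).
Rules modelled:
  * admin changes are accepted only at the master
  * user-initiated changes (e.g. a password change) are accepted at any replica
  * on replication, the record with the most recent timestamp is kept
Because timestamps come from each server's own clock, clock skew changes the outcome.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Record:
    modified_at: float  # timestamp taken from the writing server's clock
    value: str


class DirectoryServer:
    def __init__(self, name: str, is_master: bool, clock_skew: float = 0.0):
        self.name = name
        self.is_master = is_master
        self.clock_skew = clock_skew  # seconds this server's clock is ahead of true time
        self.records: Dict[str, Record] = {}

    def _now(self, true_time: float) -> float:
        # what this server believes the time is
        return true_time + self.clock_skew

    def admin_change(self, key: str, value: str, true_time: float) -> None:
        # administrator edits are only permitted on the master
        if not self.is_master:
            raise PermissionError(f"{self.name}: administrator changes only allowed at the master")
        self.records[key] = Record(self._now(true_time), value)

    def user_change(self, key: str, value: str, true_time: float) -> None:
        # a user changing their own password may do so against any replica
        self.records[key] = Record(self._now(true_time), value)

    def merge_from(self, other: "DirectoryServer") -> None:
        # last-writer-wins: keep whichever copy carries the most recent timestamp
        for key, rec in other.records.items():
            mine = self.records.get(key)
            if mine is None or rec.modified_at > mine.modified_at:
                self.records[key] = rec


def replicate(master: DirectoryServer, replicas: List[DirectoryServer]) -> None:
    # replicas push user-initiated changes to the master, then the master
    # pushes the merged state back out to every replica
    for r in replicas:
        master.merge_from(r)
    for r in replicas:
        r.merge_from(master)


def scenario(replica_a_skew: float) -> str:
    """Alice changes her password on replica A at t=100 and again on replica B
    at t=200 (true time). Returns the value every server holds after replication."""
    master = DirectoryServer("master", is_master=True)
    a = DirectoryServer("replica-a", is_master=False, clock_skew=replica_a_skew)
    b = DirectoryServer("replica-b", is_master=False)

    master.admin_change("alice.password", "initial", true_time=0)
    replicate(master, [a, b])

    a.user_change("alice.password", "first-change", true_time=100)
    b.user_change("alice.password", "second-change", true_time=200)
    replicate(master, [a, b])

    values = {s.records["alice.password"].value for s in (master, a, b)}
    assert len(values) == 1, "all servers must converge on one value"
    return values.pop()


if __name__ == "__main__":
    print("clocks in sync     ->", scenario(0.0))       # second-change (correct)
    print("replica A 1h ahead ->", scenario(3600.0))    # first-change (stale change wins)
```

With synchronised clocks the later change wins, as the text describes. With replica A's clock an hour fast, its timestamp of 3700 outranks replica B's genuine later change at 200, and the older password is replicated everywhere; this is the concrete reason the paragraph recommends pointing the master and every replica at the same network time server.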