So You Want to Be a Mac OS X Server Admin? Understanding the Building Blocks of Open Directory and Mac OS X User Management
- Understanding Open Directory
- What About Older Macs Running Mac OS 9?
- Replication: What to Do When One Server Isn’t Enough
- Keeping Passwords and Your Infrastructure Safe and Secure
- The Basics of Setting Up an Open Directory Server
- Getting Practical About Open Directory and User Accounts
- Users in Workgroup Manager: The Mac OS X Server Tool for Account Management
Getting Practical About Open Directory and User Accounts
Users and groups are both objects within the Open Directory schema. User and group accounts are created in a shared directory using Workgroup Manager, and they both require three pieces of information to function: full name, shortname(s), and user or group ID numbers. In the case of a user account, the full name and shortname are used by the shared directory to identify the user for authentication, while the user ID is used by the file system, which imprints only the user ID number (also called the UID) into a file or folder to identify the owner of that file or folder. Likewise, the group ID number (also called the GID) is attached to a file or folder to identify the group setting. If you are using Mac OS X Server 10.4’s Access Control Lists for increased permission options on shared items, each user or group account will also require a global user ID (GUID) number. The global user ID is used to assign multiple users or multiple groups to an item using Access Control Lists, as opposed to assigning a single user as the owner of the file and a single group as having access to the file (as was the only option in previous Mac OS X Server versions).
Although the file system relies on the UID, GUID, and GID attributes to do its job, human beings work better by actually looking at a list of people’s names. The full name attribute can be almost anything you want, although it is usually set to a user’s full name, making locating users within Workgroup Manager’s user list easier. Workgroup Manager displays users based on full name and UID in its user list, and you can also search and sort users based on full name. My advice is to assign the full name in a last-name-first format because this makes locating users in the users list easier in most cases (particularly when dealing with great numbers of users) than by first-name-first. You can change the full name in a user account at any time.
With Mac OS X 10.2 and later, shortnames can contain any ASCII characters and can be up to 255 characters long. However, many operating systems, including earlier Mac OS X versions, don’t support usernames that long or with that diverse a character set. Almost all operating systems support usernames of up to eight alphanumeric characters (the limitation in earlier versions of Mac OS X). If you are supporting classic Mac OS workstations with Mac Manager, you should use shortnames no longer than 31 characters.
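Because the file system records only the UID, two accounts that share a UID are the same owner on disk, and the shortname limits above sort names into compatibility tiers. The following Python audit of an account list is an added example, not code from the original article; the account records, the tier labels and the function names are constructed for illustration, and the Mac Manager tier checks length only.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the article): full name, shortname, UID.
ACCOUNTS = [
    {"full_name": "Doe, Jane", "shortname": "jdoe", "uid": 1025},
    {"full_name": "Smith, Robert", "shortname": "robert.smith-contractor", "uid": 1026},
    {"full_name": "Doe, John", "shortname": "johndoe", "uid": 1025},  # UID reused
    {"full_name": "Lee, Ann", "shortname": "a" * 40, "uid": 1027},
    {"full_name": "Martin, Andre", "shortname": "andr\u00e9", "uid": 1028},  # non-ASCII
]


def shortname_tier(name):
    """Classify a shortname against the limits described in the text."""
    if not name or len(name) > 255 or not name.isascii():
        return "invalid"          # outside the Mac OS X 10.2+ rules
    if len(name) <= 8 and re.fullmatch(r"[A-Za-z0-9]+", name):
        return "portable"         # eight alphanumeric characters or fewer
    if len(name) <= 31:
        return "mac-manager-ok"   # within the 31-character Mac Manager limit
    return "10.2-only"            # valid only on Mac OS X 10.2 and later


def duplicate_uids(accounts):
    """Return {uid: [shortnames]} for every UID held by more than one account.

    Files carry only the numeric UID, so every account listed under one UID
    is treated as the owner of the same files and folders.
    """
    by_uid = defaultdict(list)
    for acct in accounts:
        by_uid[acct["uid"]].append(acct["shortname"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def audit(accounts):
    """Combine both checks into one report structure."""
    return {
        "tiers": {a["shortname"]: shortname_tier(a["shortname"]) for a in accounts},
        "duplicate_uids": duplicate_uids(accounts),
    }


if __name__ == "__main__":
    report = audit(ACCOUNTS)
    for name, tier in report["tiers"].items():
        print(f"{name[:31]:<31} {tier}")
    for uid, names in report["duplicate_uids"].items():
        print(f"UID {uid} is shared by: {', '.join(names)}")
```
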