Apple OS X Server: How to set up Open Directory

Due to the positive reception of my previous post on setting up OS X Server, I’m going to continue with some additional configuration tips. After having installed OS X Server and having a chance to experiment with all the possible service configurations, I felt it a natural progression to cover the setup of Open Directory.

A directory service is not a requirement to run any of OS X Server’s services by any means; however, the purpose of a setting up a directory is to have a centralized point of management for all network resources -- users, nodes, shares, and more -- all have their place in the directory database. This makes network/system admin management tasks simpler to perform since all the data is stored and organized in one container, from a handful of computers on your SOHO (Small Office, Home Office) LAN to one that spans the WAN (Wide Area Network) infrastructure of the entire enterprise.

Anyone with experience in setting up or managing Active Directory from Microsoft will feel right at home working with Apple’s Open Directory. Even those configuring OD for the first time will pick it right up, as Apple’s design sense makes this task as easy as a few keystrokes and mouse clicks.

Prerequisites to configure Open Directory

• Apple Computer or Server running OS X 10.7 (Lion) or 10.8 (Mountain Lion)
• OS X Server 10.7 (Lion) or 10.8 (Mountain Lion) installed
• Network connection*
• Static IP Address assigned to network connection**

Note*: Best practices recommend a wired, Ethernet connection is used for any server that will be providing services on a network to other nodes. Due to the higher bandwidth offered by a NICs (Network Interface Cards) Gigabit port, this allows the most amount of data to be sent/received without possibly becoming a bottleneck. While wireless connections have become ubiquitous, they also suffer severely from bandwidth reduction as more and more users access network resources from the Wi-Fi connections on their computer, smartphones and tablets.

This quickly becomes an issue that increases latency – causing the end-users to have to wait longer for the requests to be processed by the server – and that’s never good!

Note**: Assigning a static IP address to a network connection, while optional for configuring Open Directory, is highly advised. The main reason for this being that while nodes and mobile devices come and go on the network, typically, servers do not. Furthermore, the services being provided by these servers are used constantly by network devices; this means having a specific address assigned to the server/service will always allow the devices relying on said service to always find their way since the IP address does not change.

As we delve into other services in the future, such as DNS or Email, static IP assignments will not be optional, but rather a requirement. After all, what good is an email service when its users cannot send/receive messages?

Configuring Open Directory

#1 Launch Server.app and choose the OS X Server from the list, the click continue. (Figure A)

#2 Authenticate with your administrative account. (Figure B)(For the purposes of this article, I’ve enabled automatic remembering of the user account/password credential in Keychain. However, in a production environment, this is not recommended and does not follow security best practices).

#3 Once authenticated, scroll down the list of services and select the Open Directory pane. Adjust the slider to the ON position to get started. (Figure C)

#4 A wizard will appear to guide you through the initial setup of the OD. For the first OD in your organization, select the radio button for “Create a new Open Directory Domain” and click next. (Figure D)

#5 Next, you’ll be prompted to create a Directory Administrator (often referred to as Domain Administrator) account. This will serve to manage directory-related tasks. One can accept the defaults or create your own, just don’t forget the credentials since it will be the network equivalent to the local computer’s admin account. Click next to create the account. (Figure E)

#6 The following step asks for the Organization information and an Administrator email address. This information will be displayed to end-users allowing them to identify the server on the network. Click next to continue. (Figure F)

#7 Last, the setup confirmation screen will display all the information entered for review, prior to committing them to create the OD Master. The Master is designated as the first Open Directory server in the group. Additional OD servers in the same group are called Replicas, since directory services function to replicate data across other directory servers in the same group as a form of fault-tolerance in the event a server goes offline. If the settings are correct, click Setup. (Figure G)

#8 The configuration process, which includes the creation of the service account, configuring links to services, and directory database may take some time. This depends on the specifications of your server, but typically should not take more than a few minutes on modern nodes. (Figure H)

#9 After the setup process has completed, viewing the Open Directory service pane will list all the available directory servers in the group, as well as, their master or replica designation. (Figure I)

Joining Nodes to Open Directory (10.7+)

#1 Open System Preferences.

#2 Click on Users & Groups. (Figure J)

#3 Click the padlock to authenticate in order to make changes. (Figure K)

#4 Once authenticated, select Login Options, next click the Edit… button. (Figure L)

#5 The Network Account Server menu will appear. Click the “+” sign to add a logon server. (Figure M)

#6 Locate the desired server from the drop-down list and click OK. (If an SSL message prompt appears, click OK to move on. This warning indicates that there is no valid 3rd-party SSL certificate installed.)(Figure N)

#7 The selected server should now appear in the list of logon servers; click Done to complete the task. Now computers will be joined to the Open Directory Domain created in the previous steps and more importantly, allow them to access network resources and services, as they are added.

That’s it! Open Directory has been officially setup on the server and is now ready to accept network objects joined to the domain. With OD properly configured, management over computer accounts, users and groups, and network-based resources are all possible from the Server.app interface. Furthermore, an added benefit for enterprises lies in how it dovetails into other OS X services -- such as File Sharing, Mail, and Profile Manager -- forming a cohesive, single-point of contact for all server-based services, whether located on a single, local file-server or across multiple servers hosted around the world.