Chapter 7. Open Directory

Open Directory, the directory services layer of Mac OS X (see Figure 7-1 for a detailed view), offers the essential service of providing information to the system about users, machines, printers, and more. It's also something that most people know very little about. To many, Open Directory is mysterious because its name suggests a tie to the idea of a filesystem directory. In reality, Open Directory has little to do with the filesystem beyond the fact that its data is arranged in a hierarchical tree.

For the most part, however, Open Directory is an enigma, because the role it plays is central enough to the system that it’s hard to distinguish what it’s doing. At Apple’s 2003 Worldwide Developer’s Conference (WWDC), an Apple employee retold a story about how management always wanted to see a demo of directory services. His response was simply, “Did you make it past the login window? [If so,] well, that’s the demo.”

Every time you log in, whether through a local or a network account, and every time you browse for Macintosh- or Windows-based file servers, you are using Open Directory. When you log into your Mac using the login window, the login window consults Open Directory to see whether you have a valid username and password for the system. If Open Directory indicates that the username and password are okay, login proceeds. If not, you’re challenged until you either get it right or your entry is refused. When you want to connect to a server, the Finder consults Open Directory for a list of server-based filesystems. In large networks, Open Directory can be used to configure printers, mail settings, and much more.

This chapter gives you an overview of what directory services are, where they came from, and what problems they solve. It also shows you how directory services are used in Mac OS X by Open Directory and how to connect to servers that provide directory information like Mac OS X Server, Active Directory, and NetInfo.

Open Directory in Action

To help explain how Open Directory is used in Mac OS X, let’s look at a few examples. When you enter your username and password into the login window, the following steps happen:

  1. The login window calls Open Directory with a request to authenticate the user.

  2. Open Directory takes the username and password and, if the user exists, looks up the authentication method.

  3. Using the proper process governed by the authentication method, Open Directory attempts to validate the password.

  4. Open Directory indicates whether the user was authenticated to the login window.

  5. If the user was authenticated, the login window proceeds to create a GUI session for the user.

  6. As the GUI session is created, Open Directory is queried to give the location of the user’s Home folder.

This basic process of querying Open Directory for user information is followed by every part of the system that either calls Open Directory directly or reaches it behind the scenes through PAM (pluggable authentication modules), the authentication hook built into many Unix-based applications. For example, when you log into your computer remotely via SSH, the following steps occur:

  1. sshd (the SSH server daemon) gets the username and password for the user requesting to log in.

  2. sshd then makes a PAM call to authenticate the user; the PAM module hands the request to Open Directory.

  3. Open Directory takes the username and password and, if the user exists, looks up the authentication method.

  4. Using the proper process governed by the authentication method, Open Directory attempts to validate the password.

  5. Open Directory indicates whether the user was authenticated to sshd.
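
The two procedures above differ only in who asks (the login window, or sshd through PAM); both come down to one lookup of the user's record and one authentication request to Open Directory. The script below is an added example, not code from the book: it shows the attributes that drive steps 2 and 6 (AuthenticationAuthority and NFSHomeDirectory) and issues the same authentication request with dscl's -authonly option, which tests a password without creating a session. It assumes dscl(1) as shipped with Mac OS X and the local node ("."); the record text is a constructed sample in the "Key: value" format that dscl -read prints, so the parsing functions run on any POSIX shell and the dscl calls happen only on a Mac.

```shell
#!/bin/sh
# Added example (not from the book): inspect the Open Directory attributes that
# drive the login-window and sshd flows, then make the same authentication
# request they make, without opening a session.
#
# Assumptions: dscl(1) as shipped with Mac OS X; "." is the local directory node.
# SAMPLE_RECORD is a constructed sample of what
#   dscl . -read /Users/alice AuthenticationAuthority NFSHomeDirectory
# prints for a local user with a shadow hash (the tag values are illustrative).
SAMPLE_RECORD='AuthenticationAuthority: ;ShadowHash; ;LocalCachedUser;
NFSHomeDirectory: /Users/alice'

# od_attr RECORD KEY -> the value(s) of KEY from dscl-style record text.
# dscl prints "Key: v1 v2" on one line; a value that itself contains spaces is
# printed on following lines instead, which this helper does not handle.
od_attr() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p"
}

# od_auth_methods RECORD -> the name inside each ";Name;..." tag of
# AuthenticationAuthority, one per line. Step 2 of the login flow is this lookup.
od_auth_methods() {
    od_attr "$1" AuthenticationAuthority | tr ' ' '\n' | sed -n 's/^;\([^;]*\);.*/\1/p'
}

# od_primary_method RECORD -> the first tag only. "none" means the record has no
# AuthenticationAuthority attribute; treat that as a record to inspect by hand,
# never as "no password required".
od_primary_method() {
    m=$(od_auth_methods "$1" | head -n 1)
    printf '%s\n' "${m:-none}"
}

# od_home RECORD -> NFSHomeDirectory (step 6 of the login flow).
od_home() {
    od_attr "$1" NFSHomeDirectory
}

# od_login_check USER PASSWORD -> runs the real lookup and the real
# authentication request on a Mac. Returns 2 if the user record is not found,
# otherwise dscl's exit status from -authonly (0 means authenticated).
od_login_check() {
    rec=$(dscl . -read "/Users/$1" AuthenticationAuthority NFSHomeDirectory) || return 2
    echo "method: $(od_primary_method "$rec")  home: $(od_home "$rec")"
    # Steps 3-4: Open Directory validates the password using the method the
    # AuthenticationAuthority tag names; no GUI or shell session is created.
    dscl . -authonly "$1" "$2"
}

# Stand-alone run: parse the constructed sample; call dscl only where it exists.
od_primary_method "$SAMPLE_RECORD"     # ShadowHash
od_home "$SAMPLE_RECORD"               # /Users/alice
if command -v dscl >/dev/null 2>&1 && [ $# -eq 2 ]; then
    od_login_check "$1" "$2"
fi
```

Run it on a Mac as `sh odcheck.sh alice 'secret'` (script name assumed). Two practical cautions: a password given on the command line is visible in `ps` output and shell history, so prompt for it or read it from a file with restricted permissions when you do this on a real machine; and an AuthenticationAuthority value such as an Apple Password Server tag contains spaces and is printed by dscl across several lines, so for such records read the first tag from the line that follows the key rather than from the key line.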

In addition, browsing the network for filesystems with the Finder's Go → Connect to Server (Command-K) command causes a lookup into Open Directory, which then presents the information it finds using LDAP, NetInfo, Bonjour, SMB, SLP, and AppleTalk. Open Directory is also used by Terminal's File → Connect to Server (Shift-Command-K) command, which lets you open a connection to Bonjour-enabled computers that advertise SSH and Telnet services.
