Apple Open Directory

Apple Open Directory is the LDAP directory service model implementation from Apple Inc. A directory service is software which stores and organizes information about a computer network's users and network resources and which allows network administrators to manage users' access to the resources.

In the context of macOS Server, Open Directory describes a shared LDAPv3 directory domain and a corresponding authentication model composed of Apple Password Server and Kerberos 5 tied together using a modular Directory Services system. Apple Open Directory is a fork of OpenLDAP.

The term Open Directory can also be used to describe the entire directory services framework used by macOS and macOS Server. In this context, it describes the role of a macOS or macOS Server system when it is connected to an existing directory domain, in which context it is sometimes referred to as Directory Services.

Apple, Inc. also publishes an API called the OpenDirectory framework, permitting macOS applications to interrogate and edit the Open Directory data. [1]

With the release of Mac OS X Leopard (10.5), Apple moved away from the NetInfo directory service (originally found in NeXTSTEP and OPENSTEP), which had been used by default for all local accounts and groups in every release of Mac OS X from 10.0 to 10.4. Mac OS X 10.5 uses Directory Services and its plugins for all directory information. Local accounts are registered in the Local plugin, which uses property list (plist) files stored in /var/db/dslocal/nodes/Default/ as its backing storage. Each user's plist carries the account's shadow-hash data alongside its ordinary attributes, which is why that directory is readable only by root. [2]
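The following is an added example, written for this page rather than taken from Apple's Directory Services code. It builds a local-node user record in the shape described above and verifies a candidate password against its shadow hash. It assumes the SALTED-SHA512-PBKDF2 layout used by recent macOS versions (a binary plist holding `entropy`, `salt` and `iterations`, wrapped as the first element of the record's `ShadowHashData` array); the user name, salt, iteration count and `authentication_authority` string are constructed for the example, and the record is written as an XML plist even though the on-disk files may be binary (`plistlib.loads` accepts both).

```python
"""Added example (not Apple's code): construct and verify a dslocal-style user record.

Assumptions, labelled: the SALTED-SHA512-PBKDF2 layout inside ShadowHashData
(128-byte PBKDF2-HMAC-SHA512 output, 32-byte salt, iteration count) matches
what macOS stores; the sample account below is constructed for the example.
"""
import hashlib
import hmac
import plistlib

HASH_KEY = "SALTED-SHA512-PBKDF2"
ENTROPY_LEN = 128  # length of the stored PBKDF2 output (assumed from macOS records)
SALT_LEN = 32      # length of the stored salt (assumed from macOS records)


def make_shadow_hash_data(password: str, salt: bytes, iterations: int) -> bytes:
    """Return a ShadowHashData blob: a binary plist wrapping entropy/salt/iterations."""
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    entropy = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations, dklen=ENTROPY_LEN
    )
    inner = {HASH_KEY: {"entropy": entropy, "salt": salt, "iterations": iterations}}
    return plistlib.dumps(inner, fmt=plistlib.FMT_BINARY)


def make_user_record(name: str, uid: int, password: str, salt: bytes, iterations: int) -> bytes:
    """Return a user plist of the kind kept under /var/db/dslocal/nodes/Default/users/.

    Attribute values are single-element lists, as in the node's own records.
    The authentication_authority string is the assumed ShadowHash form.
    """
    record = {
        "name": [name],
        "uid": [str(uid)],
        "gid": ["20"],
        "home": [f"/Users/{name}"],
        "shell": ["/bin/zsh"],
        "authentication_authority": [f";ShadowHash;HASHLIST:<{HASH_KEY}>"],
        "ShadowHashData": [make_shadow_hash_data(password, salt, iterations)],
    }
    return plistlib.dumps(record)  # XML plist; loads() also reads the binary form


def parse_shadow_hash(record_plist: bytes) -> dict:
    """Extract the PBKDF2 parameters from a record's ShadowHashData."""
    record = plistlib.loads(record_plist)
    blobs = record.get("ShadowHashData") or []
    if not blobs:
        raise ValueError("record has no ShadowHashData")
    inner = plistlib.loads(blobs[0])  # the blob is itself a binary plist
    params = inner.get(HASH_KEY)
    if params is None:
        raise ValueError(f"no {HASH_KEY} entry in ShadowHashData")
    return params


def verify_password(record_plist: bytes, candidate: str) -> bool:
    """Re-derive the PBKDF2 output for the candidate and compare in constant time."""
    params = parse_shadow_hash(record_plist)
    derived = hashlib.pbkdf2_hmac(
        "sha512",
        candidate.encode("utf-8"),
        params["salt"],
        params["iterations"],
        dklen=len(params["entropy"]),
    )
    return hmac.compare_digest(derived, params["entropy"])


# Constructed sample account (not real data): fixed salt so the run is reproducible.
SAMPLE_SALT = bytes(range(SALT_LEN))
SAMPLE_ITERATIONS = 25_000
SAMPLE_RECORD = make_user_record("alice", 501, "correct horse", SAMPLE_SALT, SAMPLE_ITERATIONS)

if __name__ == "__main__":
    print("correct password accepted:", verify_password(SAMPLE_RECORD, "correct horse"))
    print("wrong password rejected:", not verify_password(SAMPLE_RECORD, "wrong"))
```

To inspect a real record on a Mac you would read the plist as root from /var/db/dslocal/nodes/Default/users/; the example deliberately constructs its own record instead so that it runs offline without elevated privileges.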

Implementation in macOS Server

macOS Server can host an Open Directory domain when configured as an Open Directory Master. In addition to its local directory, this OpenLDAP-based LDAPv3 domain is designed to store centralized management data and user, group, and computer accounts, which other systems can access. The directory domain is paired with the Open Directory Password Server and, optionally, a Kerberos realm. Each provides an authentication model and keeps password material outside the directory domain itself, so a client that can read the LDAP directory does not thereby obtain password hashes. [3]

For Kerberos authentication, the Kerberos realm can either be hosted by a Kerberos key distribution center (KDC) running on the server system, or the server can participate in an existing Kerberos realm.

For services that are not Kerberized, the Password Server provides a set of Simple Authentication and Security Layer (SASL)-based authentication methods; the supported methods are listed in the Open Directory administration guide. [4]

Any Mac OS X Server system prior to 10.7 (Lion) configured as an Open Directory Master can act as a Windows Primary Domain Controller (PDC), providing domain authentication services to Microsoft Windows clients. [5]

Directory services framework

In a more general sense, Open Directory can describe the plugin model used by Directory Utility and the directory services framework in macOS and macOS Server. This can be thought of as analogous to the Name Service Switch of other Unix-like operating systems. When connected to a directory system, a macOS client or server can authenticate users, look up contacts, and perform service discovery and name resolution against several types of directories, including LDAPv3 directories and Active Directory domains. [6]

History

Open Directory began with Mac OS X Server 10.2. In this initial form, Open Directory consisted of a network-visible NetInfo directory domain and a corresponding Authentication Manager service for storing passwords outside of the directory. Version 10.2 also included support for Kerberos. [7] Mac OS X versions 10.1 and 10.0 stored user password information within the directory domain using crypt password authentication authorities, but version 10.2 paved the way for the current Shadow Hash and Password Server mechanisms. [8]

Password Server is the successor to Authentication Manager, and was introduced in Open Directory 2 in Mac OS X Server 10.3. Open Directory 2 was also the first version to use LDAPv3 as the directory domain.

Mac OS X Server 10.4 includes Open Directory 3, which introduced Active Directory domain member support, trusted directory binding, and increased robustness. [9]

Mac OS X Server 10.5 features Open Directory 4 with support for cross-domain authorization and a built-in RADIUS server for managing AirPort base stations. [10] Open Directory 4 no longer includes elements of NetInfo. [11]

References

  1. "OpenDirectory Release Notes at developer.apple.com". Retrieved 2010-04-21.
  2. "Directory Services source code at www.opensource.apple.com". Retrieved 2009-09-02.
  3. "Mac OS X Server: Open Directory Administration, page 40" (PDF). Archived from the original (PDF) on 2007-03-15. Retrieved 2007-06-07.
  4. "Mac OS X Server: Open Directory Administration, page 50" (PDF). Archived from the original (PDF) on 2007-03-15. Retrieved 2007-06-07.
  5. "Server Admin 10.4 Help: Setting Up a Server as a Primary Domain Controller". Retrieved 2007-06-07.
  6. "Mac OS X Server: Open Directory Administration, chapter 7" (PDF). Archived from the original (PDF) on 2007-03-15. Retrieved 2007-06-07.
  7. "Apple - Mac OS X Server 10.2: How to Integrate Services With Kerberos". Archived from the original on 2008-02-18. Retrieved 2007-06-08.
  8. "Mac OS X Server: Open Directory Administration, page 41" (PDF). Archived from the original (PDF) on 2007-03-15. Retrieved 2007-06-08.
  9. "Apple - Mac OS X Server - Open Directory". Retrieved 2007-06-08.
  10. "Apple - Mac OS X Server - Technology - Open Directory". Retrieved 2007-12-21.
  11. "AFP548 - Leopard Server Part 2 - Local Directory Services". Archived from the original on 2009-04-15. Retrieved 2007-12-21.