Set Up OS X Lion Server - Open Directory and Network Users

Open Directory and Network Users
Network users, as indicated by the globe next to the user's name. Courtesy of Coyote Moon, Inc.

OS X Lion Server includes support for Open Directory, a service that must be in place and running for many other Lion services to work correctly. That's why one of the first things I suggest you do with Lion Server is create an Open Directory administrator, enable the service, and, if you wish, add network users and groups.

If you're wondering what Open Directory is and what it's used for, read on; otherwise, you can skip ahead to the section on configuring Open Directory on Lion Server.

Open Directory

Open Directory is one of many methods of providing directory services. You may have heard of some of the others, such as Microsoft's Active Directory and LDAP (Lightweight Directory Access Protocol). A directory service stores and organizes sets of data that can then be used by devices.

That's a very simple definition, so let's look at a common use that would involve your Lion Server and a group of networked Macs. This could be a home or small business network; for this example, we'll use a home network. Imagine you have Macs in the kitchen, the study, and your entertainment room, as well as a portable Mac that moves around as needed. There are three individuals who regularly use the Macs. Since home computers, at least, are usually thought of as belonging to a particular individual, we'll say the Mac in the study is Tom's, the portable is Mary's, the Mac in the kitchen is Molly's, and the entertainment Mac, which everyone uses, has a common user account called Entertainment.

If Tom needs to use the portable, Mary may let him use her account or a guest account to log in. Even better, the portable may have user accounts for both Tom and Mary, so Tom can log in with his own account. The problem is that when Tom logs into Mary's Mac, even with his own account, his data isn't there. His mail, web bookmarks and other data are stored on his Mac in the study. Tom can copy the files he needs from his Mac to Mary's Mac, but the files will soon be out of date. He can use a syncing service, but even then, he may have to wait for updates.

Network Users

A better solution would be if Tom could log in to any Mac in the home and access his personal data. Mary and Molly like this idea, and they want in on it, too.

They can accomplish this goal by using Open Directory to set up network-based user accounts. Account information for network users, including usernames, passwords, and the location of the user's home directory, is stored on the Lion Server. Now when Tom, Mary, or Molly log in to any Mac in the home, their account information is supplied by the Mac running the Open Directory service. Because the home directory and all personal data can now be stored anywhere, Tom, Mary, and Molly always have access to their email, browser bookmarks, and the documents they've been working on, from any Mac in the house. Pretty nifty.

Configure Open Directory on Lion Server
Create an Open Directory Administrator account. Courtesy of Coyote Moon, Inc.

Before you can create and manage network accounts, you must enable the Open Directory service. To do this, you must create an Open Directory administrator account, configure a bunch of directory parameters, configure search strings…well, it can get a bit complex. In fact, while using Open Directory is pretty easy, setting it up was always a trouble spot for new OS X Server admins, at least in previous versions of OS X Server.

Lion Server, however, was designed for ease of use for both end users and administrators. You can still set up all of the services using text files and the older server admin tools, but Lion gives you the option of using a simpler approach, and that is how we are going to proceed.

Create Open Directory Administrator

  1. Start by launching the Server app, located in the Applications folder.
  2. You may be asked to choose the Mac that is running the Lion Server you wish to use. We're going to assume that Lion Server is running on the Mac you are currently using. Select the Mac from the list, and click Continue.
  3. Supply the Lion Server administrator name and password (these are not the Open Directory admin and password you will create in a bit). Click the Connect button.
  4. The Server app will open. Select "Manage Network Accounts" from the Manage menu.
  5. A drop-down sheet will advise you that you are about to configure your server as a network directory. Click the Next button.
  6. You will be asked to provide account information for the new directory administrator. We'll use the default account name, which is diradmin. Enter a password for the account, and then enter it again to verify it. Click the Next button.
  7. You will be asked to enter organization information. This is the name that will be displayed to network account users. The purpose of the name is to allow users to identify the correct Open Directory service on a network that is running multiple directory services. We don't need to worry about that on our home or small business network, but we should still create a useful name. By the way, I like to create a name that has no spaces or special characters. That's just my own personal preference, but it can also make any advanced administration tasks easier down the road.
  8. Enter the organization's name.
  9. Enter an email address associated with the directory administrator, so the server can send status emails to that administrator. Click Next.
  10. The directory setup process will confirm the information you provided. If it's correct, click the Set Up button; otherwise, click the Back button to make any corrections.

The Open Directory setup assistant will do the rest of the work, configuring all of the necessary directory information, creating search paths, etc. That's a lot easier than it used to be, and it no longer carries the old risk of Open Directory not working correctly and requiring a few hours of troubleshooting.

Using Network Accounts - Bind OS X Clients to Your Lion Server
Click the Join button next to Network Account Server. Courtesy of Coyote Moon, Inc.

In previous steps, we explained how you can use Open Directory on a home or small business server, and we showed you how to enable the service. Now it's time to bind your client Macs to your Lion Server.

Binding is the process of setting up Macs running the client version of OS X to look to your server for directory services. Once a Mac is bound to the server, you can log in using a network username and password and access all of your home folder data, even if your home folder isn't located on that Mac.

Connecting to a Network Account Server

You can bind various versions of OS X clients to your Lion Server. We're going to use a Lion client in this example, but the method is about the same regardless of the version of OS X you're using. You may find that a few names are slightly different, but the process should be close enough to get it working.

On the client Mac:

  1. Launch System Preferences by clicking its Dock icon, or selecting System Preferences from the Apple menu.
  2. In the System section, click the Users & Groups icon (or the Accounts icon in earlier versions of OS X).
  3. Click the lock icon, located in the bottom left corner. When requested, provide an administrator name and password, and then click the Unlock button.
  4. In the left-hand pane of the Users & Groups window, click the Login Options item.
  5. Use the drop-down menu to set Automatic Login to "Off."
  6. Click the Join button next to Network Account Server.
  7. A sheet will drop down, telling you to enter the address of an Open Directory server. You will also see a disclosure triangle to the left of the Address field. Click the disclosure triangle, select the name of your Lion Server from the list, and then click OK.
  8. A sheet will drop down, asking if you wish to trust the SSL (Secure Sockets Layer) certificates issued by the selected server. Click the Trust button.
  9. If you have not yet set up your Lion Server to use SSL, you will probably see a warning telling you that the server is not providing a secure connection, and asking if you wish to continue. Don't worry about this warning; you can set up SSL certificates on your server at a later date if you have a need for them. Click the Continue button.
  10. Your Mac will access the server, gather any necessary data, and then the drop-down sheet will disappear. If all went well, and it should have, then you will see a green dot and the name of your Lion Server listed just after the Network Account Server item.
  11. You can close your Mac's System Preferences.

Repeat the steps in this section for any additional Macs you wish to bind to your Lion Server. Remember, binding a Mac to the server doesn't prevent you from using local accounts on that Mac; it just means you can also log in with network accounts.
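A post-bind check for a client Mac, as an added example that is not part of the original article: it uses the standard macOS dscl tool to confirm that the server you joined in step 7 appears as an LDAPv3 node, that a network user record is readable from that node, and that the same user also resolves through the search path, which is what the login window actually consults. The server name and user names are assumed placeholders.

```shell
#!/bin/sh
# Post-bind verification for a client Mac (added example; not from the
# original article). Uses the real macOS dscl tool. The server and user
# names passed in are constructed placeholders; substitute your own.
#
# Three separate checks, because each can fail on its own:
#   1. the server is listed as an LDAPv3 node (the Join step completed)
#   2. a network user record is readable directly from that node
#   3. the same user resolves through /Search, i.e. the node is actually in
#      the authentication search path, which is what login uses
check_bind() {
  server="$1"
  user="$2"
  dscl localhost -list /LDAPv3 | grep -qx "$server" || return 1
  dscl "/LDAPv3/$server" -read "/Users/$user" UniqueID >/dev/null 2>&1 || return 2
  dscl /Search -read "/Users/$user" UniqueID >/dev/null 2>&1 || return 3
  return 0
}

# Human-readable wrapper: reports which of the three checks failed.
report_bind() {
  check_bind "$1" "$2"
  rc=$?
  case "$rc" in
    0) echo "OK: $1 is bound and $2 resolves via the search path" ;;
    1) echo "FAIL: $1 is not listed as an LDAPv3 node (Join did not complete)" ;;
    2) echo "FAIL: $2 not found on $1 (network user not created yet?)" ;;
    3) echo "FAIL: $2 exists on $1 but not via /Search (node not in search path)" ;;
  esac
  return "$rc"
}

# Usage: sh check_bind.sh lionserver.example.com tom
if [ "$#" -ge 2 ]; then
  report_bind "$1" "$2"
fi
```

This does not check whether the connection accepted in step 8 is using SSL; that is left for when you configure certificates on the server, as the article notes.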

That's it for this guide to setting up Open Directory on your Lion Server. But before you can actually use the network accounts, you will need to set up users and groups on your server. We will cover that in the next guide to setting up your Lion Server.