Chapter 7. Identification and Authorization in Open Directory Server

LDAP (the lightweight directory access protocol) plays a key role in Open Directory Server, providing identification services and some authorization data to various client-side systems. In keeping with what has become a fairly common trend in Mac OS X Server, it is supported by the Open Source OpenLDAP package. This in itself is not new; Jaguar Server also shipped with an OpenLDAP implementation. Panther, however, brings a much more standardized and securable architecture, storing its data in a fast, programmatic database rather than in NetInfo. This and other fundamental changes give Open Directory Server room to scale to hundreds of thousands of users, groups and other objects.


Jaguar-based Open Directory Masters (which store their data in NetInfo and share it using OpenLDAP) should not have more than 10,000 objects (users, groups, and machines). Additionally note that attributes in NetInfo (such as a group’s user list) are limited to 1,024 values.

This chapter begins with a generalized analysis of LDAP as a protocol, progresses into a number of aspects of OpenLDAP configuration, and ends with a look at the kind of data that can be found in most Open Directory shared domains.

LDAP: A Communication Protocol

LDAP is one of those words that’s taken on a lot of baggage in the information technology field. Eager sales people have latched onto it as a sort of silver bullet, using it as a buzzword whenever feasible, ...

Get Essential Mac OS X Panther Server Administration now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.