Open Directory—What it Means to You
12 November 2002
Open Directory is Apple’s name for a suite of integrated directory services in Mac OS X 10.2. Fair enough, but what’s a directory service?
A directory service allows you to provide names, passwords, telephone numbers, and a whole host of other information to other machines, running a variety of operating systems. This information can control who logs onto a machine, what permissions they have when they log in, what DNS servers they use, and what addresses appear in their address books, among other things.
Apple’s Open Directory uses NetInfo as the data store for all of this information. This is nothing new to Mac OS X users, or for that matter NeXT users. What is new in 10.2 is that NetInfo can now hold a lot more information. In addition to users and groups, we now have the ability to manage preferences for the users. Another new feature in 10.2, which really makes Open Directory “open,” is the inclusion of an LDAP front end to NetInfo. LDAP (Lightweight Directory Access Protocol) has been around for a while. It is an open standard for accessing directory information. Microsoft’s Active Directory and Novell’s eDirectory are both based on LDAP.
Apple actually uses a version of OpenLDAP to present your NetInfo database as an LDAP database. This allows all of the information that you have available in NetInfo to be made available to almost any operating system that understands LDAP—which is most of the operating systems out there. This is all very good for allowing Apple to play nice with other systems.
It is important to keep in mind that you don’t have a separate LDAP database. Everything is still stored in NetInfo; it can just be accessed in different ways. A good example of this is our article on sharing e-mail addresses through LDAP.
We’ll explore connecting other operating systems to Mac OS X and Mac OS X to other operating systems over LDAP later as we get more time to set it up in our lab, although we’re more than happy to hear from others that have successfully done this.
In addition to the LDAP functionality, we also got a password server with Mac OS X Server 10.2. Prior to this, all users’ passwords were stored as a one-way hash in the NetInfo database. This was alright, but not great security. While it is not trivial to crack the hashes, it can be done with enough patience and a good dictionary of passwords. The password server gets around this by securing all of the passwords in a separate database that can only be accessed in limited ways.
This allows Mac OS X Server to actually save the original password in a recoverable form, which in turn allows for two flavors of Windows passwords and other stronger forms of password encryption. We also get the ability to age passwords and to force users to change their passwords the first time that they log in.
Keep in mind that these great features are only available to users with password server passwords. In other words: no password server password, no MD5 encryption for IMAP, no APOP encryption for POP, and certainly no Windows connections without messing with the registry.
New to 10.2.2 is the fact that all new users, at least in the network domain, get password server passwords. This is a good thing since these passwords are probably what you want.
For backwards compatibility, the tim authentication manager is still included. Tim passwords were two-way passwords stored in the NetInfo database for each user. They were enabled when you selected to use the authentication manager when setting up the machine. You can set the tim server to run at startup by specifying that in /etc/hostconfig.