Local and shared directory domains

Where you store your server’s user information and other administrative data is determined by whether the data must be shared. This information can be stored in the server’s local directory domain or in a shared directory domain.

About the local directory domain

Every Mac computer has a local directory domain. A local directory domain’s administrative data is visible only to apps and system software on the computer where the domain resides. It’s the first domain consulted when a user logs in or performs any operation that requires data stored in a directory domain.

When the user logs in to a Mac computer, Open Directory searches the computer’s local directory domain for the user’s record. If the local directory domain contains the user’s record (and if the user entered the correct password), the login process proceeds and the user gets access to the computer.

After login, the user could choose “Connect to Server” from the Go menu and connect to a Mac server for file service. In this case, Open Directory on the server searches for the user’s record in the server’s local directory domain.

If the server’s local directory domain has a record for the user (and if the user enters the correct password), the server grants the user access to file services, as shown in the following figure:

[Figure L0007_dataVis: user record found in the server's local directory domain grants access to file services]

When you set up a Mac computer, its local directory domain is created and populated with records. For example, a user record is created for the user who performed the installation. It contains the user name and password entered during setup and other information, such as a unique ID for the user and the location of the user’s home folder.

About shared directory domains

Although Open Directory on any Mac can store administrative data in the computer’s local directory domain, the real power of Open Directory is that it lets multiple Mac computers share administrative data by storing the data in shared directory domains.

When a computer is configured to use a shared domain, administrative data in the shared domain is also visible to apps and system software on that computer.

If Open Directory doesn’t find a user’s record in the local directory domain of a Mac computer, Open Directory can search for the user’s record in any shared domains the computer has access to.

In the following figure, the user can access both computers because the shared domain accessible from both computers contains a record for the user.

[Figure L0008_netVis: a shared directory domain accessible from both computers holds the user's record]

Shared domains generally reside on servers because directory domains store extremely important data, such as the data for authenticating users.

Access to servers is usually tightly restricted to protect the data on them. In addition, directory data must always be available. Servers often have extra hardware features that enhance their reliability, and servers can be connected to uninterruptible power sources.

Shared data in existing directory domains

Some organizations—such as universities and worldwide corporations—maintain user information and other administrative data in directory domains on UNIX or Windows servers. Open Directory can search these non-Apple domains and shared Open Directory domains of OS X Server computers, as shown in the following figure:

[Figure L0011_extShared: Open Directory searching non-Apple directory domains and shared Open Directory domains]

The order in which OS X searches directory domains is configurable: a search policy determines which domains are consulted and in what sequence. Search policies are explained in Open Directory search policies.
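The lookup described above (local directory domain first, then each shared domain the computer is configured to use, stopping at the first record found) can be modelled with a few lines of Python. This is an added example written for this page, not Apple's Open Directory code: the node paths, user names, passwords and the PBKDF2-based password check are all constructed assumptions. It builds one shared domain and two computers that each have their own local domain, and shows that a user held only in the shared domain can log in on both, that a user held only in one local domain is unknown elsewhere, and that a local record with the same name shadows the shared one because the search stops at the first match.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Tuple


def _derive(password: str, salt: bytes) -> bytes:
    """Password hash stand-in for the example (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserRecord:
    """The parts of a user record the page mentions: name, unique ID, home folder, credential."""
    name: str
    uid: int
    home: str
    salt: bytes
    pw_hash: bytes

    @classmethod
    def create(cls, name: str, uid: int, home: str, password: str) -> "UserRecord":
        salt = os.urandom(16)
        return cls(name, uid, home, salt, _derive(password, salt))

    def verify(self, password: str) -> bool:
        # Constant-time comparison so a mismatch does not leak via timing.
        return hmac.compare_digest(self.pw_hash, _derive(password, self.salt))


@dataclass
class DirectoryNode:
    """One directory domain; path names are assumed, in the style of dscl node names."""
    path: str
    users: dict = field(default_factory=dict)

    def add(self, rec: UserRecord) -> None:
        self.users[rec.name] = rec


def find_user(name: str, search_policy: list) -> Optional[Tuple[str, UserRecord]]:
    """Walk the search policy in order; return (node path, record) of the first hit.

    Because the walk stops at the first match, a record in the local domain
    shadows a same-named record in any shared domain that follows it.
    """
    for node in search_policy:
        rec = node.users.get(name)
        if rec is not None:
            return node.path, rec
    return None


def authenticate(name: str, password: str, search_policy: list) -> Tuple[bool, Optional[str]]:
    """Return (access granted, node the record came from); (False, None) if no record."""
    hit = find_user(name, search_policy)
    if hit is None:
        return False, None
    node_path, rec = hit
    return rec.verify(password), node_path


# Constructed sample data: one shared domain on a server, plus the local
# domains of a laptop and of the server itself.
shared = DirectoryNode("/LDAPv3/od.example.com")
shared.add(UserRecord.create("alice", 1025, "/Users/alice", "alice-pw"))
shared.add(UserRecord.create("admin", 1001, "/Users/admin", "shared-admin-pw"))

laptop_local = DirectoryNode("/Local/Default")
laptop_local.add(UserRecord.create("bob", 501, "/Users/bob", "bob-pw"))
laptop_local.add(UserRecord.create("admin", 502, "/Users/admin", "local-admin-pw"))

server_local = DirectoryNode("/Local/Default")
server_local.add(UserRecord.create("serveradmin", 501, "/Users/serveradmin", "srv-pw"))

# Each computer's search policy: its own local domain first, then the shared domain.
LAPTOP_POLICY = [laptop_local, shared]
SERVER_POLICY = [server_local, shared]

if __name__ == "__main__":
    for who, pw, policy in [("alice", "alice-pw", LAPTOP_POLICY),
                            ("alice", "alice-pw", SERVER_POLICY),
                            ("bob", "bob-pw", SERVER_POLICY),
                            ("admin", "shared-admin-pw", LAPTOP_POLICY)]:
        print(who, authenticate(who, pw, policy))
```

The `admin` case is the one worth noticing when auditing a fleet: the laptop's local `admin` (UID 502) answers before the shared `admin` (UID 1001) is ever consulted, so the shared credential is rejected there and the local account's identity is the one that applies. On a real Mac the effective order the model hard-codes can be read with `dscl /Search -read /`.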