Each Mac has a search policy, also commonly referred to as a search path, that specifies which directory domains Open Directory can access, such as the computer’s local directory domain and a particular shared directory.
The search policy also specifies the order in which Open Directory accesses directory domains. Open Directory searches each directory domain and stops searching when it finds a match. For example, Open Directory stops searching for a user record when it finds a record whose user name matches the name it’s looking for.
Search policy levels
A search policy can include only the local directory domain, the local directory domain and a shared directory, or the local directory domain and multiple shared directories.
On a network with a shared directory, several computers generally access the shared directory. This arrangement can be depicted as a tree-like structure with the shared directory at the top and local directories at the bottom.
Local directory domain search policy
The simplest search policy consists only of a computer’s local directory domain. In this case, Open Directory looks for user information and other administrative data only in the local directory domain of each computer.
If a server on the network hosts a shared directory, Open Directory doesn’t look there for user information or administrative data because the shared directory isn’t part of the computer’s search policy.
The following figure shows two computers on a network that only search their own local directory domain for administrative data.
Two-level search policies
If one server on the network hosts a shared directory, all computers on the network can include the shared directory in their search policies. In this case, Open Directory looks for user information and other administrative data first in the local directory domain. If Open Directory doesn’t find the information it needs in the local directory domain, it looks in the shared directory.
The following figure shows two computers and a shared directory domain on a network. The computers are connected to the shared directory domain and have it in their search policy.
Here’s a scenario in which a two-level search policy might be used:
Each class (English, math, science) has its own computer. The students in each class are defined as users in the local domain of that class’s computer. All three of these local domains have the same shared domain, in which all instructors are defined.
Instructors, as members of the shared domain, can log in to all class computers. The students in each local domain can log in to only the computer where their local account resides.
Local domains reside on their respective computers but a shared domain resides on a server accessible from the local domain’s computer. When an instructor logs in to any of the three class computers and cannot be found in the local domain, Open Directory searches the shared domain.
In the following figure, there’s only one shared domain, but in more complex networks, there may be more shared domains.
Multilevel search policies
If more than one server on the network hosts a shared directory, the computers on the network can include two or more shared directories in their search policies.
As with simpler search policies, Open Directory looks for user information and other administrative data first in the local directory domain. If Open Directory doesn’t find the information it needs in the local directory domain, it searches each shared directory in the sequence specified by the search policy.
Here’s a scenario in which more than one shared directory might be used:
Each class (English, math, science) has a server that hosts a shared directory domain. Each classroom computer’s search policy specifies the computer’s local domain, the class’s shared domain, and the school’s shared domain.
The students in each class are defined as users in the shared domain of that class’s server, so each student can log in to any computer in the class. Because the instructors are defined in the shared domain of the school server, they can log in to any classroom computer.
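The two classroom scenarios above (local plus one shared domain, and local plus a class domain plus a school domain) both come down to the first-match rule from the start of the page: Open Directory walks the domains in search-policy order and stops at the first record whose name matches. The following Python model is an added example, not Apple code or any Open Directory API; the domain names, user names and records are constructed here. It shows which domain answers a login for each policy, what is reachable when a portable Mac is off the network (local domain only), and the caveat the page implies but does not spell out: a local record with the same name as a shared record hides the shared one, because searching stops at the first match.

```python
"""First-match model of an Open Directory search policy (added example, not Apple code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Record = Dict[str, str]


@dataclass
class DirectoryDomain:
    """A directory domain: a named store of user records keyed by user name."""
    name: str
    users: Dict[str, Record] = field(default_factory=dict)


@dataclass
class SearchPolicy:
    """An ordered list of domains; the local domain is always first."""
    domains: List[DirectoryDomain]

    def find_user(self, username: str) -> Optional[Tuple[str, Record]]:
        """Return (domain name, record) of the first match, or None.

        Searching stops at the first domain holding the name, so a record
        earlier in the order hides any same-named record later in it.
        """
        for domain in self.domains:
            if username in domain.users:
                return domain.name, domain.users[username]
        return None

    def hidden_matches(self, username: str) -> List[str]:
        """Domains after the first match that also hold this user name.

        A non-empty result means a later (usually shared) record can never
        be reached from this computer: worth checking before trusting that a
        shared-domain account is the one actually logging in.
        """
        names = [d.name for d in self.domains if username in d.users]
        return names[1:]

    def offline(self) -> "SearchPolicy":
        """What remains when the network is unreachable: only the local domain."""
        return SearchPolicy(self.domains[:1])


def who_can_log_in(policy: SearchPolicy, usernames: List[str]) -> Dict[str, Optional[str]]:
    """Map each user name to the domain that answers for it (None = no account)."""
    result: Dict[str, Optional[str]] = {}
    for user in usernames:
        match = policy.find_user(user)
        result[user] = match[0] if match else None
    return result


# --- constructed sample data (hypothetical names, not from the page) ---
school = DirectoryDomain("school-shared", {
    "instructor": {"uid": "1001", "home": "/Network/Servers/school/instructor"},
})
science_shared = DirectoryDomain("science-shared", {"student-sci": {"uid": "2001"}})
english_shared = DirectoryDomain("english-shared", {"student-eng": {"uid": "2002"}})
science_mac_local = DirectoryDomain("science-mac-local", {
    "admin": {"uid": "501"},
    "instructor": {"uid": "502"},  # same name as the shared record: shadows it
})
english_mac_local = DirectoryDomain("english-mac-local", {"admin": {"uid": "501"}})

# Two-level policy (local + school shared), as in the first scenario.
two_level = SearchPolicy([english_mac_local, school])
# Multilevel policies (local + class shared + school shared), as in the second.
science_policy = SearchPolicy([science_mac_local, science_shared, school])
english_policy = SearchPolicy([english_mac_local, english_shared, school])

if __name__ == "__main__":
    names = ["instructor", "student-sci", "student-eng"]
    for label, policy in [("science", science_policy), ("english", english_policy)]:
        print(label, who_can_log_in(policy, names))
        print("  hidden behind first match:", policy.hidden_matches("instructor"))
        print("  off the network:", who_can_log_in(policy.offline(), names))
```

Running it shows the instructor answered by `school-shared` on the English Mac but by the local record on the science Mac, where `hidden_matches` reports the shadowed shared record; with `offline()` only the local accounts remain, which is why the page recommends mobile accounts for portables.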
You can affect an entire network or a group of computers by choosing the domain in which to define administrative data. The higher the administrative data resides in a search policy, the fewer places it must be changed as users and system resources change.
Probably the most important aspect of directory services for administrators is planning directory domains and search policies. These should reflect the resources to share, the users to share them among, and the way you want to manage your directory data.
Automatic search policies
You can configure Mac computers to set search policies automatically. An automatic search policy consists of two parts, one of which is optional:
Local directory domain
Shared LDAP directory (optional)
A computer’s automatic search policy always begins with the computer’s local directory domain. If a Mac computer isn’t connected to a network, the computer searches its local directory domain for user accounts and other administrative data.
The automatic search policy then determines whether the computer is configured to connect to a shared directory domain. The computer can be connected to a shared directory domain, which can in turn be connected to another shared directory domain, and so on.
A shared directory domain connection, if any, constitutes the second part of the automatic search policy. For more information, see Inside a directory domain.
An automatic search policy offers convenience and flexibility, especially for portable computers. If a computer with an automatic search policy is disconnected from the network, connected to a different network, or moved to a different subnet, the automatic search policy can change.
If the computer is disconnected from the network, it uses its local directory domain. If the computer is connected to a different network or subnet, it can change its shared directory domain connection.
With an automatic search policy, a computer doesn’t need to be reconfigured to get directory and authentication services in its new location.
Custom search policies
A custom search policy could, for example, specify that an Active Directory domain be searched before an Open Directory server’s shared directory domain. Users can then configure their computer to log in using their user records from the Active Directory domain and have their preferences managed by group and computer records from the Open Directory domain.
A custom search policy generally doesn’t work in multiple network locations or while not connected to a network because it relies on the availability of specific directory domains on the network.
If a portable computer is disconnected from its usual network, it no longer has access to the shared directory domains on its custom search policy. However, the disconnected computer still has access to its local directory domain because it’s the first directory domain on every search policy.
The portable computer user can log in using a user record from the local directory domain, which can include mobile user accounts. These mirror user accounts from the shared directory domain that the portable computer accesses when it’s connected to its usual network.
Search policies for authentication and contacts
A Mac computer has a search policy for finding authentication information and it has a separate search policy for finding contact information:
Open Directory uses the authentication search policy to locate and retrieve user authentication information and other administrative data from directory domains.
Open Directory uses the contacts search policy to locate and retrieve name, address, and other contact information from directory domains. Contacts uses this contact information, and other apps can be programmed to use it as well.
Each search policy can be automatic, custom, or local directory domain only.