Open Directory provides a central repository for information about users and resources in an organization. Centralizing information about users and resources reduces the system administrator’s burden and provides each user with a centralized account for logging in on any authorized computer on the network. Use the Open Directory pane of the Server app to create an Open Directory domain, join an Open Directory domain, add and remove Open Directory replicas, add and remove users and groups, set password policies, add, remove, and edit locales, and create Open Directory archives.
Open Directory requires that DNS be available on the network and be correctly configured to resolve the fully qualified DNS name of the Open Directory server to its IP address. DNS must also be configured to resolve the IP address to the server’s fully qualified DNS name.
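Because a mismatch between the forward and reverse DNS records is the most common reason an Open Directory setup fails, it is worth checking both lookups before turning the service on. The following preflight check is an added example and not Apple's code: it resolves a fully qualified name to an address, resolves that address back to a name, and reports any disagreement. The function names, the `SAMPLE_FORWARD`/`SAMPLE_REVERSE` records and the `example.com` hosts are constructed for this example; with no replacement resolvers passed in it uses the system resolver through Python's `socket` module.

```python
"""Preflight check for the Open Directory DNS requirement.

Added example, not Apple's code. Verifies that a server's fully qualified
DNS name resolves to an IP address and that the address resolves back to
the same name, which Open Directory requires of a master or replica.
"""
import socket
from typing import Callable, Dict, Optional

ForwardFn = Callable[[str], str]   # fqdn -> IP address
ReverseFn = Callable[[str], str]   # IP address -> fqdn


def canonical(name: str) -> str:
    """Normalise a DNS name for comparison: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def check_dns_round_trip(fqdn: str,
                         expected_ip: Optional[str] = None,
                         forward: ForwardFn = socket.gethostbyname,
                         reverse: ReverseFn = lambda ip: socket.gethostbyaddr(ip)[0]) -> Dict:
    """Return a report describing whether forward and reverse DNS agree.

    Keys: ok (bool), fqdn, ip, reverse_name, problems (list of str).
    An empty problems list means the name is safe to use for Open Directory.
    """
    problems = []
    ip = None
    reverse_name = None

    # A bare host name is not a fully qualified name; require at least one dot.
    if "." not in fqdn.strip("."):
        problems.append(f"{fqdn} is not a fully qualified name")

    # Forward lookup: name -> address.
    try:
        ip = forward(fqdn)
    except OSError as exc:          # socket.gaierror is an OSError subclass
        problems.append(f"forward lookup of {fqdn} failed: {exc}")
    if ip is not None and expected_ip is not None and ip != expected_ip:
        problems.append(f"{fqdn} resolves to {ip}, expected {expected_ip}")

    # Reverse lookup: address -> name, which must round-trip to the same name.
    if ip is not None:
        try:
            reverse_name = reverse(ip)
        except OSError as exc:      # socket.herror is an OSError subclass
            problems.append(f"reverse lookup of {ip} failed: {exc}")
        else:
            if canonical(reverse_name) != canonical(fqdn):
                problems.append(f"{ip} resolves back to {reverse_name}, not {fqdn}")

    return {"ok": not problems, "fqdn": fqdn, "ip": ip,
            "reverse_name": reverse_name, "problems": problems}


# Constructed sample records standing in for a DNS zone (not real hosts).
SAMPLE_FORWARD = {"od.example.com": "192.0.2.10", "wrong.example.com": "192.0.2.11"}
SAMPLE_REVERSE = {"192.0.2.10": "od.example.com.", "192.0.2.11": "other.example.com"}


def fake_forward(name: str) -> str:
    """Stand-in forward resolver over the constructed records."""
    try:
        return SAMPLE_FORWARD[canonical(name)]
    except KeyError:
        raise socket.gaierror(f"no A record for {name}")


def fake_reverse(ip: str) -> str:
    """Stand-in reverse resolver over the constructed records."""
    try:
        return SAMPLE_REVERSE[ip]
    except KeyError:
        raise socket.herror(f"no PTR record for {ip}")


if __name__ == "__main__":
    for name in ("od.example.com", "wrong.example.com", "missing.example.com"):
        print(check_dns_round_trip(name, forward=fake_forward, reverse=fake_reverse))
```

Run against a real server by calling `check_dns_round_trip(socket.getfqdn(), expected_ip=...)` with the address the server is configured with; a name that passes the forward lookup but fails the reverse one is exactly the case the Open Directory assistant rejects.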
When you start Open Directory service for the first time, use the assistant either to set up a new Open Directory domain or to join an existing Open Directory domain as a replica.
1. Select Open Directory in the Server app sidebar.
2. Turn on Open Directory.
3. In the assistant dialog, create a new Open Directory domain or join an existing domain as a replica:
   - To set up a new Open Directory domain, see Create an Open Directory domain.
   - To join an existing domain as a replica, see Join an existing directory domain.
You can add replicas of your Open Directory domain. These replicas provide the same directory and authentication information as your Open Directory server to other computers. Replicas provide failover and load balancing for Open Directory clients.
You can have 32 replicas of your master Open Directory domain. Each replica can have 32 of its own replicas (also known as relays).
The replica server you’re adding must have remote administration access enabled before you can add it as a replica. For more information, see Allow remote access to your server.
If the computers on your network are using different versions of OS X Server, one version can’t be a replica of a master of another version:
| Replica version | OS X Server master with Server app 3.x | OS X Server master with Server app 4 |
|---|---|---|
| OS X Server with Server app 3.x replica | Yes | No |
| OS X Server with Server app 4 replica | No | Yes |
1. Select Open Directory in the Server app sidebar.
2. Click Settings, then click Add (+).
3. Enter the following information:
   - Server Address: Enter the IP address or DNS name of the replica server.
   - Server Admin Name: Enter the name of the local administrator account of the replica.
   - Password: Enter the password for the replica server.
   - Parent Server: Click the pop-up menu, then choose the parent server.
   - Directory Admin Name: Enter the name of the directory domain administrator for the parent server.
   - Password: Enter the password for the parent server.
4. Click Next.
5. Confirm your settings, then click Set Up.
There are two types of policies: disabling login when specific conditions are met, and password restrictions.
The server enforces password policies for users. For example, a user’s password policy can specify a password expiration interval. If the user tries to log in and the server determines that the user’s password has expired, the user must set a new password to log in.
Password policies can disable a user account on a specified date, after a number of days, after a period of inactivity, or after a number of failed login attempts. Password policies can also require passwords to be a minimum length, contain at least one letter, contain at least one numeral, differ from the account name, differ from recent passwords, or be changed periodically.
Password policies don’t affect administrator accounts. Administrators are exempt from password policies, because they can change these policies, and because enforcing password policies on administrators could subject them to denial-of-service attacks.
1. Select Open Directory in the Server app sidebar.
2. Click Servers.
3. Click the Action pop-up menu, then choose Edit Global Password Policy.
4. Set global policies for user logins and passwords. To define your global policy, select a restriction or requirement, then enter a value as needed.
5. Click OK.

The policy is applied the next time a user who isn’t an administrator logs in.
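To make the effect of each global policy setting concrete, the model below is an added example (not Apple's code and not the server's actual enforcement logic). It represents the two kinds of policy described above, conditions that disable login and password restrictions, and evaluates them against constructed accounts so you can see which setting blocks a login or rejects a new password, and that administrator accounts are exempt. The class and field names (`GlobalPasswordPolicy`, `Account`, `login_obstacles`, `password_problems`) are this example's own; the sample accounts and passwords are constructed.

```python
"""Model of the Open Directory global password policy.

Added example, not Apple's code: a readable model of the restrictions the
Server app lets you set, evaluated against constructed sample accounts.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class GlobalPasswordPolicy:
    # Conditions that disable login
    disable_on: Optional[date] = None             # disable on a specific date
    disable_after_days: Optional[int] = None      # days since the password was set
    disable_after_inactive_days: Optional[int] = None
    max_failed_logins: Optional[int] = None
    # Password restrictions
    min_length: int = 0
    require_letter: bool = False
    require_numeral: bool = False
    differ_from_account_name: bool = False
    differ_from_recent: int = 0                   # how many recent passwords to reject
    change_every_days: Optional[int] = None       # password expiration interval


@dataclass
class Account:
    name: str
    is_admin: bool = False
    password_set_on: date = field(default_factory=date.today)
    last_login: Optional[date] = None
    failed_logins: int = 0
    # Constructed plaintext list for the model only; a real server keeps
    # password history as hashes, never as plaintext.
    recent_passwords: List[str] = field(default_factory=list)


def login_obstacles(policy: GlobalPasswordPolicy, acct: Account, today: date) -> List[str]:
    """Return the reasons the policy blocks this login, or [] if it is allowed.

    Administrators are exempt, as the documentation states, so they always get [].
    """
    if acct.is_admin:
        return []
    reasons = []
    age = (today - acct.password_set_on).days
    if policy.disable_on is not None and today >= policy.disable_on:
        reasons.append("disabled: policy cutoff date reached")
    if policy.disable_after_days is not None and age >= policy.disable_after_days:
        reasons.append("disabled: account age limit reached")
    if (policy.disable_after_inactive_days is not None and acct.last_login is not None
            and (today - acct.last_login).days >= policy.disable_after_inactive_days):
        reasons.append("disabled: inactive too long")
    if policy.max_failed_logins is not None and acct.failed_logins >= policy.max_failed_logins:
        reasons.append("disabled: too many failed login attempts")
    if policy.change_every_days is not None and age >= policy.change_every_days:
        reasons.append("password expired: a new password must be set to log in")
    return reasons


def password_problems(policy: GlobalPasswordPolicy, acct: Account, candidate: str) -> List[str]:
    """Return the restrictions a proposed new password violates, or [] if acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_letter and not any(c.isalpha() for c in candidate):
        problems.append("contains no letter")
    if policy.require_numeral and not any(c.isdigit() for c in candidate):
        problems.append("contains no numeral")
    if policy.differ_from_account_name and candidate.lower() == acct.name.lower():
        problems.append("same as the account name")
    if policy.differ_from_recent and candidate in acct.recent_passwords[-policy.differ_from_recent:]:
        problems.append("matches a recent password")
    return problems


# Constructed policy and accounts for the demonstration.
POLICY = GlobalPasswordPolicy(max_failed_logins=5, disable_after_inactive_days=180,
                              min_length=8, require_letter=True, require_numeral=True,
                              differ_from_account_name=True, differ_from_recent=3,
                              change_every_days=90)
TODAY = date(2015, 6, 1)
USER = Account("jdoe", password_set_on=date(2015, 1, 1), last_login=date(2015, 5, 20),
               recent_passwords=["Winter2014x", "Spring2015y"])
ADMIN = Account("diradmin", is_admin=True, password_set_on=date(2014, 1, 1), failed_logins=99)
LOCKED = Account("svc", password_set_on=date(2015, 5, 1), failed_logins=5)

if __name__ == "__main__":
    for acct in (USER, ADMIN, LOCKED):
        print(acct.name, login_obstacles(POLICY, acct, TODAY))
    for pw in ("jdoe", "Spring2015y", "Summer2015z"):
        print(repr(pw), password_problems(POLICY, USER, pw))
```

The exemption for administrators is the design point to notice: a lockout-after-N-failures rule applied to the directory administrator would let anyone who can reach the login prompt lock the administrator out, which is the denial-of-service concern the documentation cites.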
If an Open Directory master fails and you can’t recover it from a backup, you can promote a replica to be a master. The new master (promoted replica) uses the directory and authentication databases of the replica.
1. Select Open Directory in the Server app sidebar.
2. Click Servers.
3. Select a replica to promote, click the Action pop-up menu, then choose Promote Replica to Master.
4. Enter the directory administrator name and password.
   If you archived Open Directory data with certificate authority keys, you can restore them by entering the Open Directory archive location or by clicking Choose to locate the archive.
5. Click Next.
6. Enter the user name and password for the replica that’s being promoted, then click Connect.