What is Open Directory and why is it important? It is the Apple multifunction directory services infrastructure. Open Directory consists of a number of different components that handle the information about all the users, groups, and computers on a Mac OS X computer or in a Mac OS X Server network. Open Directory sits as a layer of components between users, the Mac OS X file system, and any other processes running under Mac OS X. Each process or system relies on Open Directory to authenticate users based on their account information and authorizes them to access resources. Open Directory also acts as a gateway with other computing platforms.
In a Mac OS X Server infrastructure, Open Directory is the crucial repository of all user and computer information. Because it stores user accounts, information about computers and servers within the network, managed preferences, and password policies—just to name a few of its functions—it is one of the most mission-critical systems in a Mac network.
In a small network, there might be a single Mac OS X Server acting as an Open Directory server and also providing other services (such as file and print services). However, a large network might contain several Open Directory servers (many acting as replicas of a master server) and multiple master services, each hosting a directory domain that contains different sets of records for various departments or locations. A multiplatform network might even have customized Open Directory servers that actively exchange data with other directory servers for other computing platforms, such as Microsoft Active Directory or Novell eDirectory.
Because Open Directory is the most mission-critical component of a Mac OS X Server network, you must understand how to back up and restore its data.
Special Backup Concerns for Open Directory
Not only is Open Directory mission-critical for Mac OS X Server networks, it has some other special concerns as well. First, unlike the data on a file server (which is mostly static files instead of active databases), the data in Open Directory is constantly changing and (in larger networks) being passed between a master and replica servers. The data needs to conform to a specific blueprint known as the schema for it to be usable by the Open Directory servers. If any data becomes altered accidentally (or intentionally), individual records or the whole of an Open Directory domain can become corrupted. This introduces a level of concern for the data itself instead of hardware or operating system failure that goes beyond what you may need to worry about for other types of servers.
Overall, in its out-of-the-box format, Open Directory is not overly prone to corruption. It tends to handle discrepancies between data contained on master and replica servers well. It is also somewhat surprisingly good at reconciling discrepancies between its various component databases. However, given the complex interactions between those databases—including a primary database with user and computer records (which can store passwords in some rather insecure formats); a password server database that handles many forms of secure password transactions, but is stored separately from the main database with very limited points of congruity for very good security; and a Kerberos realm for secure single sign-on authentication—it’s no surprise that they can occasionally become out of sync.´ (Although usually this can be remedied by resetting a user password or password type using Workgroup Manager.)
If you begin customizing Open Directory by modifying the schema, which is often required to achieve heavy levels of integration with other platforms, you might create problems. I don’t advise anyone who is not adept at LDAP administration to even try to modify the schema on their own. Even some operating system updates that write changes to Open Directory can cause problems, particularly if you’ve modified the schema.
Open Directory is also permission-sensitive. You should not alter the permissions on any of its components unless you are very confident about what you’re doing. However, some installers (or well-meaning or malicious users) might try to alter those permissions, which can also create problems. Some of them can be resolved by using the Disk Utility Repair Permissions feature, but the changes can sometimes be more difficult to recover from. Adjusting Open Directory permissions might not only cause problems in operation but they can also compromise the security of user, password, and important network configuration information.
If you are making any changes to the schema or permissions of Open Directory, you should perform a backup beforehand. You should also perform a backup prior to installing any software updates. (Always a good idea, regardless of the role of a server.) Use a test environment when working with schema changes before rolling those changes out in a live network.