Apple Open Directory
Apple Open Directory is the LDAP directory service model implementation from Apple Inc. A directory service is software which stores and organizes information about a computer network's users and network resources and which allows network administrators to manage users' access to those resources. In the context of macOS Server, ''Open Directory'' describes a shared LDAPv3 directory domain and a corresponding authentication model composed of Apple Password Server and Kerberos 5, tied together using a modular Directory Services system. Apple Open Directory is a fork of OpenLDAP.

The term ''Open Directory'' can also be used to describe the entire directory services framework used by macOS and macOS Server. In this context, it describes the role of a macOS or macOS Server system when it is connected to an existing directory domain, in which context it is sometimes referred to as ''Directory Services''. Apple also publishes an API called the ''OpenDirectory'' framework, permitting macOS applications to interrogate and edit the Open Directory data.

With the release of Mac OS X Leopard (10.5), Apple chose to move away from using the NetInfo directory service (originally found in NeXTSTEP and OPENSTEP), which had been used by default for all local accounts and groups in every release of Mac OS X from 10.0 to 10.4. Mac OS X 10.5 and later use Directory Services and its plugins for all directory information. Local accounts are registered in the Local Plugin, which uses XML property list (plist) files stored in /var/db/dslocal/nodes/Default/ as its backing storage. Those files are readable only by root and, on current releases, hold each local account's password hash in the ShadowHashData attribute, so they are the local equivalent of /etc/shadow and a standard target for credential theft on a compromised Mac.
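The following added example (not code from the page or from Apple) shows what a Local Plugin user record looks like and how its AuthenticationAuthority values select a password mechanism. It builds two constructed records in the layout of /var/db/dslocal/nodes/Default/users/<name>.plist (every attribute is an array of values; ShadowHashData carries a nested binary plist in the SALTED-SHA512-PBKDF2 layout used since OS X 10.8), then audits them for the legacy ";basic;" crypt authority described in the History section and for a stray uid 0 record. The record names, hashes and the audit rules are this example's own assumptions.

```python
import plistlib

# Meaning of the tags that appear in an AuthenticationAuthority value (';tag;data').
AUTHORITY_TAGS = {
    "basic": "crypt(3) hash kept in the record's own passwd attribute (Mac OS X 10.0/10.1 style)",
    "ShadowHash": "hash kept outside the directory data, in ShadowHashData",
    "ApplePasswordServer": "verified by the Open Directory Password Server",
    "Kerberosv5": "Kerberos principal, on a server KDC or the machine's local KDC (LKDC)",
    "LocalCachedUser": "cached copy of a network account",
    "DisabledUser": "login disabled",
}

# Constructed sample records; every value below is made up for the example.
_shadow = plistlib.dumps(
    {"SALTED-SHA512-PBKDF2": {"entropy": b"\x11" * 128, "iterations": 40000, "salt": b"\x22" * 32}},
    fmt=plistlib.FMT_BINARY,
)
SAMPLE_RECORDS = {
    "alice": plistlib.dumps({
        "name": ["alice"], "uid": ["501"], "gid": ["20"], "home": ["/Users/alice"],
        "shell": ["/bin/zsh"], "realname": ["Alice Example"], "passwd": ["********"],
        "authentication_authority": [";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>",
                                     ";Kerberosv5;;alice@LKDC:SHA1.0000;LKDC:SHA1.0000;"],
        "ShadowHashData": [_shadow],
    }),
    "svc_legacy": plistlib.dumps({
        "name": ["svc_legacy"], "uid": ["0"], "gid": ["0"], "home": ["/var/empty"],
        "shell": ["/bin/sh"], "passwd": ["abJnggxhB/yWI"],  # constructed crypt(3) string
        "authentication_authority": [";basic;"],
    }),
}


def load_record(raw):
    """Parse a dslocal plist; attributes are arrays, so unwrap the single-valued ones."""
    plist = plistlib.loads(raw)
    return {k: (v[0] if len(v) == 1 else v) for k, v in plist.items()}


def authorities(record):
    """Extract the tag names from each ';tag;data' AuthenticationAuthority value."""
    values = record.get("authentication_authority", [])
    if isinstance(values, str):
        values = [values]
    tags = []
    for value in values:
        tags.extend(part for part in value.split(";") if part in AUTHORITY_TAGS)
    return tags


def shadow_hash_kinds(record):
    """ShadowHashData is itself a binary plist keyed by hash algorithm name."""
    data = record.get("ShadowHashData")
    return sorted(plistlib.loads(data)) if data else []


def audit(raw):
    """Summarize one record and flag the conditions a reviewer would want to see."""
    rec = load_record(raw)
    tags = authorities(rec)
    findings = []
    if "basic" in tags:
        findings.append("crypt hash in passwd attribute: weak, and exposed to anyone who can read the plist")
    if not tags:
        findings.append("no authentication authority: password login impossible (normal for service accounts)")
    if str(rec.get("uid")) == "0" and rec.get("name") != "root":
        findings.append("uid 0 on a record other than root")
    return {"name": rec["name"], "uid": int(rec["uid"]), "authorities": tags,
            "hash_kinds": shadow_hash_kinds(rec), "findings": findings}


if __name__ == "__main__":
    for raw in SAMPLE_RECORDS.values():
        print(audit(raw))
```

On a real system the same parsing applies to the plists under /var/db/dslocal/nodes/Default/users/ (root access required), or to the output of `dscl . -read /Users/<name>`, which reports the same attributes under their standard names.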


Implementation in macOS Server

macOS Server can host an ''Open Directory domain'' when configured as an ''Open Directory Master''. In addition to its local directory, this OpenLDAP-based LDAPv3 domain is designed to store centralized management data and user, group, and computer accounts, which other systems can access. The directory domain is paired with the ''Open Directory Password Server'' and, optionally, a Kerberos realm. Either provides an authentication model and stores password information outside of the directory domain itself. For Kerberos authentication, the Kerberos realm can either be hosted by a Kerberos key distribution center (KDC) running on the server system, or the server can participate in an existing Kerberos realm. For services that are not Kerberized, the Password Server provides the following Simple Authentication and Security Layer (SASL)-based authentication methods:

* APOP
* CRAM-MD5
* Diffie–Hellman key exchange
* Digest-MD5
* MS-CHAPv2
* NTLM v1 and v2
* LAN Manager
* WebDAV-Digest

Most of these are challenge-response schemes that can only be verified from the cleartext password or a fixed hash of it (the LM and NT hashes for LAN Manager, NTLM and MS-CHAPv2), so the Password Server must keep password material in a form from which every enabled mechanism's verifier can be derived, and a captured exchange for any of them can be attacked offline; LAN Manager and NTLMv1 in particular offer little resistance to that. Mechanisms a deployment does not need should be disabled.

Any Mac OS X Server system prior to 10.7 (Lion) configured as an Open Directory Master can act as a Windows Primary Domain Controller (PDC), providing domain authentication services to Microsoft Windows clients.
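As an added example (not Apple's Password Server code), the exchange below implements one of the listed mechanisms, CRAM-MD5 (RFC 2195), with both sides' messages: the server's challenge, the client's HMAC-MD5 response, and the server's verification, which must recompute the HMAC from the stored cleartext password. It then shows why that matters for a server that stores recoverable passwords: an eavesdropper holding one challenge/response pair can test guesses offline. The host name, process id, timestamp and password are the worked example from RFC 2195; the password store and the guess list are constructed for the example.

```python
import hashlib
import hmac
import os
import time


def server_challenge(hostname, pid=None, now=None):
    """RFC 2195 challenge: a unique '<pid.timestamp@host>' string the server sends first."""
    pid = os.getpid() if pid is None else pid
    now = int(time.time()) if now is None else now
    return f"<{pid}.{now}@{hostname}>"


def client_response(username, password, challenge):
    """Client answers 'user hex(HMAC-MD5(key=password, msg=challenge))'; the password itself never crosses the wire."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(response, challenge, lookup_password):
    """The verifier needs the cleartext password (or the HMAC key state derived from it) to recompute the digest."""
    username, _, digest = response.partition(" ")
    stored = lookup_password(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def offline_guess(challenge, response, candidates):
    """Anyone who captured one exchange can test password guesses offline at MD5 speed, with no lockout."""
    _, _, digest = response.partition(" ")
    for guess in candidates:
        attempt = hmac.new(guess.encode(), challenge.encode(), hashlib.md5).hexdigest()
        if hmac.compare_digest(attempt, digest):
            return guess
    return None


# Constructed store standing in for the Password Server's recoverable password storage.
PASSWORDS = {"tim": "tanstaaftanstaaf"}


def demo():
    """Run the full exchange with the RFC 2195 test vector and then the offline attack on it."""
    challenge = server_challenge("postoffice.reston.mci.net", pid=1896, now=697170952)
    response = client_response("tim", PASSWORDS["tim"], challenge)
    ok = server_verify(response, challenge, PASSWORDS.get)
    cracked = offline_guess(challenge, response, ["password", "letmein", "tanstaaftanstaaf"])
    return challenge, response, ok, cracked


if __name__ == "__main__":
    print(demo())
```

APOP, Digest-MD5 and WebDAV-Digest have the same property (the verifier needs the cleartext or a password-derived MD5 value), which is the reason a Password Server that enables them cannot store only a one-way salted hash.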


Directory services framework

In a more general sense, Open Directory can describe the plugin model used by Directory Utility and the directory services framework in macOS and macOS Server. This could be thought of as analogous to the Name Service Switch (NSS) of some other Unix-like operating systems. When ''connected to a directory system'', a macOS client or server can authenticate users, look up contacts, and perform service discovery and name resolution with the following types of directories:

* Authentication and contacts
** Microsoft Active Directory
** LDAPv3, including an Open Directory domain or an RFC 2307-compliant system
** Apple/NeXT NetInfo domains
** BSD flat files and NIS
* Service discovery and name resolution
** AppleTalk
** Windows (NetBIOS and WINS)
** Service Location Protocol (SLP)
** Multicast DNS (Bonjour/Zeroconf)

Nodes are consulted in the order given by the client's search policy, with the local node first, so a local record shadows a network record of the same name, and records from different nodes that share a numeric user ID are indistinguishable to the kernel and the file system.
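To make the NSS analogy concrete, the following added example (this page's illustration, not Apple's framework code) models a search policy of two nodes: a Local node whose records already use Open Directory's standard attribute names, and an LDAPv3 node fed from RFC 2307 posixAccount entries, translated with the default attribute mapping the LDAPv3 plugin applies (uid to RecordName, uidNumber to UniqueID, and so on). Lookups walk the policy in order, and a second check lists UniqueID collisions across nodes. The node paths, the LDIF entries and the minimal LDIF reader (no line wrapping or base64) are assumptions of the example.

```python
from dataclasses import dataclass, field

# Default mapping the LDAPv3 plugin applies between RFC 2307 posixAccount attributes and
# Open Directory's standard (dsAttrTypeStandard) attribute names.
RFC2307_TO_STANDARD = {
    "uid": "RecordName",
    "uidNumber": "UniqueID",
    "gidNumber": "PrimaryGroupID",
    "homeDirectory": "NFSHomeDirectory",
    "loginShell": "UserShell",
    "cn": "RealName",
}


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


@dataclass
class Node:
    """One directory node in the search policy, holding records keyed by RecordName."""
    path: str
    records: dict = field(default_factory=dict)

    def lookup(self, name):
        return self.records.get(name)


def local_node(records):
    """Local plugin node: records already carry standard attribute names."""
    return Node("/Local/Default", {r["RecordName"]: r for r in records})


def ldap_node(path, ldif):
    """LDAPv3 plugin node: keep posixAccount entries and translate attribute names (first value wins)."""
    records = {}
    for entry in parse_ldif(ldif):
        if "posixAccount" not in entry.get("objectClass", []):
            continue
        rec = {std: entry[ldap][0] for ldap, std in RFC2307_TO_STANDARD.items() if ldap in entry}
        records[rec["RecordName"]] = rec
    return Node(path, records)


def resolve(name, search_policy):
    """Walk the search policy in order; the first node that knows the name answers, as NSS does."""
    for node in search_policy:
        rec = node.lookup(name)
        if rec is not None:
            return node.path, rec
    return None


def uid_collisions(search_policy):
    """Distinct records sharing a UniqueID are one identity to the kernel and the file system."""
    by_uid = {}
    for node in search_policy:
        for name, rec in node.records.items():
            by_uid.setdefault(int(rec["UniqueID"]), []).append((node.path, name))
    return {uid: owners for uid, owners in by_uid.items() if len(owners) > 1}


# Constructed sample data: a local 'alice' that shadows the directory's 'alice', and a
# directory user 'bob' whose uidNumber collides with the local account.
LOCAL = local_node([
    {"RecordName": "alice", "UniqueID": "501", "PrimaryGroupID": "20",
     "NFSHomeDirectory": "/Users/alice", "UserShell": "/bin/zsh"},
])
LDIF = """\
dn: uid=alice,cn=users,dc=od,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1025
gidNumber: 20
homeDirectory: /Network/Users/alice
loginShell: /bin/bash

dn: uid=bob,cn=users,dc=od,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
uidNumber: 501
gidNumber: 20
homeDirectory: /Network/Users/bob
loginShell: /bin/bash
"""
POLICY = [LOCAL, ldap_node("/LDAPv3/od.example.com", LDIF)]

if __name__ == "__main__":
    print(resolve("alice", POLICY))
    print(uid_collisions(POLICY))
```

On a Mac the equivalent checks are `dscl /Search -read /Users/<name>` to see which node answers, and `dscl /Search -search /Users UniqueID <uid>` to find every record that claims a given UID.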


History

Open Directory began with Mac OS X Server 10.2. In this initial form, Open Directory consisted of a network-visible NetInfo directory domain and a corresponding Authentication Manager service for storing passwords outside of the directory. Version 10.2 also included support for Kerberos. Mac OS X versions 10.0 and 10.1 stored user password information within the directory domain using crypt password authentication authorities, but version 10.2 paved the way for the current Shadow Hash and Password Server mechanisms. Password Server is the successor to Authentication Manager, and was introduced in Open Directory 2 in Mac OS X Server 10.3. Open Directory 2 was also the first version to use LDAPv3 as the directory domain. Mac OS X Server 10.4 includes Open Directory 3, which introduced Active Directory domain member support, trusted directory binding, and increased robustness. Mac OS X Server 10.5 features Open Directory 4 with support for cross-domain authorization and a built-in RADIUS server for managing AirPort base stations. Open Directory 4 no longer includes elements of NetInfo.


See More

* List of LDAP software
* Active Directory
* FreeIPA
* NetInfo
