Managing Multiple User Accounts
Many processes on Mac OS X require user account
information. Applications often ask for your identity and for a
means of authenticating that identity. The Finder needs to
translate user and group IDs to user and group names when
displaying file information. Both the identification information and the
authentication information (or authentication methods) must be stored in
a way that applications can access easily.
In a networked environment, a user will
regularly access different servers, including servers for mail and
file sharing. For each of these servers, the user will also need to
provide a user name and password to gain access. In a corporate
environment, a user can quickly become overwhelmed with having to
track a different user name and password for each server. It is
much simpler for the user if the account information is also stored
in a way that can be shared with servers.
Instead of each application or service storing
its own copy of user account information, Mac OS X uses directory
services to allow different processes to access a common set of
user account information. A directory service is a database service
that keeps track of the resources that are available to the users
of that database. In addition to providing service discovery, Open
Directory also provides directory services for Mac OS X.
Using Local User Accounts
Each Mac OS X computer has a database that
contains records for the local user accounts, such as the main
administrator account. When a process such as the login window
needs to access account information, it calls Open Directory, which
is responsible for retrieving the data from the local directory
service database. Because the different applications all use Open
Directory, they all have access to the same user account
information.
NOTE
Only user account information that is needed by
multiple processes is stored using Open Directory. User data that
is specific to an application, such as preferences, is still
managed by the application.
You do not need to do any configuration for
local directory services. Open Directory is preconfigured to store
local directory information using the NetInfo protocol. If you use
Directory Access to turn off NetInfo, you are only turning off
access to networked NetInfo directories; NetInfo will still be used
for local directory service data.
Using Network User Accounts
Because processes such as loginwindow don't
access the directory service database directly, a database doesn't
have to be stored on the local computer. With the proper
configuration, Open Directory can retrieve user records from a
network database in addition to those in the local database.
The advantage of network user accounts is that a
user in your network can log in to any computer on the network
using the same user name and password and, if used in conjunction
with network home folders, the user environment will look the same
on each computer. A user is no longer tied to a single computer,
but can log in from any computer that has access to the networked
database.
There are some things to keep in mind when using
networked user accounts. Networked user accounts used to require
constant access to the directory server where the user account
information was stored. To help manage accounts on computers that
are not always connected to the network, such as portable
computers, Mac OS X Server allows you to create mobile user
accounts. A mobile user account is a Mac OS X Server user account
that resides in a shared domain but is copied to the local
computer. This allows a user of a portable computer to log in using
a network account even when the computer is not connected to a
network.
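Because a mobile account is a copy of a network account record kept on the local computer, an administrator who inherits a portable Mac often wants to know which of its accounts are cached network accounts and which are purely local. The Python example below is added here and is not from the book or from Apple. It reads the AuthenticationAuthority attribute of a user record with `dscl . -read /Users/<name> AuthenticationAuthority` and classifies the account from the tags on that line; the `;LocalCachedUser;` and `;ShadowHash;` markers are the ones I know from later Mac OS X releases, so treat them as an assumption, since the book itself does not document this attribute. The sample outputs are constructed.

```python
import subprocess
from typing import List, Optional

# Constructed samples of `dscl . -read /Users/<name> AuthenticationAuthority`
# output. Real output carries hash material after the tags; the shape is what
# matters here. (Assumption: tag names as seen on later Mac OS X releases.)
SAMPLE_LOCAL = (
    "AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> "
    ";Kerberosv5;;alice@LKDC:SHA1.0000;LKDC:SHA1.0000;"
)
SAMPLE_MOBILE = (
    "AuthenticationAuthority: ;LocalCachedUser;/LDAPv3/ldap.example.com:bob:"
    "00000000-0000-0000-0000-000000000000; ;Kerberosv5;;bob@EXAMPLE.COM;EXAMPLE.COM;"
)
SAMPLE_MISSING = "No such key: AuthenticationAuthority"


def auth_tags(dscl_output: str) -> List[str]:
    """Return the tag names from the AuthenticationAuthority line.

    Each whitespace-separated token on that line looks like ';Tag;data...',
    so the tag is the text between the first two semicolons.
    """
    for line in dscl_output.splitlines():
        if line.startswith("AuthenticationAuthority:"):
            value = line.split(":", 1)[1]
            return [tok.split(";")[1] for tok in value.split() if tok.startswith(";")]
    return []


def account_kind(dscl_output: str) -> str:
    """Classify a local-node user record as 'mobile', 'local' or 'unknown'.

    A mobile account carries the LocalCachedUser tag (a cached network
    account); a purely local account authenticates with a ShadowHash (or,
    on very old records, a basic crypt hash).
    """
    tags = auth_tags(dscl_output)
    if "LocalCachedUser" in tags:
        return "mobile"
    if "ShadowHash" in tags or "basic" in tags:
        return "local"
    return "unknown"


def read_auth_authority(username: str) -> Optional[str]:
    """Live read on a Mac; returns None where dscl is not available."""
    try:
        proc = subprocess.run(
            ["dscl", ".", "-read", f"/Users/{username}", "AuthenticationAuthority"],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None
    return proc.stdout


if __name__ == "__main__":
    import getpass
    out = read_auth_authority(getpass.getuser())
    if out is None:
        print("dscl not found; showing constructed samples instead")
        out = SAMPLE_MOBILE
    print(account_kind(out), auth_tags(out))
```

Listing the mobile accounts on a laptop tells you which network users have a copy of their record (and password verifier) on that machine, which is the relevant question when the machine is lost or reassigned.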
There are a number of
ways to implement a networked directory service, but the industry
has mostly settled on Lightweight Directory Access Protocol (LDAP).
Closely related to LDAP is Microsoft's Active Directory. Active
Directory is based on LDAP, with some additional extensions that
are specific to Microsoft clients.
Setting up a networked directory service is a
job for the server administrator (and it is covered in the Mac OS X
Server course). You will learn how to set up Mac OS X to connect to
the directory services that you are most likely to encounter.
Sharing User Accounts with Directory Services
Another advantage of storing user accounts on a
directory server is that multiple servers can access the directory
server's user accounts for authentication. Just as a directory
server allows a user to access the same user account on different
computers, sharing the user account with different servers allows
the user to access different services using the same user name and
password.
Multiple user accounts become an issue when a
number of systems use their own private user information to
authenticate users. When you check your mail, the mail server
doesn't know what user name and password you used to log in. The
login window checks your user name and password against its local
users list. The mail server has its own user list for
authentication. The login name and password for one service aren't
necessarily related to the login name and password for another
service.
One way to approach this problem is to make one
list of users available to all of these different systems. If the
login window, the email server, and the AFP server all look to the
same list of users, they can all accept the same user name and
password. If your password is changed on that master list, all of
those services will recognize the change at once and use your new
password.
Using Static Directory Discovery
A directory server can provide more than just
user account information. It can also provide a list of available
services.
Earlier you learned that Mac OS X uses dynamic
service discovery to scan the network and locate available
services. Mac OS X can also query a directory server for a list of
services that the server knows about. This is called static service
discovery because the server has to be explicitly queried to show
any changes to it. Each time a service is added to
the network, the administrator has to manually edit the static list
of services.