In-Depth with Mac OS X Lion Server
by Andrew Cunningham on August 2, 2011 8:00 AM ESTThe first thing I want to walk through is Open Directory, OS X’s directory services implementation (roughly analogous to Microsoft’s Active Directory). Many of OS X Server’s other services rely upon or make use of a directory in some way, so it’s important to know how it works.
For those of you who have no experiences with directory services, a brief explanation: imagine you’re the IT support person for a business of, say, 50 employees, and each of those employees has a computer. So you don’t have to manage all of the user accounts on those computers manually, you want to have all of their usernames and passwords stored on your server so that you can keep better track of them. You can also organize users into groups, so that if you have one particular attribute to apply to many different accounts, you can do it once to the group instead of once for every member of the group. This is the essence of Open Directory and other directory services.
It goes further than that: with centrally stored credentials, you can also more easily manage access permissions on file shares or enable your employees to use the same username and password to login to multiple computers. You can control password requirements and store relevant information (email addresses, etc.) about your users. You can also tie other products into your directory so that your users can use the same credentials to access email or internal websites. The list goes on.
OS X Server can either host its own directory (using Open Directory), tie into another, pre-existing directory service (like Active Directory), or both (using Active Directory to manage credentials but Open Directory to manage Apple-specific functionality - Apple calls this a “golden triangle” configuration, and it’s a bit outside the scope of this review). For our purposes, we’ll setup a standalone Open Directory that we’ll then use with other services throughout the review.
Open Directory setup is one of the few things that can still be done with both Server.app and Server Admin, though the approaches differ:
In Server.app: Go to the Manage menu and click Manage Network Accounts.
Enter your organization’s name and your admin’s email address, and click through the rest of the prompts - you’ll have a quick and easy directory setup with a minimum of fuss.
In Server Admin: To enable Open Directory in Server Admin, make sure the Open Directory service is viewable, and select it. In the Settings tab, click the Change button next to the server’s Role.
Here, you’re given three choices. We’ll want to set up an Open Directory master, but you can also connect your Mac to another directory (like Active Directory) or set up an Open Directory replica here. For the uninitiated, an Open Directory replica connects to an existing Open Directory master and mirrors every change made to the master - this can provide for load balancing (in an organization with many Macs) or automatic failover in the event that one or the other server crashes (Macs connected to an Open Directory master will automatically fall back to the replica if the master fails and vice-versa).
Anyway, elect to setup an Open Directory master, input your desired Directory Administrator credentials, input your organization name and admin email address, and you’re set, same as with Server.app. If you want to set a different Kerberos realm or LDAP search base, you can also do it here (but if you don’t know what that means, the default settings are fine).
(screenshot)
You can also use Server Admin to backup or destroy a directory you’ve made - to backup, just use the Archive tab to save and restore copies of your directory’s data. To delete the directory, go to the Settings tab, click Change next to the server’s Role, and select Set up a standalone directory.
Once it's running, you can go ahead and bind client computers to it: in OS X, this is accomplished by going to the Accounts preference pane, clicking Login Options, and clicking the Join button next to Network Account Server.
Enter your server's address in the box that pops up and click OK. If successful, you should now see a green dot followed by your server's address, and you should be able to login to your client computer with any of the user accounts you create (we'll go over that next).
Facebook
Twitter
RSS
77 Comments
View All Comments
the_engineer - Thursday, August 4, 2011 - link
Indeed, and that's the plan, assuming nothing else I like more comes along. I was really sort of tantalized by the possibility of software RAID in OSX, and still haven't been able to get a straight answer on it. Currently it is looking like it's a no go.tff - Tuesday, August 2, 2011 - link
As a home user, I've been frustrated by the inability to have two users edit a shared calendar in OS X/iOS without using 3rd party software.How would it differ using Lion server to accomplish this rather than Lion and iOS 5 clients using iCloud?
Typical Mac home user- iPhones, iPads, Mac laptops.
Omegabet - Tuesday, August 2, 2011 - link
You can install server.app on a client. Just copy the app over from the server. The first time you launch it, choose connect to a server. It will then run server.app from your client. Otherwise it will upgrade lion to the server version. This was recommended in the apple documentation (can't remember where though).qiankun - Tuesday, August 2, 2011 - link
One instance I found frustrating is that non-HSF+ volumes like NTFS and exFat cannot be accessed from other computers using SMB or AFP. You can add the volume to the file sharing list, pick whatever protocol you like, but when you try to access it you'll get an error. Same thing applies to the bootcamp partition.I like to use NTFS or exFat on external drives, for simple fact that whenever needed you can simply disconnect them from the mac server and plug into a PC. I know there are software that allows reading HSF+ partitions on windows, but it's not installed everywhere, very unlikely if you want to use the drive on a random computer you or your friend uses.
damianrobertjones - Tuesday, August 2, 2011 - link
Windows Home Server. That's all I have to add.justinf79 - Friday, August 5, 2011 - link
WHS isn't even in the same league...rs2 - Tuesday, August 2, 2011 - link
I've used a number of different wiki solutions, and the one included on OS X Server is a toy compared to most other popular wikis. There's just no comparison between the OS X wiki and something like Confluence or MediaWiki.gamoniac - Tuesday, August 2, 2011 - link
At first glance, this looks impressive, given the price tag and the myriad of features provided. However, the author should note the huge maintenance costs of this at best rudimentary product. Anyone who has used Apache or IIS 7 knows the Lion web server is years away from catching up.What good is a cheap product if you have to to spend, say, 40 hours, trying to get something to work. The TCO is too high even at $10/hour, and even for home users.
gamoniac - Tuesday, August 2, 2011 - link
PS: Good article nonetheless. Thank you AT. Keep them coming!repoman27 - Wednesday, August 3, 2011 - link
What's good about a cheap product with a myriad of features is that if even one or two work as advertised out of the box, it was worth it. If not, you're only out $50. I configured Snow Leopard Client on a MacBook Pro to work as a NetBoot / NetRestore server because I happened to find that functionality useful, and although it was trivial to do so, I'm perfectly inclined to shell out the $50 for Lion Server going forward rather than monkey around with another client version.In general, you're right though, it's stupid to cheap out on a capital expenditure and then spend an order of magnitude more trying to get someone who knows what they're doing to make it work.
Really, though, who doesn't spend at least 40 hours setting up a new server for the first time?