How to Bind Lion Clients and Servers to Directories
Mac OS X Lion Servers can bind to a variety of directories, including the native Open Directory, Microsoft Active Directory, Novell eDirectory, various OpenLDAP systems running on other Unix and Linux servers, and the legacy Unix formats. Client computers can connect to any or all of these directory services through the Mac OS X Server.
To connect (bind) to a shared directory, a server or client computer first needs to know that the directory exists. The computer also must trust the directory and the account data it contains. Servers can also connect to a directory to use the same shared accounts for services, such as file sharing and e-mail accounts.
Connecting a client or server to a directory is referred to as binding. A client connected to a directory is said to be bound to the directory.
Binding comes in two types:
Anonymous bind: The most common type of bind. Client or server systems connect without first authenticating to the directory. Requests for information from the directory are sent in clear text, although authentication is encrypted by default. Anonymous connections are commonly used with Mac OS X Server’s Open Directory.
From the local network, you can browse directory information without first binding; most directories are configured this way. Using anonymous binding isn’t an additional security risk in a default configuration in which anyone can browse the data.
Authenticated bind: Just the opposite of anonymous. A directory administrator account is required to create an authenticated bind, creating two-way trust between the client and server. Authenticated binding reduces the risk of man-in-the-middle attacks, in which an evildoer on your network might attempt to gather information about directory and authentication requests. Authenticated binding would be important in a high-security network environment.
Many Microsoft Active Directory servers allow authenticated binding only. However, anonymous binding is far simpler and creates less network overhead.
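To make the two bind types concrete, here is an added example (not from the original article) that parses LDAPv3 BindRequest messages and reports whether each is an anonymous, simple or SASL bind. It assumes only the RFC 4511 BER wire format; the three sample messages, the DN cn=diradmin, the password and the GSSAPI token are constructed for the demonstration.

```python
"""Classify LDAPv3 BindRequest messages (RFC 4511) by bind type.
Added example, not code from the original article; it assumes only the
LDAPv3 BER wire format from RFC 4511. The sample messages are constructed."""

def _tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_bind(msg: bytes) -> dict:
    """Return the bind type and the identity fields visible on the wire."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:                         # LDAPMessage is a SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, msgid, pos = _tlv(body, 0)           # messageID INTEGER
    tag, req, _ = _tlv(body, pos)
    if tag != 0x60:                         # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    _, version, pos = _tlv(req, 0)          # version INTEGER
    _, name, pos = _tlv(req, pos)           # name LDAPDN (may be empty)
    tag, auth, _ = _tlv(req, pos)           # AuthenticationChoice
    info = {"message_id": int.from_bytes(msgid, "big"),
            "version": int.from_bytes(version, "big"), "name": name.decode()}
    if tag == 0x80:                         # simple [0]: password as plain octets
        if not auth:
            info["bind"] = "anonymous" if not name else "unauthenticated"
        else:
            info["bind"] = "simple"
            info["password_bytes_on_wire"] = len(auth)  # readable without TLS
    elif tag == 0xA3:                       # sasl [3] SaslCredentials
        info["bind"], info["mechanism"] = "sasl", _tlv(auth, 0)[1].decode()
    else:
        raise ValueError("unexpected AuthenticationChoice tag 0x%02x" % tag)
    return info

def _enc(tag: int, value: bytes) -> bytes:
    """Short-form BER TLV (value < 128 bytes); used only to build the samples."""
    return bytes([tag, len(value)]) + value

# Constructed sample messages (message IDs 1..3, LDAP version 3).
ANON_BIND = _enc(0x30, _enc(0x02, b"\x01") + _enc(0x60,
            _enc(0x02, b"\x03") + _enc(0x04, b"") + _enc(0x80, b"")))
SIMPLE_BIND = _enc(0x30, _enc(0x02, b"\x02") + _enc(0x60,
            _enc(0x02, b"\x03") + _enc(0x04, b"cn=diradmin") + _enc(0x80, b"s3cret")))
SASL_BIND = _enc(0x30, _enc(0x02, b"\x03") + _enc(0x60,
            _enc(0x02, b"\x03") + _enc(0x04, b"") + _enc(0xA3,
            _enc(0x04, b"GSSAPI") + _enc(0x04, b"<constructed token>"))))
```

Run over captured bind messages, this separates anonymous binds (empty DN, empty password) from simple binds, whose password travels as plain octets unless the session is wrapped in TLS, and from SASL binds such as Kerberos via GSSAPI, which carry a token instead; that distinction is what the man-in-the-middle concern above turns on.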
To have a client running Mac OS X 10.6 and later join a shared directory, you no longer need to open Directory Access and make a number of setting changes. The connection process is consolidated in the Accounts pane (called Users & Groups in Lion) of System Preferences.
For advanced configuration of a Mac client, you employ the Directory Access utility, located in /System/Library/CoreServices. For clients running Mac OS X 10.5.x and earlier, you must use the Directory Access utility to bind to a shared directory.
The Users and Groups (or Accounts) pane in System Preferences shows the status of the directory with the use of a colored dot. Green indicates a good connection to the server. Red indicates an error in the link to the directory. If no connection exists, no dot is displayed.
Another location to look for the status is the login window. Click the gray text indicating the system’s name in the login window, just below the Mac OS X logo, to find additional information about the system. This data includes a green or red dot and the status of network accounts. Having this knowledge can help you troubleshoot directory connections right from the login window.