How to Create an Open Directory Master Using Lion’s Server Admin

By John Rizzo

You can create an Open Directory master using Lion’s Server App, but you won’t have access to a number of the options that are available in Server Admin on Lion Server. Follow these steps to create an Open Directory master and a shared directory domain using Server Admin:

  1. Open Server Admin on the server that will become the Open Directory master and click the server in the left column.

  2. Click the Settings icon in the toolbar, click the Services tab, select the Open Directory check box, and click the Save button.

    Skip this step if you previously enabled the service, and it’s already listed in the server’s expanded list of services.

  3. Click Open Directory in the expanded service list and observe the service’s current status by clicking the Overview icon.

    This screen shows the status of directory services. If a server hasn’t yet been configured for a shared Open Directory domain, the first line says Standalone Directory, which indicates that only a local directory is available.

  4. Click the Settings icon in the toolbar and then click the General tab.

  5. Next to the status Role: Standalone Directory, click the Change button.

    The Open Directory Assistant opens and walks you through changing the server’s Open Directory role. You can see the initial screen of the Open Directory Assistant.

  6. Select Set Up an Open Directory Master from the three options and click the Continue button.

    The Open Directory Assistant may alert you to a DNS problem if it detects one.

  7. View and optionally change the directory administrator name, short name, and user ID and then enter a password; click Continue when finished.

    The directory administrator is capable of creating accounts in the directory, modifying the directory, adding and removing replica servers, serving as the Kerberos KDC administrator, and more. The directory administrator’s default name and short name work fine in any Open Directory domain. For stronger security — making it more difficult for someone to guess your administrator’s credentials — use a unique name and short name on your server.

    The Name default setting is Directory Administrator, the Short Name is diradmin, and the User ID is 1000.

  8. Set the Kerberos Realm name and LDAP Search Base path for the shared domain.

    By default, the Kerberos Realm and LDAP Search Base boxes match the fully qualified hostname of your master server. Advanced users may need to modify these settings, but for most domains, the default options are perfectly acceptable. You can see the correct Kerberos Realm and LDAP Search Base boxes, automatically populated, that match the server’s hostname.

    When the realm’s name and search base path don’t match your server’s hostname, it’s a good indication that something’s gone wrong with your DNS settings. This is your last chance to resolve DNS problems before you continue with your shared domain. Failing to do so will likely leave you with a domain in which Kerberos, LDAP, or both are broken.

  9. Type an organization name and administrator e-mail address at the bottom of the window and then click the Continue button.

  10. Confirm your settings so far in the final screen of the Open Directory Assistant and then click the Continue button.

    The Open Directory Assistant now processes your entries and creates the resources needed on the Open Directory master. The LDAP database, Password Server database, and Kerberos KDC are created, and their supporting background processes are started.

  11. Click the Done button after your server’s been configured as an Open Directory master.

    The Open Directory Assistant closes, returning you to Server Admin. Congratulations — you’ve successfully created a shared directory.

Server Admin now shows the role as Open Directory Master, with LDAP server, Password Server, and Kerberos all listed as Running. Also note the green dot next to Open Directory in the expanded list of services.
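The check in step 8 (realm and search base must match the server’s hostname, or DNS is wrong) can be made repeatable from the Terminal before you click Continue. The following script is an added example, not part of the article or of Apple’s tools; it assumes the standard OS X Server defaults, namely that the Kerberos realm is the fully qualified hostname in upper case and the LDAP search base is one dc= component per hostname label, and it uses the dig(1) and hostname(1) commands that ship with macOS.

```shell
#!/bin/sh
# Added pre-flight check for step 8 (not part of the original article).
# Derives the defaults the Open Directory Assistant pre-populates from the
# server's fully qualified hostname and compares them with what the Assistant
# shows, then confirms the hostname's forward and reverse DNS agree.

# od.example.com -> OD.EXAMPLE.COM
expected_realm() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# od.example.com -> dc=od,dc=example,dc=com
expected_search_base() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), tolower($i)
        printf "\n"
    }'
}

# Compare the realm and search base shown by the Assistant with the defaults
# derived from the hostname. Returns 0 only when both match.
check_defaults() {
    fqdn=$1; shown_realm=$2; shown_base=$3; rc=0
    if [ "$shown_realm" = "$(expected_realm "$fqdn")" ]; then
        echo "OK       realm $shown_realm"
    else
        echo "MISMATCH realm $shown_realm, expected $(expected_realm "$fqdn")"; rc=1
    fi
    if [ "$shown_base" = "$(expected_search_base "$fqdn")" ]; then
        echo "OK       search base $shown_base"
    else
        echo "MISMATCH search base $shown_base, expected $(expected_search_base "$fqdn")"; rc=1
    fi
    return $rc
}

# Live DNS round trip with dig(1): the hostname must resolve to an address,
# and that address must resolve back to the same name.
dns_roundtrip() {
    fqdn=$1
    command -v dig >/dev/null 2>&1 || { echo "SKIP     dig not available"; return 0; }
    addr=$(dig +short A "$fqdn" | head -n 1)
    [ -n "$addr" ] || { echo "FAIL     no A record for $fqdn"; return 1; }
    ptr=$(dig +short -x "$addr" | sed 's/\.$//')
    [ "$ptr" = "$fqdn" ] || { echo "FAIL     $addr reverses to '$ptr'"; return 1; }
    echo "OK       $fqdn -> $addr -> $ptr"
}
# Usage on the master-to-be: sh odcheck.sh "$(hostname -f)" REALM SEARCHBASE
if [ $# -eq 3 ]; then check_defaults "$1" "$2" "$3"; dns_roundtrip "$1"; fi
```

Any MISMATCH or FAIL line is the DNS warning the article describes; fix the server’s DNS records and hostname before continuing past step 8.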