Lion Server’s Role in an Open Directory Deployment
Lion Server can play different roles in Open Directory: a master, a replica, or a relay. Another role a Mac server can have is to simply connect, or bind, to a directory. When planning your network, think about which you’ll use.
Open Directory masters
An Open Directory master is the primary Open Directory server on the network. If you have a single Lion Server hosting a shared list of users and groups, it is an Open Directory master.
A master holds the read/write LDAP-compatible database and hosts the Kerberos Key Distribution Center (KDC) and the Open Directory Password Server database. The master is the only server in the domain that accepts changes to the LDAP directory; every other server carries a copy. In that respect an Open Directory master is analogous to the Primary Domain Controller (PDC) of a Windows NT-style domain.
Open Directory replicas
After the Open Directory master, you can add one or more Open Directory replicas: mirror servers that give you a distributed directory with redundancy and client failover. Each replica holds a read-only copy of the LDAP directory together with its own copy of the Password Server database and the Kerberos KDC, and it is synchronized periodically from the master (or, for a second-tier replica, from the relay above it).
If you want to change accounts in a domain, you must make the change on the master. Password database changes, such as a user changing their own password, are accepted by any Open Directory server in the domain, and background synchronization among all the Open Directory servers then carries the change across the domain. Because every replica therefore holds a copy of the Password Server database and the KDC, a replica needs the same protection as the master: compromising a replica exposes the same credentials.
Open Directory relays
You can deploy Open Directory servers in a topology sometimes referred to as a tree or nested approach. Each Open Directory master can have up to 32 replica servers. Additionally, each of these replica servers can have up to 32 replicas of its own. Thus, a theoretical limit of 1,057 Open Directory servers exists for a single domain:
1 master + 32 replicas + (32×32) nested replicas
When an Open Directory replica has its own replicas, that server is an Open Directory relay. A relay with additional replicas might be useful in a widely distributed network of client systems.
Open Directory replicas, including relays, that connect directly to the master are first-tier replicas. Replicas that connect to a relay are second-tier replicas.
A good example of an Open Directory relay is a school system with several buildings spread across a city or county. You would install an Open Directory relay and additional replicas in each school, while the Open Directory master stays at the school system's data center, where it can be physically secured.
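Before building a master/relay/replica layout like the one described above, it helps to check the plan against the limits in this section (one master, at most 32 replicas under any master or relay, and no more than two tiers). The following script is an added example and not part of the original text; the plan format (one "parent child" pair per line, master first) and the server names are constructed for illustration.

```shell
#!/bin/sh
# Validate a planned Open Directory topology: exactly one master (a server
# with no parent), at most MAX_REPLICAS children per master or relay, and at
# most two tiers (master -> relay -> second-tier replica).
MAX_REPLICAS=32

# Constructed plan for the school-system example; names are placeholders.
PLAN='master relay-north
master relay-south
master replica-dc2
relay-north replica-school1
relay-north replica-school2
relay-south replica-school3'

# Reads "parent child" pairs on stdin. Prints "ok" and returns 0 when the
# plan is within limits; otherwise prints one error per problem and returns 1.
validate_plan() {
  awk -v max="$MAX_REPLICAS" '
    { parent[$2] = $1; kids[$1]++; seen[$1] = 1; seen[$2] = 1 }
    END {
      masters = 0
      for (s in seen) if (!(s in parent)) masters++
      if (masters != 1) {
        print "error: expected exactly one master, found " masters; bad = 1
      }
      for (s in kids) if (kids[s] > max) {
        print "error: " s " has " kids[s] " replicas (max " max ")"; bad = 1
      }
      for (s in parent) {
        depth = 0; p = s
        # follow parent links up to the master; stop early on a cycle
        while ((p in parent) && depth < 10) { p = parent[p]; depth++ }
        if (depth >= 10) { print "error: cycle involving " s; bad = 1 }
        else if (depth > 2) {
          print "error: " s " is tier " depth " (only two tiers allowed)"; bad = 1
        }
      }
      if (bad) exit 1
      print "ok"
    }'
}

# Role of one server ($1) in the plan on stdin: master, relay, replica, or
# unknown. A relay is a replica that has replicas of its own.
role_of() {
  awk -v s="$1" '
    { parent[$2] = $1; kids[$1]++; seen[$1] = 1; seen[$2] = 1 }
    END {
      if (!(s in seen)) print "unknown"
      else if (!(s in parent)) print "master"
      else if (s in kids) print "relay"
      else print "replica"
    }'
}

# Tier of one server ($1): 0 for the master, 1 for first-tier replicas and
# relays, 2 for replicas that hang off a relay.
tier_of() {
  awk -v s="$1" '
    { parent[$2] = $1 }
    END { d = 0; p = s; while ((p in parent) && d < 10) { p = parent[p]; d++ } print d }'
}

# Usage: check the constructed plan and show what each school server is.
printf '%s\n' "$PLAN" | validate_plan
printf '%s\n' "$PLAN" | role_of relay-north
printf '%s\n' "$PLAN" | tier_of replica-school1
```

The plan is read from stdin so you can keep it in a file alongside your network documentation and re-run the check whenever a site is added. The depth check is what catches the mistake this section warns against: a replica of a second-tier replica would be a third tier, which Open Directory does not support.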
Server connected to a directory but not hosting one
You don't need Open Directory running on every server. Another role is to bind to an Open Directory domain instead of hosting one. You avoid the overhead of running directory services on that server, and users still get access to domain resources. This is the usual choice for a server that runs user services such as file sharing, e-mail, or Lion Server's wiki collaboration environment. Once the bound server has been added to the domain's Kerberos realm, its services can use Kerberos authentication as well. To connect a server to a directory, you bind it to the domain and add it to the Kerberos realm.
After you configure an Open Directory domain, other servers and client systems bind to it to reach the shared directory for authentication and authorization. Clients connect to the fastest-responding Open Directory server, judged by ping response time (the time a small packet takes to travel to the server and back). If the master or any replica fails, clients connect automatically to another Open Directory server in the domain with no interruption for the user. Keep in mind what failover does not cover: only the master accepts account changes, so while the master is down the domain still authenticates users but cannot take directory edits.
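The bind-and-verify procedure above, as an added example that is not part of the original text. It binds a Lion Server to an existing domain with dsconfigldap, then confirms that the domain node is actually in the authentication search policy, that LDAP answers a record lookup, and that the KDC issues a ticket. The hostname, realm and account names are placeholders; adding the server's own services to the Kerberos realm is not shown.

```shell
#!/bin/sh
# Bind a server that hosts no directory to an Open Directory domain and
# verify the result. Values below are assumptions for this example.
OD_SERVER="od.example.com"        # master or nearest replica to bind to
OD_NODE="/LDAPv3/$OD_SERVER"      # Directory Services node the bind creates
REALM="EXAMPLE.COM"               # Kerberos realm of the domain

# Authenticated bind with dsconfigldap(8): -a adds the server, -n names the
# configuration, -u/-p are a directory administrator so the domain records
# this computer rather than an anonymous bind.
od_bind() {
  dsconfigldap -v -a "$OD_SERVER" -n "$OD_SERVER" -u "$1" -p "$2"
}

# Turn the output of `dscl /Search -read / CSPSearchPath` into one node per
# line. dscl prints the attribute name, then each value on its own line.
parse_search_path() {
  sed -e 's/^CSPSearchPath://' | tr -s ' \t' '\n' | sed -e '/^$/d'
}

# Return 0 when node $2 appears in the dscl output $1, i.e. logins on this
# machine will consult the domain and not just the local directory.
node_in_search_path() {
  printf '%s\n' "$1" | parse_search_path | grep -qx "$2"
}

# Verify the bind end to end for user $1.
od_verify() {
  out=$(dscl /Search -read / CSPSearchPath) || return 1
  if ! node_in_search_path "$out" "$OD_NODE"; then
    echo "error: $OD_NODE is not in the authentication search policy" >&2
    return 1
  fi
  # A record read proves LDAP is reachable; kinit proves the KDC is.
  dscl "$OD_NODE" -read "/Users/$1" RecordName >/dev/null || return 1
  kinit "$1@$REALM" && klist
}

# Constructed sample of what dscl prints after a successful bind, used to
# exercise the parser without a directory server present.
SAMPLE_DSCL='CSPSearchPath:
 /Local/Default
 /LDAPv3/od.example.com'

# Usage on a real Lion Server (credentials are placeholders):
#   od_bind diradmin 'directory-admin-password' && od_verify jdoe
node_in_search_path "$SAMPLE_DSCL" "$OD_NODE" && echo "sample search path contains $OD_NODE"
```

The search-policy check matters more than it looks: a bind that succeeds but never lands in the search policy leaves the server authenticating against its local directory only, which is easy to miss when the local admin account still works.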