Specifications
Replicating Open Directory Services
Mac OS X Server supports replication of the LDAP directory service, the Open Directory
Password Server, and the Kerberos KDC.
By replicating your directory and authentication services you can:
• Move directory information closer to a population of users in a geographically distributed network, improving performance of directory and authentication services to these users.
• Achieve redundancy, so users see little disruption in service if a directory system fails or becomes unreachable.
One server has a primary copy of the shared LDAP directory domain, Open Directory
Password Server, and Kerberos KDC. This server is referred to as an Open Directory
master. Each Open Directory replica is a separate server with a copy of the master’s
LDAP directory, Open Directory Password Server, and Kerberos KDC.
A Mac OS X Open Directory server can have up to 32 replicas. Each replica can have
32 replicas of itself, providing you with 1,056 replicas in a two-tier hierarchy.
Access to the LDAP directory on a replica is read only. Changes to user records and
other account information in the LDAP directory can be made only on the Open
Directory master.
The Open Directory master updates its replicas when there are changes to the LDAP
directory. The master can update replicas every time a change occurs, or you can set
up a schedule so updates occur at regular intervals. The fixed schedule option is best
if replicas are connected to the master by a slow network link.
Passwords and password policies can be changed on any replica. If a user’s password
or password policy is changed on more than one replica, the most recent change
prevails.
The updating of replicas relies on the clocks of the master and replicas being in sync.
If replicas and the master have different times, updating could be arbitrary. The date,
time, and time zone information must be correct on the master and replicas, and they
should use the same network time service to keep their clocks in sync.
Avoid having only one replica on either side of a slow network link. If a replica is
separated from all other replicas by a slow network link and the one replica fails,
clients of the replica will fail over to a replica on the other side of the slow network
link. As a result, their directory services can slow markedly.
If your network has a mix of Mac OS X Server v10.4 and v10.5 or later, one version
can’t be a replica of a master of the other version. An Open Directory master of v10.5
or later won’t replicate to v10.4, nor will an Open Directory master of v10.4 replicate
to v10.5 or later:
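As an added example (not code from Apple's guide), the following Python check encodes the planning constraints described above for a proposed replication topology: the 32-replica fan-out per server, the two-tier limit, the v10.4 versus v10.5-or-later incompatibility, clock skew between each replica and the master, and a lone directory server on one side of a slow network link. The 5-second skew tolerance, the server names, sites and clock offsets are constructed assumptions, and the slow-link rule counts the master as a directory server on its own side of the link.

```python
from dataclasses import dataclass, field

MAX_REPLICAS_PER_SERVER = 32  # "up to 32 replicas" per server, as the text states
MAX_TIERS = 2                 # master -> replica -> replica is the two-tier limit
MAX_CLOCK_SKEW_S = 5.0        # assumed tolerance; the text only says clocks must be in sync

@dataclass
class Server:
    name: str
    version: str                 # "10.4", "10.5", ...
    site: str                    # network site; a pair of sites may be joined by a slow link
    clock_offset_s: float = 0.0  # constructed: seconds of offset from the shared time source
    replicas: list["Server"] = field(default_factory=list)

def same_generation(a: str, b: str) -> bool:
    """v10.4 and v10.5-or-later cannot replicate each other (from the text)."""
    old = lambda v: tuple(int(x) for x in v.split(".")) < (10, 5)
    return old(a) == old(b)

def validate(master: Server, slow_links: set[frozenset[str]]) -> list[str]:
    """Return the topology problems found; an empty list means the plan is clean."""
    problems: list[str] = []
    servers: list[Server] = [master]  # every directory server, master included
    def walk(server: Server, tier: int) -> None:
        if len(server.replicas) > MAX_REPLICAS_PER_SERVER:
            problems.append(f"{server.name}: {len(server.replicas)} replicas exceeds {MAX_REPLICAS_PER_SERVER}")
        for r in server.replicas:
            if tier + 1 > MAX_TIERS:
                problems.append(f"{r.name}: tier {tier + 1} exceeds the {MAX_TIERS}-tier limit")
            if not same_generation(r.version, master.version):
                problems.append(f"{r.name}: v{r.version} cannot replicate a v{master.version} master")
            if abs(r.clock_offset_s - master.clock_offset_s) > MAX_CLOCK_SKEW_S:
                problems.append(f"{r.name}: clock skew against the master exceeds {MAX_CLOCK_SKEW_S}s")
            servers.append(r)
            walk(r, tier + 1)
    walk(master, 0)
    # Slow-link rule: a lone server on one side of a slow link forces fail-over across it (assumption: master counts)
    for link in slow_links:
        for site in sorted(link):
            if sum(1 for s in servers if s.site == site) == 1:
                problems.append(f"site {site}: only one directory server on its side of slow link {sorted(link)}")
    return problems

def example_plan() -> list[str]:
    """Constructed plan: master plus a replica at HQ; a lone v10.4 replica with a drifting clock at a branch."""
    master = Server("od-master", "10.5", "hq")
    branch = Server("od-rep-branch", "10.4", "branch", clock_offset_s=42.0)
    master.replicas = [Server("od-rep-hq", "10.5", "hq"), branch]
    return validate(master, {frozenset({"hq", "branch"})})
```

Running example_plan() reports the version mismatch, the 42-second clock skew and the lone branch server, while the HQ side passes because the master and its local replica together give that side two directory servers.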
60 Chapter 4 Open Directory Planning and Management Tools