Specifications

Chapter 4 Open Directory Planning and Management Tools 71
If you must use an Open Directory server to manage users in another server's directory
domain, make sure the other directory domain is not part of the Open Directory
server's authentication search policy.
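The search-policy check described above, written out as an added example that is not part of Apple's guide: a POSIX shell script that reads the authentication search path in the format printed by `dscl /Search -read / CSPSearchPath` and fails if a node from the foreign domain (assumed here to be the Active Directory node `/Active Directory/All Domains`) appears in it. The `dscl` output is a constructed sample embedded inline so the check runs offline; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from Apple's Open Directory guide: check that a foreign
# directory node (assumed here to be an Active Directory node) is absent from
# an Open Directory server's authentication search policy.
#
# On a real server the search path comes from:
#   dscl /Search -read / CSPSearchPath
# The text below is a constructed sample so the check runs offline.

# Constructed sample of a search policy that wrongly includes an Active
# Directory node alongside the local and LDAPv3 (Open Directory) nodes.
SAMPLE_SEARCH_PATH='CSPSearchPath:
 /Local/Default
 /LDAPv3/127.0.0.1
 /Active Directory/All Domains'

# search_path_contains PREFIX
# Reads dscl-style search-path text on stdin. Handles both dscl layouts:
# nodes on the label line (used when no node name contains a space) and
# one node per line, indented by one space (used when any name does).
# Returns 0 if any listed node starts with PREFIX, 1 otherwise.
search_path_contains() {
    prefix=$1
    awk -v p="$prefix" '
        NR == 1 {
            # Label line; in the single-line form the nodes follow the label.
            sub(/^CSPSearchPath:[[:space:]]*/, "")
            n = split($0, node, " ")
            for (i = 1; i <= n; i++) if (index(node[i], p) == 1) found = 1
            next
        }
        {
            # Multi-line form: strip the leading indent and compare prefixes.
            sub(/^[[:space:]]+/, "")
            if (index($0, p) == 1) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# check_auth_search_policy FOREIGN_PREFIX
# Reads search-path text on stdin and prints a verdict. Returns 1 when the
# foreign node is in the authentication search policy (it must be removed),
# 0 when the policy is clean.
check_auth_search_policy() {
    if search_path_contains "$1"; then
        echo "WARNING: '$1' is in the authentication search policy; remove it"
        return 1
    fi
    echo "OK: '$1' is not in the authentication search policy"
    return 0
}

# Run the check on the constructed sample (prints the WARNING, exit status 1).
printf '%s\n' "$SAMPLE_SEARCH_PATH" |
    check_auth_search_policy "/Active Directory" || status=$?
```

On a real Open Directory server, replace the `printf` with `dscl /Search -read / CSPSearchPath` piped into `check_auth_search_policy`; a nonzero exit status means the foreign domain is in the authentication search policy and should be removed from it before the server is used to manage users in that domain.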
To further avoid a Kerberos configuration file conflict, don't use an Open Directory
server to provide services that access a different Kerberos server's directory domain.
For example, if you configure AFP file service to access Open Directory and Active
Directory, don't use an Open Directory server to provide the file service. Use another
server and join it to the Kerberos realm of one directory service or the other.
Theoretically, servers or clients can belong to two Kerberos realms, such as an Open
Directory realm and an Active Directory realm. Multiple-realm Kerberos authentication
requires very advanced configuration, which includes setting up the Kerberos servers
and clients for cross-realm authentication, and revising Kerberized service software so
it can belong to multiple realms.
If you want to configure your network to use one Kerberos realm that provides single
sign-on for two directory domains, such as an Active Directory domain and an Open
Directory domain, you can disable Kerberos on your Open Directory master and connect
it to the Active Directory domain.
The Active Directory Kerberos realm then serves both directory domains and any
Kerberized services, and users in either domain can use single sign-on authentication.
For more information about disabling Kerberos on an Open Directory master, see
"Disabling Kerberos After Setting Up an Open Directory Master" on page 99.
Improving Performance and Redundancy
You can improve the performance of Open Directory services by adding memory to
the server and having it provide fewer services. This strategy also applies to every
other service of Mac OS X Server. The more you can dedicate an individual server to a
specific task, the better its performance is.
Beyond that general strategy, you can also improve Open Directory server
performance by assigning the LDAP database to its own disk and the Open Directory
logs to another disk.
If your network includes replicas of an Open Directory master, you can improve
network performance by scheduling less-frequent updates of replicas. Updating less
frequently means the replicas have less up-to-date directory data, so you must strike a
balance between higher network performance and less accuracy in your replicas.
For greater redundancy of Open Directory services, set up extra servers as Open
Directory replicas or use servers with RAID sets.