Specifications

Chapter 4 Open Directory Planning 47
Replicating Open Directory Services
Mac OS X Server supports replication of the LDAP directory service, the Open Directory
Password Server, and the Kerberos KDC.
By replicating your directory and authentication services you can:
• Move directory information closer to a population of users in a geographically distributed network, improving performance of directory and authentication services to these users.
• Achieve redundancy, so that users see little disruption in service if a directory system fails or becomes unreachable.
One server has a primary copy of the shared LDAP directory domain, Open Directory
Password Server, and Kerberos Key Distribution Center (KDC). This server is called an
Open Directory master. Each Open Directory replica is a separate server with a copy of
the master’s LDAP directory, Open Directory Password Server, and Kerberos KDC.
Access to the LDAP directory on a replica is read only. All changes to user records and
other account information in the LDAP directory can be made only on the Open
Directory master.
The Open Directory master automatically updates its replicas with changes to the LDAP
directory. The master can update the replicas every time a change occurs, or you can
set up a schedule so that updates occur only at regular intervals. The fixed schedule
option is best if replicas are connected to the master by a slow network link.
Passwords and password policies can be changed on any replica. If a user's password or
password policy is changed on more than one replica, the most recent change prevails.
The updating of replicas relies on the clocks of the master and all replicas being in sync.
If replicas and the master have wildly different notions of time, updates could be applied
in a somewhat arbitrary order. The date, time, and time zone information needs to be correct on
the master and replicas, and they all should use the same network time service to keep
their clocks in sync.
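The following is a constructed model (not Apple's replication code) of the two points above: "most recent change prevails" resolution of a password-policy change made on two replicas, and how an unsynchronised replica clock lets the older change win. Server names, offsets and policy values are assumed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed model, not Apple's replication code: a password-policy change
# accepted on a replica is stamped with that replica's own clock.
@dataclass
class ChangeRecord:
    replica: str        # hypothetical server name
    local_time: float   # seconds, as read from that replica's clock
    value: str          # the new policy text

def resolve_latest(changes: List[ChangeRecord],
                   skew: Dict[str, float] = None) -> str:
    """'The most recent change prevails': pick the change with the latest
    timestamp. `skew` maps replica -> seconds its clock runs ahead of the
    shared time service; when omitted, raw local timestamps are compared,
    which is what happens when clocks are not kept in sync."""
    skew = skew or {}
    return max(changes, key=lambda c: c.local_time - skew.get(c.replica, 0.0)).value

def clock_skew_report(skew: Dict[str, float], tolerance: float) -> List[str]:
    """Servers whose clock offset from the shared time source exceeds tolerance."""
    return sorted(host for host, off in skew.items() if abs(off) > tolerance)

# Constructed scenario: replica-a's clock runs 120 s fast, replica-b is correct.
SAMPLE_SKEW = {"master": 0.0, "replica-a": 120.0, "replica-b": 0.0}

# True order of events: policy set to 8 on replica-a at t=100, then to 12 on
# replica-b at t=160. replica-a stamps its change 220 because of its skew.
SAMPLE_CHANGES = [
    ChangeRecord("replica-a", 100.0 + SAMPLE_SKEW["replica-a"], "minimum length 8"),
    ChangeRecord("replica-b", 160.0 + SAMPLE_SKEW["replica-b"], "minimum length 12"),
]

if __name__ == "__main__":
    # With unsynchronised clocks the older change wins: "minimum length 8"
    print("unsynchronised clocks ->", resolve_latest(SAMPLE_CHANGES))
    # With clocks corrected to the shared time source: "minimum length 12"
    print("synchronised clocks   ->", resolve_latest(SAMPLE_CHANGES, SAMPLE_SKEW))
    # Servers drifting beyond a 5 s tolerance: ['replica-a']
    print("servers out of tolerance:", clock_skew_report(SAMPLE_SKEW, 5.0))
```

Running the script shows the stale policy prevailing whenever a replica's clock is ahead by more than the interval between the two changes, which is why the text insists on one shared network time service for master and replicas.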
Replication in a Multi-Building Campus
A network that spans multiple buildings may have slower network links between
buildings than within each building. The network links between buildings may also be
overloaded. These conditions can adversely affect the performance of computers that
get Open Directory services from a server in another building. Accordingly, you may
want to set up an Open Directory replica in each building. Depending on need, you
may even want to set up an Open Directory replica on each floor of a multistory
building. Each replica provides efficient directory and authentication services to client
computers in its vicinity. The client computers do not have to make connections with
an Open Directory server across the slow, crowded network link between buildings.
LL2352.Book Page 47 Friday, August 22, 2003 3:12 PM