Open Directory Programming Guide
Networking > Mac OS X Server
2007-01-08
Apple Inc.
© 2007 Apple Inc. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in

ASSUMING THE ENTIRE RISK AS TO ITS QUALITY AND ACCURACY. IN NO EVENT WILL APPLE BE LIABLE FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES RESULTING FROM ANY DEFECT OR INACCURACY IN THIS DOCUMENT, even if advised of the possibility of such damages. THE WARRANTY AND REMEDIES SET FORTH ABOVE ARE EXCLU
Contents

Introduction 7
  Organization of This Document 7
  See Also 7

Chapter 1 Concepts 9
  Open Directory Overview 9
  Nodes 10
  Search Policies and Search Nodes 12
  Record Types 12
  Standard Attribute Types 14
  Native Attribute Types 15
  Authentication 15
  Directory Proxy 21
  Open Directory, lookupd, and NetInfo 22
  Directory Service Command Line Utility 24
  Debugging 24

Chapter 2 Working with Nodes 25
  Listing Registered Nodes 25
  Finding a Node 27
  Opening and Closing a Node 28
CONTENTS 4 2007-01-08 | © 2007 Apple Inc. All Rights Reserved.
Figures, Tables, and Listings

Chapter 1 Concepts 9
  Figure 1-1 Flow of an Open Directory request 10
  Figure 1-2 An Open Directory request over a network 11
  Figure 1-3 lookupd and NetInfo interaction when using SSH 23
  Figure 1-4 lookupd, NetInfo, and Open Directory interaction when using SSH 23
  Table 1-1 Standard record types 13
  Table 1-2 Standard attribute types 14

Chapter 2 Working with Nodes 25
  Listing 2-1 Listing registered nodes 25
  Listing 2-2 Finding the node for a pathname 27
  List
Introduction

This manual describes the Open Directory application programming interface for Mac OS X v10.4. Open Directory is a directory service architecture whose programming interface provides a centralized way for applications and services to retrieve information stored in directories. The Open Directory architecture consists of the DirectoryServices daemon, which receives Open Directory client API calls and sends them to the appropriate Open Directory plug-in.

Organization of
See Also
Chapter 1 Concepts

Open Directory is a directory service architecture whose programming interface provides a centralized way for applications and services to retrieve information stored in directories. Often, the information that is being sought is configuration information stored in a NetInfo database or in flat files, with each file having its own record format and field delimiters. Examples of configuration information include users and groups (/etc/passwd and /etc/group), and automount inform
Figure 1-1 Flow of an Open Directory request (an Open Directory client sends a request to the DirectoryServices daemon, which passes it to the Open Directory plug-ins; the response returns along the same path)

The Open Directory programming interface identifies the basic features that are common to many directory services and provides the functions necessary to support the development of high-quality applications that can work with a wide range of dissimilar directory services.

Nodes

From the viewpoint of Open Directory, a directory service is a coll
Figure 1-2 An Open Directory request over a network (on the local system, an Open Directory client, the DirectoryService daemon, an LDAP plug-in, and a NetInfo plug-in; remote systems public.example.com and private.example.com hosting the Publications, Marketing, and Engineering nodes; the request and response travel over a service-specific protocol across the Internet or intranet)

Given the topology shown in Figure 1-2, the Open Directory function for listing registered nodes (dsGetDirNodeList) might return the following list: /NetInfo/root/AppleMarketing
Note: An Open Directory plug-in is not required to return information that conforms exactly to the information that the directory service maintains. A plug-in can generate information “on the fly.” In addition, a plug-in may not return information about certain nodes; the plug-in's behavior in this respect can be configurable.

Search Policies and Search Nodes

A search policy defines the locations that are to be searched and the order in which those locations are searched in o
Table 1-1 Standard record types

Constant                          Description
kDSStdRecordTypeUsers             Standard record for describing users
kDSStdRecordTypeGroups            Standard record for describing groups
kDSStdRecordTypeMachines          Standard record for describing machines
kDSStdRecordTypeHosts             Standard record for describing hosts
kDSStdRecordTypePrinters          Standard record for describing printers
kDSStdRecordTypeNetworks          Standard record for describing records in the networks file
kDSStdRecordTypeServices          Stan
Constant                          Description
kDSStdRecordTypePrintServiceUser  Standard record for storing quota usage for a user in the local node
kDSStdRecordTypeBootp             Standard record for storing bootp information
kDSStdRecordTypeNetDomains        Standard record for storing net domains
kDSStdRecordTypeEthernets         Standard record for storing Ethernets
kDSStdRecordTypeNetGroups         Standard record for storing net groups
kDSStdRecordTypeHostServices      Standard record for storing host services

Standard Attribute T
Constant                          Description
kDS1AttrPort                      Standard attribute for storing the port number at which a service is available; commonly found in kDSStdRecordTypeAFPServer, kDSStdRecordTypeFTPServer, kDSStdRecordTypeLDAPServer, kDSStdRecordTypeWebServer, and other service discovery records
kDSNAttrGroupMembership           Standard attribute for storing group memberships
kDSNAttrAuthenticationAuthority   Standard attribute for storing authentication authorities; commonly found in records of type kD
■ Kerberos Version 5 authentication, which is used to authenticate users to Kerberos v5 systems. For more information, see “Kerberos Version 5 Authentication” (page 19).
■ Disabled User authentication, which prevents any authentication from taking place. For more information, see “Disabled User Authentication” (page 20).

Note: For compatibility with previous versions of Mac OS X, user records that do not have an authentication authority attribute are authenticated using Ba
an appropriate network-based authentication method, such as CRAM-MD5, APOP, NT, LAN Manager, DHX, or Web-DAV Digest. Note that the Password Server’s administrator may disable some authentication methods in accordance with local security policies.

The authority data field must contain two strings separated by a single colon (:) character. The first string begins with a SASL ID. The SASL ID is provided to the Password Server to identify who is attempting to authenticate. Apple’s
Local Windows Hash Authentication

The Local Windows Hash authentication type was used on Mac OS X v10.2 in combination with Basic authentication, but its use is superseded by Shadow Hash authentication in this version of Mac OS X. With Local Windows Hash authentication, hashes for NT and LAN Manager authentication are stored in a local file that is readable only by root. The local file is updated to contain the proper hashes when the password changes. This authentication type
Local Cached User Authentication

Local Cached User authentication is used for mobile home directories. The authority data field must be present. Its format is

DSNodename:DSRecordname:DSGUID

where the colon (:) character delimits the three individual strings. All three strings are required. The first string is any valid node name in UTF-8 format. The second string is any valid record name in UTF-8 format. The third string is any valid generated unique identifier (GUID)
Disabled User Authentication

The Disabled User authentication is used to indicate that an account has been disabled. The complete previous authentication attribute value is retained in the authority data field and is enclosed by left and right angle brackets. If the authority data field is absent, Basic authentication is assumed. Here are some examples of properly formed authentication authority attribute values for Disabled User authentication:

;DisabledUser;;ShadowHash;
;Dis
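The Password Server, Local Cached User, and Disabled User sections above each describe a piece of the authentication authority value format: a tag, then an authority data field whose layout depends on the tag, with a record that lacks the attribute falling back to Basic authentication. The following parser is an added example written for this page; it is not code from Apple's guide or from the DirectoryService framework. It assumes the ";tag;data" layout that the guide's own examples (";DisabledUser;;ShadowHash;") show, and it assumes the tag spellings ApplePasswordServer, LocalCachedUser, and basic, which come from the DirectoryService headers rather than from the visible text. The sample values are constructed for illustration and do not describe real accounts.

```python
# Added example (not Apple's code): parse kDSNAttrAuthenticationAuthority
# values of the form ";tag;data" and validate the per-tag data layouts the
# Open Directory Programming Guide describes.
from dataclasses import dataclass, field
from typing import Dict, Optional

TAG_BASIC = "basic"                          # assumption: spelling from DirectoryService headers
TAG_SHADOW_HASH = "ShadowHash"               # shown in the guide's example
TAG_DISABLED_USER = "DisabledUser"           # shown in the guide's example
TAG_PASSWORD_SERVER = "ApplePasswordServer"  # assumption: spelling from DirectoryService headers
TAG_LOCAL_CACHED_USER = "LocalCachedUser"    # assumption: spelling from DirectoryService headers


@dataclass
class AuthAuthority:
    version: str                      # text before the first ';' (normally empty)
    tag: str                          # authentication type, e.g. ShadowHash
    data: str                         # raw authority data field ('' if absent)
    fields: Dict[str, str] = field(default_factory=dict)
    retained: Optional["AuthAuthority"] = None  # DisabledUser: the value kept from before


def parse_auth_authority(value: Optional[str]) -> AuthAuthority:
    """Parse one authentication authority attribute value.

    A record with no attribute (None or '') authenticates with Basic
    authentication, per the compatibility note in the guide.
    """
    if not value:
        return AuthAuthority(version="", tag=TAG_BASIC, data="")
    parts = value.split(";", 2)
    if len(parts) < 2 or not parts[1]:
        raise ValueError("malformed authentication authority: %r" % value)
    version, tag = parts[0], parts[1]
    data = parts[2] if len(parts) == 3 else ""
    auth = AuthAuthority(version=version, tag=tag, data=data)

    if tag == TAG_LOCAL_CACHED_USER:
        # DSNodename:DSRecordname:DSGUID; all three strings are required.
        pieces = data.split(":")
        if len(pieces) != 3 or not all(pieces):
            raise ValueError("LocalCachedUser needs node:record:GUID, got %r" % data)
        auth.fields = dict(zip(("node", "record", "guid"), pieces))

    elif tag == TAG_PASSWORD_SERVER:
        # Two strings separated by a single colon; the first begins with a SASL ID.
        # The guide's description of the second string is cut off on this page,
        # so it is exposed unnamed.
        pieces = data.split(":")
        if len(pieces) != 2 or not all(pieces):
            raise ValueError("ApplePasswordServer needs exactly two strings, got %r" % data)
        auth.fields = {"sasl_id_string": pieces[0], "second_string": pieces[1]}

    elif tag == TAG_DISABLED_USER:
        # The previous value is retained in the data field. The guide says it is
        # enclosed in angle brackets, but its example shows none, so accept both.
        inner = data
        if inner.startswith("<") and inner.endswith(">"):
            inner = inner[1:-1]
        auth.retained = parse_auth_authority(inner)  # '' -> Basic, as the guide states
    return auth


def is_disabled(auth: AuthAuthority) -> bool:
    """True if no authentication should take place for this record."""
    return auth.tag == TAG_DISABLED_USER


def retained_method(auth: AuthAuthority) -> Optional[str]:
    """For a disabled account, the tag it used before being disabled."""
    return auth.retained.tag if auth.retained else None


# Constructed sample values (not real accounts).
SAMPLES = [
    ";ShadowHash;",
    ";DisabledUser;;ShadowHash;",
    ";DisabledUser;",
    ";LocalCachedUser;/LDAPv3/ldap.example.com:jdoe:A1B2C3D4-0000-1111-2222-333344445555",
    ";ApplePasswordServer;0x4a1e3f2c9d8b7a65,1024 35 1234567:192.0.2.10",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        parsed = parse_auth_authority(sample)
        state = "disabled" if is_disabled(parsed) else "active"
        print(parsed.tag, state, parsed.fields, retained_method(parsed))
```

The parser only validates shape, which is the point when auditing a directory: a DisabledUser value whose retained data is empty silently means Basic, and a LocalCachedUser value with a missing GUID is malformed rather than merely incomplete, so both are worth flagging explicitly instead of treating every value with a recognizable tag as good.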