Can Open Directory be used enterprise wide?

January 15, 2010

A few years ago, before I started at my employer, a project was started for an enterprise-wide Open Directory setup. Each business unit within the university has a decent number of Macs that were mostly unmanaged. The project passed governance and a budget was set aside to fund the implementation. This was back in the Tiger days and, for some reason, everyone involved decided to wait for Leopard to be released. In the meantime, I had a Tiger OD setup running so we could manage a handful of classrooms that needed it.

When we were ready to get the project going again, well after Leopard's release, I built an evaluation OD setup and kicked it around a bit. Apple had added a great new (at the time) feature that allows computer groups to be members of other computer groups, and computers to be members of multiple computer groups. However, because of this, there is no feasible way to manage delegated administration. Computer group nesting is nothing like Active Directory OUs: there is no hierarchical structure, so there is no subtree to scope an admin to. Tiger Server, by contrast, could give an admin control over only certain computer lists. The change in Leopard meant that if someone needs to manage preferences, add computer accounts, or do anything else involving computer groups, that admin has to be given full domain admin rights.
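To make the delegation problem above concrete, here is an added illustration (not Apple's code, and not the script mentioned later in this post) that models Leopard-style computer groups as a graph in which groups nest and a computer can sit in several groups. The group and computer names are constructed; the point is that a "manage this group and everything under it" scope, which is well defined for a tree of OUs, overlaps with other scopes as soon as a group or computer has more than one parent.

```python
# Added example, not part of the original post. All group/computer names are constructed.
from collections import deque

# Leopard-style data: a group may nest several groups, and a computer may
# belong to several groups, so membership forms a DAG, not a tree like AD OUs.
NESTED_GROUPS = {
    "campus":      ["science", "library"],
    "science":     ["chem-lab", "bio-lab"],
    "library":     ["public-kiosks"],
    "shared-labs": ["chem-lab"],              # chem-lab has two parents
}
COMPUTER_GROUPS = {
    "mac-101": ["chem-lab"],
    "mac-202": ["bio-lab", "public-kiosks"],  # one computer, two groups
    "mac-303": ["public-kiosks"],
}

def groups_under(root):
    """Transitively resolve every group nested under root (root included)."""
    seen, queue = set(), deque([root])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(NESTED_GROUPS.get(g, []))
    return seen

def computers_under(root):
    """Computers that would fall inside an admin scope rooted at root."""
    scope = groups_under(root)
    return {c for c, gs in COMPUTER_GROUPS.items() if scope & set(gs)}

def delegation_overlaps(delegations):
    """Given {admin: root_group}, return computers reachable from more than
    one admin's scope. With disjoint subtrees of a tree this is always empty;
    with nesting and multi-membership it is not, which is why a per-group
    delegation model cannot be made airtight here."""
    owners = {}
    for admin, root in delegations.items():
        for c in computers_under(root):
            owners.setdefault(c, set()).add(admin)
    return {c: sorted(a) for c, a in owners.items() if len(a) > 1}

if __name__ == "__main__":
    print(delegation_overlaps({"alice": "science", "bob": "shared-labs", "carol": "library"}))
```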

In our non-centralized environment, this wouldn't work. I came to the conclusion that Apple did not design Open Directory for the enterprise. Apple's typical target market is K-12 and departments within an enterprise (higher education or corporate). We all throw out statements like "if Apple wants to compete in the enterprise, they need to do…". Apple is not an enterprise company, and they don't pretend to be. Apple makes assumptions about how their customers will use their products. In the case of OD, they assume the IT departments involved are either small and localized, or centralized, and that everyone works well together.

Often, enterprises that implement Macs try to bend Apple's server offerings to fit their environment, then complain to Apple when it doesn't bend the way they think it should. This is especially true in higher education, where the customers (faculty and staff) get to choose their platform. Many are going to choose Macs, and it is our job to do what we need to do in order to manage them. In the case of OD, it's just not something that can easily be centralized unless you're willing to give every admin the equivalent of domain admin. Could you imagine doing that with Active Directory?

So everyone involved decided not to use a central offering. We have recently implemented OD in our area and it's working really well for us for the most part. Delegation is still an issue, as we don't want everyone to be a domain admin, but I've developed some methods for computer accounts to be added without granting admin rights on the domain. Stay tuned, I'll be posting that script soon.

How have you implemented OD in your environment? Have you centralized, or localized?


One Response to Can Open Directory be used enterprise wide?

  • Jaime Gago says:

    I work for a PK-12 institution so my case is a little different. When I arrived at French American School in 2005 there were no directory services, no groupware for the academic side, and all the machines were Macs.
    At that time it was 10.4 and the school had a brand new X Serve that was sitting alone in the server room. Seeing that the SysAdmin knowledge was limited to basic Windows skills, I started to read Apple docs while having in mind to reproduce the setup I had in my previous 100% Windows position (PDC, replicas, GPOs, etc).
    Even though we had a w2k3 server at that time, the "Magic Triangle" was still having some glitches here and there; since I was basically starting from scratch I went for the most stable and easiest way (keep it simple, stupid…): a full OS X design.
    Long story short, now I manage about 350+ Macs, 1000+ students, 100+ teachers in 2 locations, with 3 X Serves and 2 Vtraks, everything via OD.
    I am the only Apple Sys Admin so I don't have any problem with admin levels; however, while it's true that computer management delegation is lacking, Apple fixed user management admin levels, which is imho more important.
    While I understand your wording about the "Domain", it tends to be misleading, as you are referring to a Windows Server concept in an OS X Server article.

    Maybe Apple didn't think of OS X Server for businesses, but then, with their shipping so much Open Source software and with the Unix-based kernel, at least you get better security, stability and flexibility than this other totally closed OS, so which OS is the more business-oriented then?
    Isn't the fact that you have been able to script, at no cost except that of the required HR, and tap into OD for your custom management needs a proof of a business-oriented system?

    Serious SaaS companies use Unix/Linux servers for the core of their data centers (e.g. Google); when a business needs to manage Apple computers they should get an X Serve, which has learned to play nice with its friends in the server rack.
    The real scalable and flexible technologies out there are not AD nor OD, they are the embedded open ones (i.e. LDAP, Kerberos, etc).

    You can't make a generalization like the one in your post (I mean you can, it's your blog =D) without more rigor… What kind of businesses? How many computers? How many users? How many locations? What are the HR needs? Et cetera, et cetera.

    I guess I don't have to say by now that I disagree with your underlying message implying that Windows Server is more adapted to businesses than OS X Server.
    It might be that *you* need to have a mixed server environment, but stating that "Apple did not design Open Directory for the enterprise" just because of it is kind of bold, isn't it?

    It's true that Windows is still the most used OS out there and so IT guys need AD, but that doesn't mean AD is the most adapted tool for businesses, it's just the monopoly way…

    By the way, no, not all of us are saying "if Apple wants to compete in the enterprise, they need to do…", I don't at least ;-P.

    Hey, don't get mad; it's always nice to get comments, and criticism is what makes us move forward!
