其实,在OS X Tiger 10.4中,原来有两个应用程序一个叫NetInfo,一个是Directory Access一个主要用于管理本地用户的,另一个用来设置绑定网络Directory服务的,这次的Directory Utility是把这两个的功能合并了。
还有其他的一些相关文章和具体命令使用的文章,相继贴过来,以备查用。
用户要 注意的是,虽然从本文介绍的来说Leopard绑定AD要比Tiger容易了很多,但是其实依然还有好多问题目前还有待解决,用户很可能需要作一些workaround的工作。
注:其中的图片和两行代码显示是我加入的。
While the general Mac user community is ooh-ing and ahh-ing over Mac OS X 10.5 features like Time Machine, or opining about the new Dock, Stacks, et al, those of us who support Mac users are deep into learning about one of the biggest below-the-hood changes to happen in any version of Mac OS X: The end of Netinfo.
When I say “end,” I mean it in the most “end-ish” sense. In Mac OS X 10.5, Netinfo is gone. Not “deprecated,” not “hidden away for only the most advanced users.” It’s gone. Deleted. It does not exist. No more Netinfo database, no more Netinfo Utilities such as nicl, no more Netinfo Manager. The entire structure for managing local users, groups, and other such things has been completely replaced by local Directory Services, and the Netinfo Database is now a series of XML files living in /var/db/dslocal/.
Netinfo is—well, was —a directory service used for user and computer management. Originally created for NeXTStep, Netinfo was able to
manage not only individual machines, but entire networks. Its biggest problem was that the rest of the world turned to LDAP for doing the same thing.
Why is the end of Netinfo such an important change? Because when it came to managing local users and groups—that is users you created on your Mac, or network accounts that were mapped to local accounts (a.k.a. mobile accounts)—Netinfo handled all that. When you created a new user in System Preferences, that was all just a nicer interface into Netinfo. When you enabled sharing on your Mac, managing access to shares was handled by Netinfo. Now, it’s all done by Directory Services.
This may seem like a sudden change to some, but the truth is, Apple’s been actively easing Netinfo out of the picture since Mac OS X 10.2. Starting with that release, and continuing into Mac OS X 10.4, Netinfo was reduced from the primary mechanism for managing not just local users and groups, but entire network directories, ala Microsoft’s Active Directory or Novell’s eDirectory, to being only used for local user management. With Mac OS X 10.5, that easing out is complete.
So what does this mean? Well to the average user—whatever that means anymore—not much. The things you used to manage users, file sharing, and so forth are all still there—they just talk to different plumbing. There are some new features in those areas in Mac OS X 10.5, such as the “Advanced Options” in Accounts in System Preferences that allow you to configure a user’s home directory, login shell, add/remove login aliases, and so forth; you used to have to go to Netinfo Manager for these. There’s also the new ability to share any folder on your hard drive, but that could have been done with Netinfo too. The real changes here are in other areas
The most obvious change for most is the death of the Netinfo database. With Mac OS X 10.5, all the Netinfo database information are in a series of plist files in /var/db/dslocal/ under nodes/Default/. Within there, you see a set of directories:
bash-3.2# ls -l Default/
total 0
drwx------ 10 root wheel 340 Oct 11 19:30 aliases
drwx------ 2 root wheel 68 Nov 3 10:15 computers
drwx------ 10 root wheel 340 Nov 13 14:56 config
drwx------ 72 root wheel 2448 Nov 13 08:49 groups
drwx------ 4 root wheel 136 Oct 11 19:30 machines
drwx------ 3 root wheel 102 Oct 11 19:30 networks
drwx------ 44 root wheel 1496 Nov 13 14:11 users
Note: the above two lines is added by Tony Liu, Nov 18, 2008
Within each of these is a set of plist files where the data for that directory is kept, so in users/, there’s one plist per user, in groups/, one plist per group, and so on. Looking at the entry for the “staff’ group in staff.plist, (staff is the default group for all local users you create in Mac OS X), we see the following:
bash-3.2# cat staff.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>generateduid</key> <array> <string>ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014</string> </array> <key>gid</key> <array> <string>20</string> </array> <key>name</key> <array> <string>staff</string> </array> <key>passwd</key> <array> <string>*</string> </array> <key>realname</key> <array> <string>Users</string> </array> <key>smb_sid</key> <array> <string>S-1-5-32-545</string> </array> <key>users</key> <array> <string>root</string> <string>tempadmin</string> <string>jwelch</string> </array> </dict> </plist>
It’s pretty easy to decipher. You have a UUID, or Universally Unique Identifier, a unique number that identifies the group outside of conventional Unix group IDs. You have the GID (or Group ID), the Unix group identifier number, the name of the group, the password for the group, (in this case, there isn't one), the realname (or the more human friendly name), a sid number used for windows file sharing, and then a list of users in this group, including my own, jwelch. If you go looking through all the other plists, they all look like this, more or less.
But so what? Why does anyone care about this stuff? Well, for one, these are all text xml files. You can view or edit them in anything that can handle text files, from Apple’s own Text Edit and Property List Editor, to BBEdit, to Emacs or vi. You don’t need a special database 
application to view or work with these files. This makes them more easily maintainable and fixable. It also makes it easier for network administrators to manage local-only accounts on their network. The XML structure of these files makes it easier to integrate the data they contain into various kinds of user management tools, since almost everything out there, commercial and home-built can handle XML data.
Network administrators trying to manage Mac laptops on directories also benefit from the elimination of Netinfo. Prior to Mac OS X 10.5, binding a laptop to a directory was a painful process. Because of the way directory services worked in Mac OS X 10.4 and earlier, if your laptop was bound, or attached to a directory service, and you had to boot up or log in when you couldn’t see the network that directory service was on, you were in a world of pain, and would probably never actually log in, or get anything done. There were a few workarounds, but it was all very wonky, due to how Netinfo and its associated processes—in particular, lookupd—worked. With Mac OS X 10.5, all that is fixed, and now you can have a laptop bound to a directory, and it just works.
For those of you wondering what command line utilities you use, now that all the ni* utilities and lookupd are gone, it’s pretty simple. For general needs, you use dscl. If you want to see what group a user or another group are a member of, or check user/group UUIDs, you use dsmemberutil. To edit, create, manipulate, or delete groups, you use dseditgroup. To work with various Directory Service caches, including LDAP and DNS, you use dscacheutil. Finally, to enable root, you use dsenableroot.
The removal of Netinfo from Mac OS X is a major change from both the operational and historical perspectives. But in end, I think it’s one that was long in coming, and it will make Mac OS X much nicer to deal with from the administrator point of view—something that will aid Apple as it continues to establish a greater presence in the business world.
[ John C. Welch is a Unix/Open Systems Administrator for Kansas City Life Insurance and a long-time Mac IT pundit. ]
原文链接: http://blog.csdn.net/afatgoat/article/details/3332017