Since we're talking about Directory, does anyone know where to find some good documentation on this nifty little app?
The Help menu is the best I've found so far. There are a couple
references to the Directory app from, I believe, the web technologies
PDF, but that's about all I've found so far (to be fair, I have not
read ALL the PDFs, just the ones that appear relevant). Directory
definitely deserves its own entire manual, if only because many of
the intended users are not administrators and so shouldn't be
expected to read the other server docs. The biggest thing I see
missing is sort of an overall positioning document, describing what
Directory app is, how you use it, and perhaps outlining some typical
use cases with examples. The built-in Help does a decent job at this,
but there is room for something more expository.
The short version: Directory app is for creating and modifying
records in a shared directory. The records you create or modify may
be of type: user, group, location, resource, where 'resource' is an
open-ended provision for any resource (e.g. projector) that needs a
directory entry so that it can be looked up / scheduled, in a
calendaring context. Though Directory has some overlap with workgroup
manager, there are several important differences. WGM is more for
managing directory data from a technical administrative perspective,
whereas Directory is much more about workflow and end-user
friendliness, fully intended to be used by non-administrators.
Directory is an interesting app, but the extreme utility it provides
may not be readily apparent at first glance, so here are a few
highlights from my perspective.
It's interesting to see that OD bound clients can add groups which show up as normal groups in WGM. This is for non-administrative client connections too. Seems like some kind of security hole, but then I don't have a wealth of info on Directory.
This is actually a huge, HUGE feature, and represents a very large
step towards enabling self-service on the part of directory services
users. For example, the following dialog never has to happen in Leopard:
User: "Hey Mr. Bearded Network Administrator Guy? Yes, it's me again.
I need a new group called ClickHarder, and I'm faxing you a list of
people who need to be added. A new conference room is being built for
that group, and they'll be needing to book it often using iCal
Server. Also, we need to make sure that I approve all uses of that
room, so that it's not first-come first-serve. Finally, I'd like to
allow other users to add themselves to the group without my
intervention."
Mr. Bearded Network Admin Guy: <big sigh, this is the 4th time this
week!> "I'll get right on that! Just need to put more paper in my fax
machine..."
So prehistoric :) Now the user would do all that stuff by himself
using Directory, which means less work on the part of the admin, and
probably faster turnaround for the user. And of course, fewer dead
trees.
The ability to create new group records requires an authenticated
connection, so presumably there is a paper trail on who is doing the
creating. In any case, you'd have to be a mighty fast clicker to do
any sort of damage to the directory services just by creating
groups... I know that OpenLDAP does ok with 100k+ user records, so...
yeah, I don't think it's a huge problem. Namespace squatting might be
a problem, though ;) I'm sure some enterprising individual will
figure out how to use the DS API to script the creation of eleventy
billion records at once, and release it as FunkBomb or something...
but I feel reasonably sure that any decently monitored server would
alert its administrator well before things went really wrong. Even
if the creator identity is not logged by default, enable logging of
that data, restart the ldap service, identify the user, disable their
account, done deal.
Getting back to groups for a second, I did find one somewhat odd
thing: Directory allows you to set a group owner, which is stored as
an attribute (OwnerGUID) of the group record. The group owner is
allowed to edit membership of the group using Directory, but not WGM.
However, the 'owner' bit is only settable from Directory, and NOT
from WGM. Even though WGM has no UI for this bit, at least the
attribute is preserved when exporting / importing users, as those
operations work on a record-by-record basis, and include all valid
attributes in the record.
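As an added example (not from the original thread), here is the "identify the user" step from the bulk-creation scenario above, run over a constructed OpenLDAP stats-style log excerpt: the BIND on a connection names the user, and each successful ADD under the groups container on the same connection is attributed to that user, so whoever scripted a pile of group records stands out. The log format, DNs and threshold are assumptions, not values from the post.

```python
import re
from collections import defaultdict

# Constructed OpenLDAP stats-style log excerpt (not from a real server). A BIND
# names the user on a connection; later ADDs on that conn are attributed to it.
SAMPLE_LOG = """\
conn=1001 fd=14 ACCEPT from IP=10.0.0.12:49152 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=alice,cn=users,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 ADD dn="cn=clickharder,cn=groups,dc=example,dc=com"
conn=1001 op=1 RESULT tag=105 err=0 text=
conn=1002 fd=15 ACCEPT from IP=10.0.0.40:49201 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="uid=bob,cn=users,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
conn=1002 op=1 ADD dn="cn=funk0001,cn=groups,dc=example,dc=com"
conn=1002 op=1 RESULT tag=105 err=0 text=
conn=1002 op=2 ADD dn="cn=funk0002,cn=groups,dc=example,dc=com"
conn=1002 op=2 RESULT tag=105 err=0 text=
conn=1002 op=3 ADD dn="cn=funk0002,cn=groups,dc=example,dc=com"
conn=1002 op=3 RESULT tag=105 err=68 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
ADD_RE = re.compile(r'conn=(\d+) op=(\d+) ADD dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)')


def attribute_group_adds(log_text, groups_container="cn=groups"):
    """Map each bind DN to the group DNs it created successfully (err=0);
    ADDs wait for their RESULT so failed creations (err=68 here) don't count."""
    bound = {}                 # conn id -> bind DN
    pending = {}               # (conn, op) -> group DN awaiting its RESULT
    created = defaultdict(list)
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            bound[m[1]] = m[2]
        elif m := ADD_RE.search(line):
            if f",{groups_container},".lower() in m[3].lower():
                pending[(m[1], m[2])] = m[3]
        elif m := RESULT_RE.search(line):
            dn = pending.pop((m[1], m[2]), None)
            if dn is not None and m[3] == "0":
                created[bound.get(m[1]) or "<anonymous>"].append(dn)
    return dict(created)


def flag_bulk_creators(created, threshold):
    """Bind DNs that created more than `threshold` groups in the excerpt."""
    return sorted(dn for dn, groups in created.items() if len(groups) > threshold)
```

On a real server the same correlation needs the stats log level enabled (the "enable logging of that data" step) and a rotation window long enough to cover the burst.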