More complex hierarchies – Apple Mac OS X Server (Administrator’s Guide) User Manual

Directory Services

81

More Complex Hierarchies

Open Directory also supports multilevel domain hierarchies. Complex networks with large
numbers of users may find this kind of organization useful, although it’s much more complex
to administer.

In this scenario, an instructor defined in the Campus domain can use Mac OS X computers on
which any of the local domains reside. A student defined in the Students domain can log in to
any Mac OS X computers that are below the Graduates domain or Undergraduates domain.

A directory domain hierarchy affects which Mac OS X computers can see particular
administrative data. The “subtrees” of the hierarchy essentially hide information from other
subtrees in the hierarchy. In the education example, computers using the subtree that
includes the Graduates domain do not have access to records in the Undergraduates domain.
But records in the Campus domain are visible to any computer.

Directory domain visibility depends on the computer, not the user. So when a user logs in to
a different computer, administrative data from different directory domains may be visible to
that computer. In the education scenario described here, an undergraduate can log in to a
graduate student’s computer if the undergraduate’s user record resides in the Students
domain. But the devices that are defined in the Undergraduates domain are not visible unless
they are also defined in the Graduates, Students, or Campus domain.

Employees

domain

Students

domain

Campus domain

Undergraduates

domain

Graduates

domain

Faculty

domain

Local domains on Mac OS X clients or servers