Not Just Another Leopard Review
Everyone else weighed in on launch day. Our Apple expert John C. Welch actually took the time to put Mac OS X 10.5 through its paces. Here's his deep Leopard technical dive.
There's not much in Leopard that you could call new, as in never seen before. What I see instead is what I call a revolution of evolution. There are many things that suddenly work better than ever before, or just more efficiently, or, in some cases, finally work properly. None of this is new, per se, but it's the product of years of hard, diligent work by the development teams at Apple.
Unlike Microsoft, which backed itself into a corner with the numerous delays on Windows Vista, Apple has been on a fairly disciplined release schedule. While the two-odd years between Mac OS X 10.4 and Leopard is the longest period between releases we've had in the history of Mac OS X, Apple didn't have to make everything look new to satisfy discriminating users.
With this in mind, I'm going to focus this article on the changes in Leopard that will make my life as a sysadmin and user easier and better. Some of these changes will be the ones you've heard about; others, not so much.
Netinfo is Dead
By dead, I mean gone. Doesn't exist. No legacy mode. No "just there for pre-existing accounts." It's dead; all the ni* utilities are gone. The Netinfo databases in /var/db are gone, too. So is the lookupd process.
What has taken its place? Directory Services, and, specifically, the DirectoryService and related processes.
While Netinfo was, for its time, a really solid system, it had a number of issues that made it unable to fit well in a modern computing environment. Were these issues fixable? Probably, but the question then becomes, "What does Netinfo have that other directory systems in far wider use, such as OpenLDAP, Active Directory, and eDirectory, don't?" Once you get beyond legacy support and liking Netinfo because you're familiar with it, the answer is really nothing. So Apple gradually moved Netinfo out, and in Leopard, it's gone, along with lookupd and the rest.
There are two benefits to the new system. First, without the Netinfo database, all local records formerly managed by Netinfo are now XML .plist files. If you look in /var/db/ you'll see a new directory, dslocal. This is the root container for all local Directory Services records. Drilling down into /var/db/dslocal/nodes/Default/ we see the following:
drwx------ 10 root wheel 340 Oct 11 19:30 aliases
drwx------ 3 root wheel 102 Oct 30 10:42 computers
drwx------ 7 root wheel 238 Oct 30 17:04 config
drwx------ 73 root wheel 2482 Oct 30 10:42 groups
drwx------ 4 root wheel 136 Oct 11 19:30 machines
drwx------ 3 root wheel 102 Oct 11 19:30 networks
drwx------ 45 root wheel 1530 Oct 28 10:13 users
If I go into computers, I see an entry for my machine, with all its Directory Services information, local, and for the Active Directory and Open Directory domains it's bound to. If I look in config, I see a number of things, such as the KerberosKDC.plist file, which is used to auto-generate the /Library/Preferences/edu.mit.kerberos file, the Kerberos plist that is specific to my domain, including my KDC and other information. The Sharepoints directory in config contains one .plist file for every share point you create in Leopard, with things like the name of the share point, the mask for create permissions, etc. The machines subdirectory contains the information for the localhost and broadcast host. The networks subdirectory contains the loopback info. The groups and users subdirectories are fairly self-evident.
Now, I know you're thinking that this was all in Netinfo too. That's correct. However, with Leopard, if I have a machine with a local user record that's corrupt, I can fix that by editing an XML file, or replacing the whole thing from a backup. If I find spurious local user records, I can delete them, archive them, whatever, without needing any kind of utilities or manager application. By getting rid of Netinfo, Apple has made Mac OS X more maintainable. (Face it, XML is child's play to script compared to Netinfo.) It's also more repairable, because now I can fix local Directory Service entries with nothing more than a text editor.
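To show how little scripting that takes, here is an added example (not from Apple or from the original article) that audits the records in the users directory for the two problems just described: records that no longer parse, and accounts that are not on a known-good list. It assumes each record stores its attributes as arrays of strings under keys such as name and uid; the sample records and account names are constructed.

```python
import plistlib
from pathlib import Path

USERS_DIR = Path("/var/db/dslocal/nodes/Default/users")  # path given in the article

def _first(record, key, default=""):
    """Assumed layout: every attribute is an array of strings; use the first."""
    value = record.get(key) or [default]
    return value[0]

def audit_user_records(records, baseline):
    """records: {filename: raw plist bytes}; baseline: set of expected names.
    Returns a sorted list of (filename, finding) tuples."""
    findings = []
    for filename, raw in records.items():
        try:
            record = plistlib.loads(raw)
            if not isinstance(record, dict):
                raise ValueError("top-level object is not a dictionary")
            uid = int(_first(record, "uid", "-1"))
        except Exception:
            # Corrupt record: repair by hand or restore the file from backup.
            findings.append((filename, "unreadable plist"))
            continue
        name = _first(record, "name", Path(filename).stem)
        if uid == 0 and name != "root":
            findings.append((filename, "uid 0 on non-root account"))
        elif name not in baseline:
            findings.append((filename, "not in baseline"))
    return sorted(findings)

def load_records(directory=USERS_DIR):
    """Read every .plist in the directory (root-only on a real system)."""
    return {p.name: p.read_bytes() for p in Path(directory).glob("*.plist")}

def _sample(name, uid):
    # Constructed sample record, not copied from a real machine.
    return plistlib.dumps({"name": [name], "uid": [str(uid)]})

SAMPLE = {
    "root.plist": _sample("root", 0),
    "alice.plist": _sample("alice", 501),
    "helpdesk.plist": _sample("helpdesk", 0),
    "tmpadmin.plist": _sample("tmpadmin", 502),
    "broken.plist": _sample("bob", 503)[:40],  # truncated to simulate corruption
}

if __name__ == "__main__":
    for filename, finding in audit_user_records(SAMPLE, {"root", "alice"}):
        print(f"{filename}: {finding}")
```

On a real machine, pass load_records() and a baseline built from a known-good install instead of SAMPLE.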
A second benefit is that all the problems you had with binding laptops to Directory Services like LDAP and Active Directory in Mac OS X 10.4 and earlier versions are gone. Even in Mac OS X 10.4, if your machine was bound to a directory service, and you booted in a situation where the domain controller for that service was unreachable and/or unresolvable, you had problems. You might not ever get to a login screen, you might not ever get logged in, or even if you did, you'd lock up the first time you did anything that required any information from lookupd and friends.
In Leopard, it all just works. My work laptop is bound to both an Active Directory and (Tiger) Open Directory service that doesn't exist outside our firewall, yet I can reboot, shut down and start, and there are no problems and no delays. In Leopard, it all just works, and for the first time, you can have mobile systems bound to a directory without goofy workarounds. That right there will make many, many IT managers extremely happy.