32 Chapter 2 Inside Mac OS X Server
Authentication
You have several options for authenticating users:
• Open Directory authentication. Based on the standard Simple Authentication and
Security Layer (SASL) protocol, Open Directory authentication supports many
authentication methods, including CRAM-MD5, APOP, WebDAV, SHA-1, LAN Manager,
NTLMv1, and NTLMv2. It’s the preferred way to authenticate Windows users.
Authentication methods can be selectively disabled to make password storage on
the server more secure. For example, if no clients will use Windows services, you can
disable the NTLMv1 and LAN Manager authentication methods to prevent storing
passwords on the server using these methods. Then someone who somehow gains
access to your password database can’t exploit weaknesses in these authentication
methods to crack passwords.
Open Directory authentication lets you set up password policies for individual users
or for all users whose records are stored in a particular directory, with exceptions if
required. Open Directory authentication also lets you specify password policies for
individual directory replicas.
For example, you can specify a minimum password length or require a user to
change the password the next time he or she logs in. You can also disable login for
inactive accounts or after a specified number of failed login attempts.
• Kerberos v5 authentication. Using Kerberos authentication allows integration into
existing Kerberos environments. The Key Distribution Center (KDC) on Mac OS X
Server offers full support for password policies you set up on the server. Using
Kerberos also provides a feature known as single sign-on, described in the next
section.
The following services on Mac OS X Server support Kerberos authentication: Apple
Filing Protocol (AFP), mail, File Transfer Protocol (FTP), Secure Shell (SSH), login
window, LDAPv3, Virtual Private Network (VPN), screen saver, and Apache (via the
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol).
• Storing passwords in user accounts. This approach may be useful when migrating
user accounts from earlier server versions. However, this approach may not support
clients that require certain network-secure authentication protocols, such as APOP.
• Non-Apple LDAPv3 authentication. This approach is available for environments that
already have an LDAPv3 server set up to authenticate users.
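As an added illustration (not code from Apple's manual) of the password-policy behaviour described under Open Directory authentication above: a small Python model of a global policy with per-user exceptions, a minimum length, a forced change at next login, lockout after repeated failures and disabling of inactive accounts. The policy key names are borrowed from pwpolicy(8) as an assumption, and the sample accounts are constructed.

```python
import hmac
from dataclasses import dataclass, field

# Global policy; key names follow the pwpolicy(8) policy keys (assumption).
GLOBAL_POLICY = {
    "minChars": 8,                       # minimum password length
    "maxFailedLoginAttempts": 5,         # disable after N bad passwords
    "maxMinutesOfNonUse": 90 * 24 * 60,  # disable accounts idle > 90 days
}

@dataclass
class Account:
    name: str
    password: str               # constructed sample; a real server stores hashes
    last_login: float           # epoch seconds
    failed_attempts: int = 0
    new_password_required: bool = False
    disabled: bool = False
    policy: dict = field(default_factory=dict)  # per-user exceptions

def effective_policy(acct: Account) -> dict:
    """Per-user settings override the global policy, as the text describes."""
    return {**GLOBAL_POLICY, **acct.policy}

def set_password(acct: Account, new_password: str) -> str:
    """Enforce minimum length; a successful change clears the forced-change flag."""
    if len(new_password) < effective_policy(acct)["minChars"]:
        return "rejected: too short"
    acct.password = new_password
    acct.new_password_required = False
    return "ok"

def authenticate(acct: Account, password: str, now: float) -> str:
    """Apply lockout, inactivity and forced-change rules around a login attempt."""
    pol = effective_policy(acct)
    if acct.disabled:
        return "disabled"
    if (now - acct.last_login) / 60 > pol["maxMinutesOfNonUse"]:
        acct.disabled = True                  # inactive account is disabled
        return "disabled: inactive"
    if not hmac.compare_digest(password.encode(), acct.password.encode()):
        acct.failed_attempts += 1
        if acct.failed_attempts >= pol["maxFailedLoginAttempts"]:
            acct.disabled = True              # lockout after too many failures
            return "disabled: too many failed logins"
        return "bad password"
    acct.failed_attempts = 0                  # success resets the counter
    acct.last_login = now
    return "change password required" if acct.new_password_required else "ok"
```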
Single Sign-On
When a Mac OS X user is authenticated using Kerberos, the user doesn’t have to enter a
user name and password every time a Kerberized service is used.
The user enters the Kerberos name and password at login, but doesn’t need to reenter
it when using services that support Kerberos authentication.