Use this chapter to learn how to use Open Directory
authentication, shadow and crypt passwords, Kerberos, LDAP
bind, and single sign-on.
Open Directory oers several options for authenticating users whose accounts
are stored in directory domains on Mac OS X Server, including Kerberos and the
traditional authentication methods that network services require. Open Directory can
authenticate users by one or more of the following methods:
• Kerberos authentication for single sign-on
• Traditional authentication methods and a password stored securely in the
  Open Directory Password Server database
• Traditional authentication methods and a shadow password stored in a secure
  shadow password file for each user
• A crypt password stored directly in the user's account, for backward compatibility
  with legacy systems
• A non-Apple LDAP server for LDAP bind authentication
In addition, Open Directory lets you set up a password policy for all users and specific
password policies for each user, such as automatic password expiration and minimum
password length. (Password policies do not apply to administrators, crypt password
authentication, or LDAP bind authentication.)
About Password Types
Each user account has a password type that determines how the user account is
authenticated. In a local directory domain, the standard password type is shadow
password. On a server upgraded from Mac OS X Server v10.3, user accounts in the local
directory domain can also have an Open Directory password type.
For user accounts in the LDAP directory of Mac OS X Server, the standard password
type is Open Directory. User accounts in the LDAP directory can also have a password
type of crypt password.
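As an added example (not part of Apple's guide), the Python sketch below classifies accounts by password type and lists those that use crypt passwords, which this chapter says password policies do not cover. It assumes the password type is read from each record's AuthenticationAuthority attribute, that a record without that attribute is treated as crypt, and that the input resembles dscl -readall output; the sample records are constructed.

```python
# Constructed sample modelled on `dscl <node> -readall /Users` output, where
# records are separated by a line containing "-". Not taken from a real system.
SAMPLE = """\
RecordName: alice
AuthenticationAuthority: ;ApplePasswordServer;0xSLOTID,PUBKEY:192.0.2.10
 ;Kerberosv5;;alice@OD.EXAMPLE.COM;OD.EXAMPLE.COM;PUBKEY
-
RecordName: bob
AuthenticationAuthority: ;ShadowHash;
-
RecordName: legacy
AuthenticationAuthority: ;basic;
-
RecordName: oldimport
"""

# Authentication authority tag -> password type named in this chapter.
TAGS = {"ApplePasswordServer": "Open Directory", "Kerberosv5": "Kerberos",
        "ShadowHash": "shadow", "basic": "crypt"}

def parse_records(text):
    """Return {record name: AuthenticationAuthority value ('' if absent)}."""
    records = {}
    for block in text.split("\n-\n"):
        attrs, last = {}, None
        for line in block.splitlines():
            if line[:1].isspace() and last:      # continuation of a long value
                attrs[last] += " " + line.strip()
                continue
            key, sep, value = line.partition(":")
            if sep:
                last = key.strip()
                attrs[last] = value.strip()
        if "RecordName" in attrs:
            records[attrs["RecordName"]] = attrs.get("AuthenticationAuthority", "")
    return records

def password_types(authority):
    """Map an AuthenticationAuthority value to the password types it names."""
    found = [name for tag, name in TAGS.items() if f";{tag};" in authority]
    return found or ["crypt"]   # assumption: no authority means crypt

def policy_exempt(records):
    """Accounts whose crypt password puts them outside password policy."""
    return sorted(u for u, a in records.items() if "crypt" in password_types(a))

if __name__ == "__main__":
    for user, authority in parse_records(SAMPLE).items():
        print(user, password_types(authority))
    print("outside password policy:", policy_exempt(parse_records(SAMPLE)))
```

Administrator accounts are also outside password policy according to this chapter; detecting them needs group membership data, which this sketch does not read.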
3 Open Directory Authentication