Specifications

Chapter 3 Open Directory Authentication 39
User accounts in the following directory domains can have Open Directory passwords:
• The LDAP directory of Mac OS X Server
• The local directory domain of Mac OS X Server
Note: Open Directory passwords can’t be used to log in to Mac OS X v10.1 or
earlier. Users who log in using the login window of Mac OS X v10.1 or earlier must
be configured to use crypt passwords. The password type doesn’t matter for other
services. For example, a user of Mac OS X v10.1 could authenticate for AFP service with
an Open Directory password.
About Shadow Passwords
Shadow passwords support the same traditional authentication methods as Open
Directory Password Server. These authentication methods are used to send shadow
passwords over the network in a scrambled form, or hash.
A shadow password is stored as several hashes in a file on the same computer as the
directory domain where the user account resides. Because the password is not stored
in the user account, the password is not easy to capture over the network. Each user’s
shadow password is stored in a different file, named a shadow password file, and these
files are protected so they can be read only by the root user account.
Only user accounts that are stored in a computer’s local directory domain can have
a shadow password. User accounts that are stored in a shared directory can’t have a
shadow password.
Shadow passwords also provide cached authentication for mobile user accounts. For
complete information about mobile user accounts, see User Management.
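The protection described above, that each shadow password file can be read only by the root user account, is something an administrator can verify rather than assume. The following audit is an added example written for this page, not Apple’s code; the page does not give the on-disk location of the shadow password files, so the directory is passed in as a parameter, and the demo builds a constructed sample store in a temporary directory.

```python
import os
import stat
import tempfile
from pathlib import Path

ROOT_UID = 0


def audit_shadow_file(path: Path) -> list[str]:
    """Return findings for one shadow password file.

    An empty list means the file is a regular file owned by root with no
    group/other permission bits, i.e. only the root user account can read it.
    """
    findings = []
    st = path.lstat()  # lstat: never follow links inside a password store
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symbolic link")
        return findings
    if not stat.S_ISREG(st.st_mode):
        findings.append("is not a regular file")
    if st.st_uid != ROOT_UID:
        findings.append(f"owned by uid {st.st_uid}, not root")
    perms = stat.S_IMODE(st.st_mode)
    if perms & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"readable by group/other (mode {perms:04o})")
    if perms & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"writable by group/other (mode {perms:04o})")
    return findings


def audit_shadow_dir(directory: Path) -> dict[str, list[str]]:
    """Audit every entry of a shadow password directory, keyed by file name."""
    return {p.name: audit_shadow_file(p) for p in sorted(directory.iterdir())}


def demo() -> dict[str, list[str]]:
    """Constructed sample store: one correctly protected file, one world-readable."""
    store = Path(tempfile.mkdtemp())
    (store / "user-good").write_bytes(b"constructed hash data, not a real hash")
    os.chmod(store / "user-good", 0o600)
    (store / "user-bad").write_bytes(b"constructed hash data, not a real hash")
    os.chmod(store / "user-bad", 0o644)
    return audit_shadow_dir(store)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run as a non-root user, both sample files are also reported as not owned by root, which is the expected result for a constructed store and the point of the ownership check.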
About Crypt Passwords
A crypt password is stored in a hash in the user account. This strategy, historically
named basic authentication, is most compatible with software that needs to access
user records directly. For example, Mac OS X v10.1 and earlier expect to find a crypt
password stored in the user account.
Crypt authentication supports a maximum password length of eight bytes (eight
ASCII characters). If a longer password is entered in a user account, only the first eight
bytes are used for crypt password validation. Shadow passwords and Open Directory
passwords are not subject to this length limit.
For secure transmission of passwords over a network, crypt supports the DHX
authentication method.