Specifications

Password type     Authentication authority              Attribute in user record
----------------  ------------------------------------  --------------------------------------
Open Directory    Open Directory Password Server        Either or both:
                  and Kerberos (1)                      ;ApplePasswordServer;
                                                        ;Kerberosv5;
Shadow password   Password file for each user,          Either:
                  readable only by the root user        ;ShadowHash; (2)
                  account                               ;ShadowHash;<list of enabled
                                                        authentication methods>
Crypt password    Encoded password in user record       Either:
                                                        ;basic;
                                                        no attribute at all
1. User accounts from Mac OS X Server v10.2 must be reset to include the Kerberos
authentication authority attribute. See “Enabling Single Sign-On Kerberos
Authentication for a User” on page 110.
2. If the attribute in the user record is ;ShadowHash; without a list of enabled
authentication methods, the default authentication methods are enabled. The list of
default authentication methods is different for Mac OS X Server and Mac OS X.
The authentication authority attribute can specify multiple authentication options.
For example, a user account with an Open Directory password type normally has an
authentication authority attribute that specifies both Kerberos and Open Directory
Password Server.
A user account doesn’t need to include an authentication authority attribute. If a user’s
account contains no authentication authority attribute, Mac OS X Server assumes a
crypt password is stored in the user’s account. For example, user accounts created
using Mac OS X v10.1 or earlier contain a crypt password but not an authentication
authority attribute.
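The mapping in the table and the two paragraphs above can be turned into a small classifier. The following is an added example, not code from Apple's documentation: it splits each AuthenticationAuthority value on its ;Tag; prefix, treats a missing attribute as a crypt password, and distinguishes ;ShadowHash; alone (defaults apply) from ;ShadowHash; followed by a method list. The sample records, and the 'HASHLIST:<...>' syntax assumed for that list, are constructed for the example; the page only states that a list follows ;ShadowHash;.

```python
"""Classify a user record's password type from its AuthenticationAuthority values.

Added example, not code from Apple's Open Directory documentation. It applies
the table above: ;ApplePasswordServer; and/or ;Kerberosv5; mean an Open
Directory password, ;ShadowHash; (with or without a following list of enabled
authentication methods) means a shadow password, and ;basic; or no attribute
at all means a crypt password. The sample records are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PasswordType:
    kind: str                              # "Open Directory", "Shadow password" or "Crypt password"
    authorities: List[str] = field(default_factory=list)
    shadow_methods: Optional[List[str]] = None   # None: the platform's default methods apply


def split_authority(value: str) -> Tuple[str, str]:
    """Split one value ';Tag;rest' into (tag, rest).

    The part after the tag is tag-specific (real records carry extra fields such
    as the Kerberos principal) and is passed through opaquely here.
    """
    parts = value.split(";", 2)
    if len(parts) != 3 or parts[0] != "" or not parts[1]:
        raise ValueError(f"malformed AuthenticationAuthority value: {value!r}")
    return parts[1], parts[2]


def parse_method_list(rest: str) -> List[str]:
    """Parse the list of enabled methods that may follow ;ShadowHash;.

    Assumed syntax for this example: 'HASHLIST:<A,B,C>'. The page only says a
    list follows ;ShadowHash;, so adjust this if your records differ.
    """
    if rest.startswith("HASHLIST:"):
        rest = rest[len("HASHLIST:"):]
    return [m for m in rest.strip("<>").split(",") if m]


def classify(authorities: Optional[List[str]]) -> PasswordType:
    """Map the values of a record's AuthenticationAuthority attribute to a password type.

    Pass None (or an empty list) for a record with no such attribute, which Mac
    OS X Server treats as a crypt password (accounts from Mac OS X v10.1 or earlier).
    """
    if not authorities:
        return PasswordType("Crypt password")
    tags: Dict[str, str] = dict(split_authority(v) for v in authorities)
    od = [t for t in ("ApplePasswordServer", "Kerberosv5") if t in tags]
    if od:                                   # Open Directory wins if combined with other tags
        return PasswordType("Open Directory", od)
    if "ShadowHash" in tags:
        rest = tags["ShadowHash"]
        methods = parse_method_list(rest) if rest else None
        return PasswordType("Shadow password", ["ShadowHash"], methods)
    if "basic" in tags:
        return PasswordType("Crypt password", ["basic"])
    raise ValueError(f"unrecognized authentication authority tags: {sorted(tags)}")


# Constructed sample records keyed by a short name (values are illustrative, not real data).
SAMPLE_RECORDS: Dict[str, Optional[List[str]]] = {
    "od-user":     [";ApplePasswordServer;0x1234,1024 35 12345:192.0.2.10",
                    ";Kerberosv5;;jdoe@EXAMPLE.COM;EXAMPLE.COM;"],
    "kerb-only":   [";Kerberosv5;;kuser@EXAMPLE.COM;EXAMPLE.COM;"],
    "shadow-dflt": [";ShadowHash;"],
    "shadow-list": [";ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT>"],
    "crypt-basic": [";basic;"],
    "legacy-10.1": None,
}


if __name__ == "__main__":
    for name, values in SAMPLE_RECORDS.items():
        result = classify(values)
        print(f"{name:12} {result.kind:16} {result.authorities} {result.shadow_methods}")
```

Unknown tags raise rather than being guessed at, so a record that carries an authority this page does not describe is surfaced instead of silently treated as one of the three types.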
About Password Policies
Open Directory enforces password policies for users whose password type is Open
Directory or shadow password. For example, a user’s password policy can specify a
password expiration interval. If the user is logging in and Open Directory determines
that the user’s password has expired, the user must replace the expired password.
Then Open Directory can authenticate the user.
Password policies can disable a user account on a specified date, after a number of
days, after a period of inactivity, or after a number of failed login attempts. Password
policies can also require passwords to be a minimum length, contain at least one
letter, contain at least one numeral, differ from the account name, differ from recent
passwords, or be changed periodically.
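The policy controls listed above have an evaluation order that matters: an account disabled by policy is refused before its password is checked, while an expired password is reported only after the correct one is supplied, so the user can replace it and then be authenticated. The following is an added example, not Apple's code and not Open Directory's own policy engine; it models those controls with field names of its own (not Open Directory attribute or pwpolicy key names) and walks a constructed user through expiry, a rejected and an accepted replacement, and lockout after failed logins.

```python
"""Policy checks for users whose password type is Open Directory or shadow password.

Added example; not Apple code and not Open Directory's own policy engine. It
models the controls listed above: an expiration interval, disabling an account on
a date, after a number of days, after inactivity or after failed login attempts,
and the composition rules for a replacement password. Field names are this
example's own assumptions, not Open Directory attribute or pwpolicy key names.
"""
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class PasswordPolicy:
    min_length: int = 0
    requires_letter: bool = False
    requires_numeral: bool = False
    cannot_be_account_name: bool = False
    history_depth: int = 0                        # 0 disables the recent-password check
    max_password_age: Optional[timedelta] = None  # "must be changed periodically"
    max_failed_logins: Optional[int] = None
    max_inactivity: Optional[timedelta] = None
    disable_after: Optional[timedelta] = None     # counted from account creation
    disable_on: Optional[datetime] = None

@dataclass
class UserState:
    name: str
    password: str          # plaintext only in this simulation; a real store keeps a hash
    created_at: datetime
    password_set_at: datetime
    last_login_at: datetime
    failed_logins: int = 0
    recent_passwords: List[str] = field(default_factory=list)  # most recent first

def disabled_reasons(policy: PasswordPolicy, user: UserState, now: datetime) -> List[str]:
    """Every policy condition that currently disables the account (empty = enabled)."""
    checks = [
        (policy.disable_on is not None and now >= policy.disable_on, "disable date reached"),
        (policy.disable_after is not None and now - user.created_at >= policy.disable_after, "account age limit reached"),
        (policy.max_inactivity is not None and now - user.last_login_at >= policy.max_inactivity, "inactive too long"),
        (policy.max_failed_logins is not None and user.failed_logins >= policy.max_failed_logins, "too many failed login attempts"),
    ]
    return [reason for hit, reason in checks if hit]

def new_password_violations(policy: PasswordPolicy, user: UserState, candidate: str) -> List[str]:
    """Rules a replacement password breaks; an empty list means it is acceptable."""
    history = ([user.password] + user.recent_passwords)[:policy.history_depth]
    checks = [
        (len(candidate) < policy.min_length, f"shorter than {policy.min_length} characters"),
        (policy.requires_letter and not any(c.isalpha() for c in candidate), "contains no letter"),
        (policy.requires_numeral and not any(c.isdigit() for c in candidate), "contains no numeral"),
        (policy.cannot_be_account_name and candidate.lower() == user.name.lower(), "same as account name"),
        (candidate in history, "reused a recent password"),
    ]
    return [reason for hit, reason in checks if hit]

def login(policy: PasswordPolicy, user: UserState, supplied: str, now: datetime) -> str:
    """Login decision: 'disabled', 'denied', 'change-required' or 'ok'."""
    if disabled_reasons(policy, user, now):           # refused before the password is even checked
        return "disabled"
    if not hmac.compare_digest(supplied.encode(), user.password.encode()):
        user.failed_logins += 1
        return "denied"
    user.failed_logins = 0
    user.last_login_at = now
    expired = policy.max_password_age is not None and now - user.password_set_at >= policy.max_password_age
    return "change-required" if expired else "ok"     # expired: replace it, then authentication proceeds

def change_password(policy: PasswordPolicy, user: UserState, candidate: str, now: datetime) -> List[str]:
    """Install a replacement password if it passes the policy; returns the violations found."""
    problems = new_password_violations(policy, user, candidate)
    if not problems:
        user.recent_passwords.insert(0, user.password)
        user.password = candidate
        user.password_set_at = now
    return problems

def demo() -> list:
    """Constructed walk-through: expiry, a rejected and an accepted change, then lockout."""
    policy = PasswordPolicy(min_length=8, requires_letter=True, requires_numeral=True,
                            cannot_be_account_name=True, history_depth=3,
                            max_password_age=timedelta(days=90), max_failed_logins=3,
                            max_inactivity=timedelta(days=180))
    t0 = datetime(2006, 1, 1)
    user = UserState("jdoe", "winter2005x", created_at=t0, password_set_at=t0, last_login_at=t0)
    now = t0 + timedelta(days=100)                          # past the 90-day interval
    out = [login(policy, user, "wrong", now),                # denied
           login(policy, user, "winter2005x", now),          # change-required
           change_password(policy, user, "jdoe", now),       # rejected: three rule violations
           change_password(policy, user, "spring2006y", now),  # accepted: []
           login(policy, user, "spring2006y", now)]          # ok
    for _ in range(3):
        login(policy, user, "wrong", now)                    # three failures reach the limit
    out.append(login(policy, user, "spring2006y", now))      # disabled, even with the right password
    return out
```

Running demo() shows the lockout case: once the failed-login limit is reached the correct password no longer helps, because the disabled check runs first. The constant-time comparison is there only so the simulation does not teach a timing leak; a real deployment compares against the stored hash or the Password Server, never a plaintext field.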
42 Chapter 3 Open Directory Authentication