Specifications
Chapter 3 Open Directory Authentication 51
Open Directory supports many authentication methods because each service that
requires authentication uses some methods but not others. For example, AFP service
uses one set of authentication methods, web services use another set of methods, mail
service uses another set, and so on.
Some authentication methods are more secure than others. The more secure methods
use stronger algorithms to protect the credentials they transmit between client and
server, and they store only a password hash on the server, from which the password
can't easily be recovered. The less secure methods require the server to store the
password in a recoverable, clear text form.
No one, not even an administrator or the root user account, can recover an encrypted
password by reading it from the database. An administrator can use Workgroup
Manager to set a user's password, but cannot read a user's password.
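The following Python model, added here as an illustration and not code from Open Directory or Apple's Password Server, shows the storage distinction described above: a user record holds either a salted one-way hash or a recoverable clear text password. An administrator can set either kind, but can read back only the recoverable kind. A password-transmitting method can verify against both, while a challenge-response method (modelled here as an HMAC over a server nonce, a simplification of real methods) can only be offered to users whose password is stored in the form the method needs. The class and function names and the sample users are hypothetical.

```python
import hashlib
import hmac
import os
import secrets


class PasswordStore:
    """Hypothetical password database with two storage policies.

    'hash'      -> salted, iterated PBKDF2-SHA256 digest (not recoverable)
    'cleartext' -> the password itself (recoverable)
    """

    ITERATIONS = 100_000

    def __init__(self):
        self._records = {}

    # ---- administrator operations -------------------------------------
    def set_password(self, user, password, recoverable=False):
        """An administrator can set a password under either policy."""
        if recoverable:
            self._records[user] = {"type": "cleartext", "value": password}
        else:
            salt = os.urandom(16)
            digest = hashlib.pbkdf2_hmac(
                "sha256", password.encode(), salt, self.ITERATIONS)
            self._records[user] = {"type": "hash", "salt": salt, "value": digest}

    def read_password(self, user):
        """What reading the database directly yields: the clear text password
        for recoverable records, nothing useful for hashed ones."""
        rec = self._records[user]
        return rec["value"] if rec["type"] == "cleartext" else None

    # ---- authentication methods ---------------------------------------
    def verify_plain(self, user, password):
        """Method that transmits the password: works with either storage type."""
        rec = self._records[user]
        if rec["type"] == "cleartext":
            return hmac.compare_digest(rec["value"].encode(), password.encode())
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), rec["salt"], self.ITERATIONS)
        return hmac.compare_digest(rec["value"], digest)

    def challenge(self):
        """Fresh random nonce for a challenge-response exchange."""
        return secrets.token_bytes(16)

    def verify_challenge_response(self, user, challenge, response):
        """Challenge-response method: the client never sends the password, only
        HMAC(password, challenge). The server must compute the same value, so
        in this simplified model it needs the recoverable password.
        Returns True/False on a decision, or None if the method is unavailable
        for this user because of how the password is stored."""
        rec = self._records[user]
        if rec["type"] != "cleartext":
            return None
        expected = hmac.new(rec["value"].encode(), challenge, hashlib.md5).digest()
        return hmac.compare_digest(expected, response)


def client_response(password, challenge):
    """Client side of the simplified challenge-response method."""
    return hmac.new(password.encode(), challenge, hashlib.md5).digest()


def demo():
    """Constructed walk-through with two hypothetical users."""
    store = PasswordStore()
    store.set_password("alice", "s3cret")                    # hashed
    store.set_password("bob", "hunter2", recoverable=True)   # clear text
    ch = store.challenge()
    return {
        "admin_can_read_alice": store.read_password("alice") is not None,
        "admin_can_read_bob": store.read_password("bob") is not None,
        "alice_plain_ok": store.verify_plain("alice", "s3cret"),
        "alice_cr_available": store.verify_challenge_response(
            "alice", ch, client_response("s3cret", ch)) is not None,
        "bob_cr_ok": store.verify_challenge_response(
            "bob", ch, client_response("hunter2", ch)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point to take from `demo()` is the trade-off the text describes: hashing protects the stored password from anyone who can read the database, including an administrator, but it also removes the user from the set of people a challenge-response method can authenticate unless the server keeps a form of the password that method can work with.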
If you connect Mac OS X Server v10.4 or later to a directory domain of Mac OS X Server
v10.3 or earlier, users defined in the older directory domain can't be authenticated
with the NTLMv2 method. This method may be required to securely authenticate some
Windows users for the Windows services of Mac OS X Server v10.4 or later.
Open Directory Password Server in Mac OS X Server v10.4 or later supports NTLMv2
authentication, but Password Server in Mac OS X Server v10.3 or earlier does not.
If you connect Mac OS X Server v10.3 or later to a directory domain of Mac OS X Server
v10.2 or earlier, users defined in the older directory domain can't be authenticated
with the MS-CHAPv2 method. This method may be required to securely authenticate
users for the VPN service of Mac OS X Server v10.3 or later.
Open Directory Password Server in Mac OS X Server v10.3 or later supports
MS-CHAPv2 authentication, but Password Server in Mac OS X Server v10.2 does not.