Specifications
Disabling Open Directory Authentication Methods
To make Open Directory password storage on the server more secure, you can
selectively disable authentication methods.
For example, if no clients are going to use Windows services, you can disable the
NTLMv1, NTLMv2, and LAN Manager authentication methods to prevent storing
passwords on the server using these methods. Then someone who gains unauthorized
access to the server’s password database can’t exploit weaknesses in these
authentication methods to crack passwords.
Important: If you disable an authentication method, its hash is removed from
the password database the next time the user authenticates. If you enable an
authentication method that was disabled, every Open Directory password must be
reset to add the newly enabled method’s hash to the password database. Users can
reset their own passwords, or a directory administrator can do it.
Disabling an authentication method makes the Open Directory Password Server
database more secure if an unauthorized user gains physical access to an Open
Directory server (master or replica) or to media containing a backup of the Open
Directory master.
Someone who gains access to the password database can try to crack a user’s
password by attacking the hash or recoverable text stored in the password database
by any authentication method. Nothing is stored in the password database by a
disabled authentication method, leaving one less avenue of attack open to a cracker
who has physical access to the Open Directory server or a backup of it.
Some hashes stored in the password database are easier to crack than others.
Recoverable authentication methods store clear (plainly readable) text. Disabling
authentication methods that store clear text or weaker hashes increases password
database security more than disabling methods that store stronger hashes.
If you believe your Open Directory master, replicas, and backups are secure, select all
authentication methods. If you’re concerned about the physical security of any Open
Directory server or its backup media, disable some methods.
Note: Disabling authentication methods does not increase the security of passwords
while they are transmitted over the network. Only password database security is
affected. In fact, disabling some authentication methods might require clients to
configure their software to send passwords over the network in clear text, thereby
compromising password security in a different way.
52 Chapter 3 Open Directory Authentication