Specifications

Contents of the Open Directory Password Server Database
Open Directory Password Server maintains an authentication database separate from
the directory domain. Open Directory tightly restricts access to the authentication
database.
Open Directory Password Server stores the following information in its authentication
database for each user account that has a password type of Open Directory:
• The user’s password ID, a 128-bit value assigned when the password is created. It is also stored in the user’s record in the directory domain and is used as a key for finding the user’s record in the Open Directory Password Server database.
• The password, stored in recoverable (clear text) or hashed (encrypted) form. The form depends on the authentication method. A recoverable password is stored for the APOP and WebDAV authentication methods. For all other methods, the record stores a hashed (encrypted) password. If no authentication method requiring a clear text password is enabled, the Open Directory authentication database stores only hashes of passwords.
• The user’s short name, for use in log messages viewable in Server Admin.
• Password policy data.
• Time stamps and other usage information, such as last login time, last failed validation time, count of failed validations, and replication information.
LDAP Bind Authentication
For user accounts that reside in an LDAP directory on a non-Apple server, Open
Directory attempts to use LDAP bind authentication. Open Directory sends the LDAP
directory server the name and password supplied by the authenticating user. If the
LDAP server nds a matching user record and password, authentication succeeds.
If the LDAP directory service and the client computer’s connection to it are configured to
send clear text passwords over the network, LDAP bind authentication can be insecure.
Open Directory tries to use a secure authentication method with the LDAP directory.
If the directory doesn’t support secure LDAP bind and the client’s LDAPv3 connection
permits sending a clear text password, Open Directory reverts to simple LDAP bind.
To prevent clear text authentication, make sure your LDAP servers don’t accept clear
text passwords.
In this case, you can secure simple LDAP bind authentication by setting up access to
the LDAP directory through the Secure Sockets Layer (SSL) protocol. SSL makes access
secure by encrypting all communications with the LDAP directory.
For more information, see “Changing the Security Policy for an LDAP Connection” on
page 145 and “Changing the Connection Settings for an LDAP Directory” on page 143.
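The fallback described above matters because a simple LDAP bind puts the password on the wire exactly as typed, whereas a SASL bind (the secure method Open Directory tries first) does not. The following added example, not part of this guide or of Open Directory, decodes an LDAP BindRequest the way a passive monitor on an unencrypted port 389 session would, and reports whether a credential is readable; the DN and password in the constructed sample messages are hypothetical, and over SSL the monitor would see none of this, which is the point of the mitigation.

```python
"""Decode an LDAP BindRequest (RFC 4511, BER-encoded) and report whether the credential it
carries is readable on the wire. Sample messages are constructed inline (hypothetical DN and
password), so this runs offline."""
def _ber_len(n: int) -> bytes:
    if n < 0x80:                                   # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _int(v: int) -> bytes:
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """BindRequest with authentication = simple [0]: the password travels as typed."""
    body = _int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _int(msg_id) + _tlv(0x60, body))

def sasl_bind(msg_id: int, dn: str, mechanism: str) -> bytes:
    """First leg of a SASL bind (authentication = sasl [3]): names the mechanism only."""
    body = _int(3) + _tlv(0x04, dn.encode()) + _tlv(0xA3, _tlv(0x04, mechanism.encode()))
    return _tlv(0x30, _int(msg_id) + _tlv(0x60, body))

def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def inspect_bind(msg: bytes) -> dict:
    """What a passive monitor on an unencrypted LDAP session learns from one BindRequest."""
    tag, seq, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(seq, 0)                  # messageID
    tag, req, _ = _read_tlv(seq, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = _read_tlv(req, 0)                  # version
    _, name, pos = _read_tlv(req, pos)
    tag, auth, _ = _read_tlv(req, pos)
    if tag == 0x80:   # simple bind: password readable unless SSL wraps the session
        return {"name": name.decode(), "method": "simple", "cleartext_password": len(auth) > 0}
    if tag == 0xA3:   # SASL bind: the monitor sees only the mechanism name in this leg
        mech = _read_tlv(auth, 0)[1].decode()
        return {"name": name.decode(), "method": "sasl/" + mech, "cleartext_password": mech.upper() == "PLAIN"}
    raise ValueError("unsupported authentication choice")
```

An empty simple bind (no DN, no password) is an anonymous bind and is reported as carrying no credential; the SASL PLAIN mechanism is flagged because it, too, sends the password unprotected.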
54 Chapter 3 Open Directory Authentication