Appendix B: Open Directory Password Server
Authentication Methods
Open Directory Password Server is based on the SASL standard for supporting multiple methods of authenticating user passwords.
The authentication methods supported by Open Directory Password Server include
APOP, CRAM-MD5, DHX, Digest-MD5, MS-CHAPv2, SMB-NT, SMB-LAN Manager, and
WebDAV-Digest. Open Directory Password Server can support a wide range of
authentication methods because it is based on the Simple Authentication and Security
Layer (SASL) standard.
Open Directory needs to support many different authentication methods because each
service that requires authentication uses some methods but not others. File service
uses one set of authentication methods, Web service uses another set of methods, mail
service uses another set, and so on.
Some authentication methods are more secure than others. The more secure methods
use tougher algorithms to encode the information that they transmit between client
and server. The more secure authentication methods also store passwords in a form
that can’t be recovered from the server.
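As an added illustration, not from the guide, of why some of the listed methods force the server to keep a recoverable password: CRAM-MD5 (RFC 2195) and APOP (RFC 1939) are challenge-response schemes whose server-side check can only be recomputed from the cleartext password, so a one-way stored hash is not enough. The user names, challenge and passwords in the demo are constructed; the RFC vectors are used only in the checks.

```python
import hashlib
import hmac

# Both schemes below appear in the guide's list of supported methods.
# Neither can be verified from a one-way password hash: the server-side
# check needs the cleartext password itself, which is why the directory
# has to keep it in a recoverable form for these methods.


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 keyed with the cleartext password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response: str, challenge: bytes, stored_password: str) -> bool:
    """Server side of CRAM-MD5. `stored_password` is what the directory holds for
    the user; it must be the cleartext (or an HMAC state keyed with it) to recompute
    the expected digest for this challenge."""
    username, _, digest = response.partition(" ")
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    # constant-time comparison so the check itself leaks no timing information
    return bool(username) and hmac.compare_digest(expected, digest)


def apop_digest(timestamp: str, password: str) -> str:
    """APOP (RFC 1939): MD5 over the server's timestamp banner followed by the cleartext password."""
    return hashlib.md5((timestamp + password).encode()).hexdigest()


def apop_verify(timestamp: str, client_digest: str, stored_password: str) -> bool:
    """Server side of APOP; again only possible with the cleartext password on hand."""
    return hmac.compare_digest(apop_digest(timestamp, stored_password), client_digest)


def demo() -> bool:
    """Constructed round trip: the right password verifies, a wrong one is rejected."""
    challenge = b"<1234.5678@example.invalid>"  # constructed server challenge
    good = cram_md5_verify(cram_md5_response("alice", "s3cret", challenge), challenge, "s3cret")
    bad = cram_md5_verify(cram_md5_response("alice", "wrong", challenge), challenge, "s3cret")
    return good and not bad


if __name__ == "__main__":
    print("round trip ok:", demo())
```

Disabling a method with NeST, as the next section describes, removes the need to keep the corresponding recoverable secret; the functions above are meant for verifying that a remaining method behaves as expected, not as a replacement for the server's own implementation.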
Enabling or Disabling Authentication Methods
All password authentication methods supported by Open Directory Password Server
are initially enabled. You can disable and enable Open Directory Password Server
authentication methods by using the NeST command in Terminal. For information, see
the command-line administration guide.
When deciding whether to disable or enable authentication methods, your goal should
be to provide maximum convenience to legitimate users while keeping other users
from gaining access to the server. Consider the following:
• Which types of password validation are needed by the services that my server or
servers provide?
• What balance do I want between ease of access and security?
• What types of hardware and software will the server’s clients use?
• Is my server in a physically secure location?
LL2352.Book Page 173 Friday, August 22, 2003 3:12 PM