Specifications

174 Appendix B Open Directory Password Server Authentication Methods
Note: Disabling or enabling an authentication method may necessitate resetting
passwords in user accounts. If a user can’t use additional methods after you enable
them, the user or a directory domain administrator needs to reset the user’s password.
Basic information about Open Directory Password Server authentication methods is
provided on the following pages. This information is not a substitute for a thorough
knowledge of authentication methods and how they affect security and ease of access.
APOP Password Validation
APOP can be used for POP mail service by Mac OS X Server and users’ mail client
software. It encodes passwords when they are sent over the network, but stores them
in a recoverable form on the server. It offers good security during network
transmission. A malicious user might be able to obtain passwords by gaining access to
the server and reading the password file, although doing this would be difficult. If
APOP is disabled, some email programs will transmit passwords over the network in
clear text format, which is a significant security risk. If you use your server for POP
email, you should probably keep APOP enabled.
CRAM-MD5 Password Validation
CRAM-MD5 can be used for IMAP mail service by Mac OS X Server and users’ mail client
software. CRAM-MD5 is also used by some LDAP software. This authentication method
encodes passwords when they are sent over the network, and stores them in a
scrambled form on the server. It offers good security during network transmission. A
malicious user might be able to obtain passwords by gaining access to the server and
decoding the password file, although doing this would be very difficult. If CRAM-MD5 is
disabled, some email programs will transmit passwords over the network in clear text
format, which is a significant security risk. If you use your server for SMTP or IMAP
email, you should probably keep CRAM-MD5 enabled.
DHX Password Validation
Diffie-Hellman Exchange (DHX) password validation is used by the Apple file service of
Mac OS X Server and some other Apple Filing Protocol (AFP) file servers. DHX is
required for Open Directory administration and password changes. A malicious user
might be able to obtain passwords by gaining access to the server and decoding the
password file, although doing this would be very difficult. DHX strongly encodes
passwords when they are sent over the network. DHX cannot be disabled.
Mac OS 8.1–8.6 computers must have their AppleShare Client software upgraded to use
DHX.
Mac OS 8.6 computers should use AppleShare Client version 3.8.8.
Mac OS 8.1–8.5 clients should use AppleShare Client version 3.8.6.
Mac OS 8.1–8.6 client computers that have file server volumes mount automatically
during startup should use AppleShare Client version 3.8.3 with the DHX UAM (User
Authentication Module) installed. The DHX UAM is included with the AppleShare
Client 3.8.3 installation software.
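The DHX description above says only that the password is strongly encoded on the network and that the server keeps it in a form that could be decoded. The following is an added example, not Apple's DHX implementation and not code from the page; it shows the shape of a Diffie-Hellman based login with both sides' messages in one process, so the reader can see what a passive observer gets and what the server must store. The group parameters (a toy 127-bit Mersenne prime, generator 2), the HMAC-SHA256 keystream standing in for DHX's cipher, the 64-byte password field, and the `PASSWORD_DB` store are all assumptions made for illustration; the real protocol's modulus and cipher are not given on the page.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only (assumption: the page gives no
# DHX parameters; the real protocol uses a fixed modulus and its own cipher).
P = 2**127 - 1   # Mersenne prime M127, used here purely as a classroom modulus
G = 2

# Constructed server-side credential store. DHX verification compares the
# decrypted password with what the server holds, so the stored form is
# recoverable, which matches the page's warning about decoding the password file.
PASSWORD_DB = {"alice": "correct horse battery staple"}


def dh_keypair():
    """Private exponent x and the public value g^x mod p sent to the peer."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_key(priv: int, peer_pub: int) -> bytes:
    """Both sides compute peer_pub^priv mod p and hash it into a 32-byte key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for DHX's symmetric cipher: HMAC-SHA256 counter-mode keystream
    XORed over the data. Encryption and decryption are the same operation."""
    out = bytearray()
    for off in range(0, len(data), 32):
        counter = (off // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def dhx_login(username: str, client_password: str):
    """Run one exchange between an in-process client and server.
    Returns (accepted, transcript); the transcript is everything a passive
    network observer sees."""
    # Client -> Server: username and the client's public value
    c_priv, c_pub = dh_keypair()
    # Server -> Client: its public value plus a nonce for the cipher
    s_priv, s_pub = dh_keypair()
    nonce = secrets.token_bytes(16)
    # Each side derives the same key from its own private exponent
    k_client = dh_shared_key(c_priv, s_pub)
    k_server = dh_shared_key(s_priv, c_pub)
    # Client -> Server: password padded to a fixed width, encrypted under the key
    padded = client_password.encode().ljust(64, b"\0")
    ciphertext = keystream_xor(k_client, nonce, padded)
    # Server: decrypt and compare against the stored cleartext password
    recovered = keystream_xor(k_server, nonce, ciphertext).rstrip(b"\0")
    expected = PASSWORD_DB.get(username, "").encode()
    accepted = hmac.compare_digest(recovered, expected)
    transcript = {"client_pub": c_pub, "server_pub": s_pub,
                  "nonce": nonce, "ciphertext": ciphertext}
    return accepted, transcript


def password_visible_on_wire(transcript, password: str) -> bool:
    """What a sniffer could read: True only if the password bytes appear in the
    captured ciphertext, which they do not once the exchange is encrypted."""
    return password.encode() in transcript["ciphertext"]


if __name__ == "__main__":
    ok, capture = dhx_login("alice", PASSWORD_DB["alice"])
    print("login accepted:", ok)
    print("password readable in capture:", password_visible_on_wire(capture, PASSWORD_DB["alice"]))
```

The transcript contains only the two public values, the nonce, and ciphertext; recovering the password from it means solving the discrete logarithm in the group, which is what "strongly encodes passwords when they are sent over the network" refers to (and why the toy modulus here must not be mistaken for a usable size). The server side, by contrast, decrypts to the cleartext and compares it with what it has stored, so the password file remains the asset to protect. Note also that a bare Diffie-Hellman exchange like this one authenticates neither endpoint; whatever additional protection the real DHX provides against an active impersonator is not described on the page.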
LL2352.Book Page 174 Friday, August 22, 2003 3:12 PM