3 User Authentication With Open Directory
Open Directory offers a variety of options for authenticating users whose accounts are stored in directory domains on Mac OS X Server, including Kerberos and the many authentication methods that network services require.
Open Directory can authenticate users by:
Using single signon with the Kerberos KDC built into Mac OS X Server
Using a password stored securely in the Open Directory Password Server database
Using a shadow password stored as several hashes, including NT and LAN Manager, in a file that only the root user can access
Using a crypt password stored directly in the user's account, for backward compatibility with legacy systems
Using a non-Apple LDAP server for LDAP bind authentication
In addition, Open Directory lets you set up specific password policies for each user, such as automatic password expiration and minimum password length. (Password policies do not apply to shadow passwords, crypt passwords, or LDAP bind authentication.)
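The practical question an administrator has after reading the list above is which of these mechanisms a given account actually uses, and therefore whether the password policies just mentioned will be enforced for it. The following Python script is an added example, not part of this manual or of Apple's tools: it parses the AuthenticationAuthority attribute as printed by a `dscl ... -read /Users/<name> AuthenticationAuthority` command and maps each value to the mechanism from the list. The tag names it recognizes (;Kerberosv5; ;ApplePasswordServer; ;ShadowHash; ;basic;) are Apple's real tags but are not listed on this page; the assumption that a record with no AuthenticationAuthority value falls back to the crypt password in the record is likewise not stated here. All sample `dscl` output, key material and addresses are constructed for the demonstration.

```python
import re

# Apple's AuthenticationAuthority tag names (not listed on this page), mapped to
# the mechanism from the chapter and whether password policies apply to it.
MECHANISMS = {
    "Kerberosv5": ("Kerberos KDC / single signon", True),
    "ApplePasswordServer": ("Open Directory Password Server", True),
    "ShadowHash": ("shadow password file (readable only by root)", False),
    "basic": ("crypt password stored in the user record", False),
}

# Constructed dscl(1) output for four users. Key material, realm and IP address
# are placeholders; "No such key" stands for a record without the attribute.
SAMPLE_RECORDS = {
    "anne": "AuthenticationAuthority: ;ApplePasswordServer;0x0123456789abcdef,1024 35 1234567:192.0.2.10"
            " ;Kerberosv5;;anne@EXAMPLE.COM;EXAMPLE.COM;1024 35 1234567",
    "bob": "AuthenticationAuthority: ;ShadowHash;",
    "carol": "AuthenticationAuthority: ;basic;",
    "dave": "No such key: AuthenticationAuthority",
}


def parse_authentication_authority(dscl_output: str) -> list[str]:
    """Return the individual ;tag;data values from a dscl read of the attribute."""
    prefix = "AuthenticationAuthority:"
    line = dscl_output.strip()
    if not line.startswith(prefix):
        return []  # attribute absent from the record
    rest = line[len(prefix):].strip()
    # Every value begins with ';' and values may contain spaces (public keys),
    # so split only on whitespace that is immediately followed by ';'.
    return [v for v in re.split(r"\s+(?=;)", rest) if v]


def classify(values: list[str]) -> list[tuple[str, str, bool]]:
    """Map each authority value to (tag, mechanism, password_policies_apply).

    Assumption: a record with no AuthenticationAuthority value authenticates
    against the crypt password stored in the record itself.
    """
    if not values:
        return [("basic",) + MECHANISMS["basic"]]
    result = []
    for value in values:
        tag = value.split(";")[1] if value.startswith(";") else value
        mechanism, policy = MECHANISMS.get(tag, (f"unknown tag {tag!r}", False))
        result.append((tag, mechanism, policy))
    return result


def audit(records: dict[str, str]) -> dict[str, dict]:
    """Per user: mechanisms in use, and whether every one of them enforces password policies."""
    report = {}
    for user, output in records.items():
        entries = classify(parse_authentication_authority(output))
        report[user] = {
            "mechanisms": [tag for tag, _, _ in entries],
            "policies_apply": all(policy for _, _, policy in entries),
        }
    return report


if __name__ == "__main__":
    for user, info in audit(SAMPLE_RECORDS).items():
        flag = "" if info["policies_apply"] else "  <- password policies do not apply"
        print(f"{user:8} {', '.join(info['mechanisms'])}{flag}")
```

A user such as anne, who carries both a Password Server and a Kerberos authority, is within policy scope; bob (shadow hash), carol (crypt) and dave (no attribute, so crypt) are reported as outside it, which is exactly the set of accounts the parenthetical note above says password policies will not cover.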
This chapter describes the authentication options available in Mac OS X Server.
Authentication and Authorization
Services such as the login window and Apple file service request user authentication from Open Directory. Authentication is part of the process by which a service determines whether it should grant a user access to a resource. Usually this process also requires authorization. Authentication proves a user's identity, and authorization determines what the authenticated user is allowed to do. A user typically authenticates by providing a valid name and password. A service can then authorize the authenticated user to access specific resources. For example, file service authorizes full access to folders and files that an authenticated user owns.
LL2352.Book Page 33 Friday, August 22, 2003 3:12 PM