Specifications

Chapter 3 User Authentication With Open Directory 35
Open Directory Authentication
When a user's account has a password type of Open Directory, the user can be
authenticated by Kerberos or the Open Directory Password Server. Neither Kerberos
nor Open Directory Password Server stores the password in the user’s account.
Both Kerberos and Open Directory Password Server store passwords outside the
directory domain and never allow passwords to be read. Passwords can only be set and
verified. Malicious users might attempt to log in over the network hoping to gain
access to Kerberos and Open Directory Password Server. The Open Directory logs can
alert you to unsuccessful login attempts. (See “Viewing Open Directory Status and
Logs” on page 115.)
Password Policies
Both Kerberos and Open Directory Password Server enforce password policies. For
example, a user's password policy can specify a password expiration interval. If the user
is logging in and Open Directory discovers the user’s password has expired, the user
must replace the expired password. Then Open Directory can authenticate the user.
Password policies can disable a user account on a certain date, after a number of days,
after a period of inactivity, or after a number of failed login attempts. Password policies
can also require passwords to be a minimum length, contain at least one letter, contain
at least one numeral, differ from the account name, differ from recent passwords, or be
changed periodically. Open Directory applies the same password policy rules to Open
Directory Password Server and Kerberos, except that Kerberos does not support all the
rules.
Password policies do not affect administrator accounts. Administrators are exempt from
password policies because they can change the policies at will. In addition, enforcing
password policies on administrators would subject them to denial-of-service attacks.
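As an added example (not Apple's code or schema), here is a small Python model of the policy rules listed above: the checks a proposed password must pass, the administrator exemption, and the disable and expiration triggers that decide whether a login can proceed. The Policy and Account classes and their field names are assumptions, and the password history is modelled as digests to reflect that passwords can only be set and verified, never read.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from hashlib import sha256

def digest(pw: str) -> str:
    # Stand-in for set/verify-only storage: history keeps digests, never cleartext.
    return sha256(pw.encode()).hexdigest()

@dataclass
class Policy:  # hypothetical model of the rules listed above, not Apple's schema
    min_length: int = 8
    require_letter: bool = True
    require_numeral: bool = True
    max_password_age_days: int = 90       # expiration interval (periodic change)
    disable_on_date: date | None = None
    disable_after_days: int | None = None  # days after the account was created
    max_inactive_days: int | None = None
    max_failed_logins: int | None = 5

@dataclass
class Account:
    name: str
    created: date
    password_set: date
    last_login: date
    is_admin: bool = False
    failed_logins: int = 0
    recent: list = field(default_factory=list)  # digests of recent passwords

def password_violations(p: Policy, a: Account, candidate: str) -> list:
    """Rules a proposed new password breaks; an empty list means it is accepted."""
    if a.is_admin:  # administrators are exempt, as the text states
        return []
    rules = [
        (len(candidate) < p.min_length, "minimum length"),
        (p.require_letter and not any(c.isalpha() for c in candidate), "needs a letter"),
        (p.require_numeral and not any(c.isdigit() for c in candidate), "needs a numeral"),
        (candidate.lower() == a.name.lower(), "same as account name"),
        (digest(candidate) in a.recent, "matches a recent password"),
    ]
    return [msg for broken, msg in rules if broken]

def account_state(p: Policy, a: Account, today: date) -> str:
    """'disabled' (login refused), 'expired' (password must be replaced first) or 'ok'."""
    if a.is_admin:
        return "ok"
    if (p.disable_on_date is not None and today >= p.disable_on_date
            or p.disable_after_days is not None and (today - a.created).days >= p.disable_after_days
            or p.max_inactive_days is not None and (today - a.last_login).days > p.max_inactive_days
            or p.max_failed_logins is not None and a.failed_logins >= p.max_failed_logins):
        return "disabled"
    return "expired" if (today - a.password_set).days > p.max_password_age_days else "ok"
```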
Which Users Can Have Open Directory Passwords
All user accounts stored on a server with Mac OS X Server version 10.3 can be
configured to have a password type of Open Directory. User accounts in the server's
local directory domain can be configured to have a password type of Open Directory. If
this server hosts a shared directory domain, user accounts in it can also be configured
to have a password type of Open Directory.
Users who need to log in using the login window of Mac OS X version 10.1 or earlier
must be configured to use crypt passwords. The password type doesn’t matter for
other services. For example, a user could authenticate for Apple file service with an
Open Directory password.
LL2352.Book Page 35 Friday, August 22, 2003 3:12 PM