Specifications

36 Chapter 3 User Authentication With Open Directory
Open Directory Password Server Authentication Methods
The Open Directory Password Server is based on a standard known as Simple Authentication and Security Layer (SASL). It is an extensible authentication scheme that allows Open Directory Password Server to support a variety of network user authentication methods required by mail service, file services, and other services of Mac OS X Server. Each service negotiates with Open Directory Password Server for an authentication method before exchanging user credentials.
The Open Directory Password Server supports authentication methods that do not require a clear text password to be stored in the Open Directory Password Server database. Only encrypted passwords, called hashes, are stored in the database. These methods are CRAM-MD5, DHX, Digest-MD5, MS-CHAPv2, SMB-NT, and SMB-LAN Manager.
No one—including an administrator and the root user—can recover encrypted passwords by reading them from the database. An administrator can use Workgroup Manager to set a user’s password, but can’t read any user’s password.
In addition, Open Directory Password Server supports authentication methods that may require a clear text password to be stored in the authentication database. These methods are APOP and WebDAV-Digest.
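To show why a method such as APOP needs the clear text password while a digest-style method can be verified from a stored hash, here is an added Python example; it is not Apple's code, the APOP and simplified Digest computations follow RFC 1939 and RFC 2617 rather than the Password Server's own implementation, and the user, realm, password and server banner are constructed values.

```python
import hashlib
import hmac

# Constructed sample credentials; not values from the page.
USER, REALM, PASSWORD = "alice", "example.com", "correct horse battery"


def apop_client_digest(banner: str, password: str) -> str:
    """APOP (RFC 1939): client returns MD5(server timestamp banner + password)."""
    return hashlib.md5((banner + password).encode()).hexdigest()


def apop_server_verify(banner: str, digest: str, stored_secret: str) -> bool:
    """The server must recompute the same MD5, so stored_secret has to be the
    clear text password; a stored hash of the password cannot be used here."""
    expected = apop_client_digest(banner, stored_secret)
    return hmac.compare_digest(digest, expected)


def digest_ha1(user: str, realm: str, password: str) -> str:
    """Digest-style methods (HTTP Digest / SASL DIGEST-MD5) let the server keep
    HA1 = MD5(user:realm:password) instead of the password itself."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """Simplified RFC 2617 response (no qop/cnonce), computed from HA1 only."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def digest_server_verify(stored_ha1: str, nonce: str, method: str, uri: str,
                         response: str) -> bool:
    """Verification needs only the stored HA1. HA1 is still a password
    equivalent for this realm, so the store must be protected just as tightly."""
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    banner = "<1896.697170952@example.com>"  # constructed server banner
    d = apop_client_digest(banner, PASSWORD)
    ha1 = digest_ha1(USER, REALM, PASSWORD)
    print("APOP, clear text stored:", apop_server_verify(banner, d, PASSWORD))
    print("APOP, only hash stored: ", apop_server_verify(banner, d, ha1))
    r = digest_response(ha1, "nonce-1", "GET", "/")
    print("Digest, only hash stored:", digest_server_verify(ha1, "nonce-1", "GET", "/", r))
```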
Note: If you connect Mac OS X Server version 10.3 or later to a directory domain of Mac OS X Server version 10.2 or earlier, be aware that users defined in the older directory domain cannot be authenticated with the MS-CHAPv2 method. This method may be required to securely authenticate users for the VPN service of Mac OS X Server version 10.3 and later. Open Directory Password Server in Mac OS X Server version 10.3 supports MS-CHAPv2 authentication, but Password Server in Mac OS X Server version 10.2 does not support MS-CHAPv2.
Contents of Open Directory Password Server Database
Open Directory Password Server maintains an authentication database separate from the Mac OS X Server directory domain. Open Directory tightly restricts access to the authentication database, whereas anyone on the network can access the directory domain.
Open Directory Password Server maintains a record in its authentication database for each user account that has a password type of Open Directory. An authentication record includes the following:
The user’s password ID is a 128-bit value assigned when the password is created. It is also stored in the user’s record in the directory domain and is used as a key for finding a user’s record in the Open Directory Password Server database.
LL2352.Book Page 36 Friday, August 22, 2003 3:12 PM