Specifications

Chapter 3 User Authentication With Open Directory 37
The password is stored in recoverable (clear text) or hashed (encrypted) form. The form depends on the authentication method. A recoverable password is stored for the APOP and WebDAV authentication methods. For all other methods, the record stores a hashed (encrypted) password. If no authentication method requiring a clear text password is enabled, the Open Directory authentication database stores only hashes of passwords.
The user’s short name, for use in log messages viewable in Server Admin.
Password policy data.
Kerberos Authentication
Kerberos is a network authentication protocol developed at MIT to provide secure authentication and communication over open networks. In addition, Kerberos enables single signon authentication (see “Single Signon” on page 39).
Mac OS X and Mac OS X Server versions 10.2 and later support Kerberos v5. If your network already has a Kerberos Key Distribution Center (KDC), you can set up your Mac OS X computers to use it for authentication.
If a server with Mac OS X Server version 10.3 has a shared LDAP directory, the server also has a Kerberos KDC built in. This KDC can authenticate all users whose accounts are stored in a directory domain on the server and whose password type is Open Directory. The built-in KDC requires minimal setup. Computers with Mac OS X version 10.3 and later require minimal setup to use the Mac OS X Server KDC for authentication of user accounts stored on the server.
Kerberized Services
Kerberos can authenticate users for the following services of Mac OS X Server:
Login window
Mail service
FTP
AFP service
SSH
These services have been “Kerberized.” Only services that have been Kerberized can use Kerberos to authenticate a user.
Kerberos Principals and Realms
Kerberized services are configured to authenticate principals who are known to a particular Kerberos realm. You can think of a realm as a particular Kerberos database or authentication domain, which contains validation data for users, services, and sometimes servers, which are all known as principals. For example, a realm contains principals’ secret keys, which are the result of a one-way function applied to passwords. Service principals are generally based on randomly generated secrets rather than passwords.
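The realm described above, modelled as an added example (not code from the guide or from Apple): user principals get a key derived from the password by the Kerberos v5 AES string-to-key salt convention and PBKDF2 stage of RFC 3962 (the final DK() step is omitted, an assumption noted in the code), service principals get random secrets, and the database holds only keys, never passwords. Realm and principal names are constructed; the ATHENA.MIT.EDU/raeburn pair is the RFC 3962 test vector.

```python
import hashlib
import hmac
import secrets

KRB5_PBKDF2_ITERATIONS = 4096   # RFC 3962 default iteration count


def parse_principal(name):
    """Split 'user@REALM' or 'service/host@REALM' into (components, realm)."""
    if "@" not in name:
        raise ValueError("principal must carry a realm: " + name)
    local, realm = name.rsplit("@", 1)
    return local.split("/"), realm


def krb5_salt(principal):
    """Default Kerberos v5 salt: the realm followed by the name components."""
    comps, realm = parse_principal(principal)
    return realm + "".join(comps)


def password_to_key(principal, password, iterations=KRB5_PBKDF2_ITERATIONS):
    """One-way function applied to a password: the PBKDF2-HMAC-SHA1 stage of
    RFC 3962. Assumption: the DK() step that yields the final AES key is left out,
    so this is the RFC's '128-bit PBKDF2 output', not the AES key itself."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(),
                               krb5_salt(principal).encode(), iterations, 16)


class Realm:
    """A realm's database: principal name -> secret key. No password is stored."""

    def __init__(self, name):
        self.name = name
        self.keys = {}

    def add_user(self, principal, password):
        _, realm = parse_principal(principal)
        if realm != self.name:
            raise ValueError(f"{principal} is not in realm {self.name}")
        self.keys[principal] = password_to_key(principal, password)

    def add_service(self, principal):
        # Service principals are keyed by a random secret rather than a password
        self.keys[principal] = secrets.token_bytes(16)

    def verify_password(self, principal, password):
        key = self.keys.get(principal)
        if key is None:
            return False
        return hmac.compare_digest(key, password_to_key(principal, password))
```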
LL2352.Book Page 37 Friday, August 22, 2003 3:12 PM