Specifications
Chapter 4 Open Directory Planning 49
Open Directory Security
With Mac OS X Server version 10.3, a server that has a shared LDAP directory domain
also provides Open Directory authentication. The authentication data it stores, the
Open Directory Password Server database and the Kerberos database, is the most
sensitive data on the server: anyone who obtains a copy can recover or forge
credentials for every user in the domain. Therefore you need to make sure that an
Open Directory master and all Open Directory replicas are secure:
• Physical security of a server that is an Open Directory master or replica is paramount.
It should be behind a locked door. It should always be left logged out.
• Secure the media you use to back up an Open Directory Password Server database
and a Kerberos database. Having your Open Directory servers behind locked doors
won’t protect a backup tape that you leave on your desk every night.
• If possible, do not use a server that is an Open Directory master or replica to provide
any other services. If you can’t dedicate servers to be Open Directory master and
replicas, at least minimize the number of other services they provide. A security
breach in any other service running on the same server could give an attacker
unauthorized access to the Kerberos or Open Directory Password Server databases.
Dedicating servers to providing Open Directory services is the optimal practice but
not required.
• Avoid using a RAID volume that’s shared with other computers as the startup volume
of a server that is an Open Directory master or replica. A security breach on one of
the other computers could jeopardize the security of the Open Directory
authentication information.
• Set up IP firewall service to block all ports except ports used for directory,
authentication, and administration protocols:
  • Open Directory Password Server uses TCP ports 106 and 3659.
  • The Kerberos KDC uses TCP/UDP port 88, and TCP/UDP port 749 is used for
  Kerberos administration.
  • The shared LDAP directory uses TCP port 389 for an ordinary connection and TCP
  port 636 for an SSL connection.
  • Workgroup Manager uses TCP ports 311 and 625.
  • Server Admin uses TCP port 311.
  • SMB uses UDP ports 137 and 138 and TCP ports 139 and 445. Open these only if
  the server must also provide Windows services; they are not needed for Open
  Directory itself.
• Equip the Open Directory master computer with an uninterruptible power supply.
In summary, the most secure and best practice is to dedicate each server that is an
Open Directory master or replica to provide only Open Directory services. Set up a
firewall on each of these servers to allow only directory access, authentication, and
administration protocols: LDAP, Password Server, Kerberos, Workgroup Manager, and
Server Admin. Physically secure each Open Directory server and all backup media
used with it.
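The following script is an added example and is not part of Apple’s guide or its tools. It turns the port list above into an ipfw rule set of the form the IP firewall service on Mac OS X Server 10.3 accepts, and it audits a `netstat -an` listing against the same allowlist so you can see which listening services on a master or replica fall outside the directory, authentication, and administration protocols. The rule numbers, the choice to allow loopback and established traffic, the default exclusion of the SMB ports, and the sample netstat output are all assumptions made for this example; the sample output is constructed, not captured from a real server.

```python
"""Build an ipfw allowlist for an Open Directory master or replica and audit
a netstat listing against it.  Added example; not Apple's code or guide text."""

# Ports as listed in the chapter: (service, protocol, port).
DIRECTORY_PORTS = [
    ("ldap", "tcp", 389),
    ("ldaps", "tcp", 636),
    ("password-server", "tcp", 106),
    ("password-server", "tcp", 3659),
    ("kerberos-kdc", "tcp", 88),
    ("kerberos-kdc", "udp", 88),
    ("kerberos-admin", "tcp", 749),
    ("kerberos-admin", "udp", 749),
    ("server-admin", "tcp", 311),       # Workgroup Manager uses 311 as well
    ("workgroup-manager", "tcp", 625),
]

# Only needed if the server also provides Windows services; excluded by default
# because the chapter's summary limits the firewall to directory/auth/admin protocols.
SMB_PORTS = [
    ("smb", "udp", 137), ("smb", "udp", 138),
    ("smb", "tcp", 139), ("smb", "tcp", 445),
]


def allowlist(allow_smb=False):
    """Return the set of (proto, port) pairs the firewall should admit."""
    entries = DIRECTORY_PORTS + (SMB_PORTS if allow_smb else [])
    return {(proto, port) for _, proto, port in entries}


def ipfw_rules(allow_smb=False, start=1000, step=10):
    """Emit ipfw(8) commands: loopback, one allow per listed port, replies to
    connections the server opened, then a catch-all deny on inbound traffic.
    Rule numbering is an assumption of this example."""
    rules = ["ipfw add %05d allow ip from any to any via lo0" % start]
    num = start + step
    for _, proto, port in DIRECTORY_PORTS + (SMB_PORTS if allow_smb else []):
        rules.append("ipfw add %05d allow %s from any to me %d in" % (num, proto, port))
        num += step
    rules.append("ipfw add %05d allow tcp from any to any established" % num)
    rules.append("ipfw add 65000 deny ip from any to any in")
    return rules


def audit_listeners(netstat_text, allow_smb=False):
    """Parse BSD-style `netstat -an` output and return sorted (proto, port)
    pairs that accept network connections but are outside the allowlist."""
    allowed = allowlist(allow_smb)
    unexpected = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue                      # headers and non-IP sockets
        proto = fields[0][:3]
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue                      # established/closing sockets are not services
        host, _, port = fields[3].rpartition(".")
        if not port.isdigit() or host.startswith("127."):
            continue                      # loopback-only listeners are not network-reachable
        if (proto, int(port)) not in allowed:
            unexpected.add((proto, int(port)))
    return sorted(unexpected)


# Constructed sample in the format of `netstat -an` on Mac OS X; not real output.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.389           10.0.0.21.49152        ESTABLISHED
tcp4       0      0  *.389                  *.*                    LISTEN
tcp4       0      0  *.636                  *.*                    LISTEN
tcp4       0      0  *.106                  *.*                    LISTEN
tcp4       0      0  *.3659                 *.*                    LISTEN
tcp4       0      0  *.88                   *.*                    LISTEN
tcp4       0      0  *.749                  *.*                    LISTEN
tcp4       0      0  *.311                  *.*                    LISTEN
tcp4       0      0  *.625                  *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
udp4       0      0  *.88                   *.*
udp4       0      0  *.749                  *.*
udp4       0      0  *.123                  *.*
"""

if __name__ == "__main__":
    print("\n".join(ipfw_rules()))
    print("listeners outside the allowlist:", audit_listeners(SAMPLE_NETSTAT))
```

On the sample listing the audit flags the web server on TCP 80, SSH on TCP 22, and NTP on UDP 123: each is a service the chapter says to remove from a dedicated Open Directory server or, if it must stay, to account for deliberately in the firewall rules. The loopback-only CUPS listener on 631 is skipped because it is not reachable from the network. Run the audit on a replica after applying the rules and again after every change to the set of services it provides.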
LL2352.Book Page 49 Friday, August 22, 2003 3:12 PM