6 Managing User Authentication
The authentication services included with Mac OS X
Server don’t require any setup, but you can change how
each user is authenticated.
Mac OS X Server can authenticate users by:
• Using single signon with the Kerberos Key Distribution Center (KDC) built into
Mac OS X Server
• Using a password stored securely in the Open Directory Password Server database
• Using a shadow password stored as several hashes, including NT and LAN Manager,
in a file that only the root user can access
• Using a crypt password stored directly in the user’s account
• Using a non-Apple LDAP server for simple LDAP bind authentication
Single signon and Kerberos authentication require minimal setup of Mac OS X Server.
The other authentication options require no setup of Mac OS X Server.
You can manage how Mac OS X Server uses the available options to authenticate users.
For task descriptions and instructions, see:
• “Composing a Password” on page 72
• “Changing a User’s Password” on page 72
• “Resetting the Passwords of Multiple Users” on page 73
• “Changing the Global Password Policy” on page 74
• “Setting Password Policies for Individual Users” on page 75
• “Changing a User’s Password Type” on page 76
This includes changing the password type to Open Directory, shadow password, or
crypt password; and enabling single signon, Kerberos, or LDAP bind authentication.
• “Assigning Administrator Rights for Open Directory Authentication” on page 80
• “Exporting and Importing Users Whose Password Type Is Open Directory” on page 81
• “Migrating Passwords to Open Directory Authentication” on page 82
LL2352.Book Page 71 Friday, August 22, 2003 3:12 PM