Setup guide

certificates as discussed in “Creating an SSL Certificate for LDAP
Services,” this can be accomplished as follows:
a. Copy the files ldapserver.crt, ldapserver.key, and ca.crt
from the CA to the /System/Library/OpenSSL/certs directory on
the LDAP server. Use a removable medium such as a CD or USB
Flash memory; do not copy the files over the network.
b. Enter the location for the ldapserver.crt file in the “SSL
Certificate” field.
c. Enter the location for the ldapserver.key file in the “SSL Key”
field.
d. Enter the location for the ca.crt file in the “CA Certificate” field.
7. Click Save.

4.5.3 Configure Authentication Policies

If the system is running as an Open Directory Master or Replica, then the directory
domain’s password policies can be configured through Server Admin. From the Open
Directory panel in Server Admin, do the following to configure password policies:
1. Click on the Settings tab.
2. Click on the Authentication button at the top of the pane.
3. In the “Disable accounts” section, place a check in the box for “on” and
enter a date when the account will no longer be needed.
4. Place a check in the box for “after ___” failed login attempts and enter 3 in
the text field or whatever is required by site policy.
5. In the “Passwords must” section, place a check in the box for “be at least
__” characters long and enter 12 in the text field.
6. Place a check in the box for “contain at least one letter.”
7. Place a check in the box for “contain at least one numeric character.”
8. Place a check in the box for “differ from account name.”
9. Place a check in the box for “differ from the last __ passwords used” and
enter 3.
10. Place a check in the box for “be changed every” and set it to 90 days.
11. Click Save.
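
The settings from steps 4 through 10 can be verified from the command line. The script below is an added example, not part of the original guide: it audits the key=value string printed by pwpolicy -getglobalpolicy against the values listed above. The key names come from the pwpolicy man page; which key each Server Admin checkbox writes, the reading of 90 days as 129600 minutes, and the helper names (get_key, is_uint, audit_policy, SAMPLE) are this example's assumptions, and the site-specific disable date from step 3 is not checked.

```sh
#!/bin/sh
# Added example: compare a pwpolicy global-policy string with the guide's values.
# Key names are from pwpolicy(8); the checkbox-to-key mapping is an assumption.
# get_key POLICY KEY: print KEY's value; return 1 if KEY is absent.
get_key() {
    for pair in $1; do
        case "$pair" in
            "$2="*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# is_uint VALUE: succeed only for a non-empty string of digits.
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# audit_policy POLICY: print one FAIL line per non-compliant key;
# return 0 when every rule passes, 1 otherwise.
audit_policy() {
    failures=0
    # key:op:value; eq = exactly, min = at least, max = 1..value (0 = disabled).
    # 129600 minutes = 90 days.
    for rule in requiresAlpha:eq:1 requiresNumeric:eq:1 \
        passwordCannotBeName:eq:1 minChars:min:12 usingHistory:min:3 \
        maxFailedLoginAttempts:max:3 maxMinutesUntilChangePassword:max:129600
    do
        key=${rule%%:*}; rest=${rule#*:}; op=${rest%%:*}; want=${rest#*:}
        have=$(get_key "$1" "$key") || have=
        ok=0
        if is_uint "$have"; then
            case "$op" in
                eq)  [ "$have" -eq "$want" ] && ok=1 ;;
                min) [ "$have" -ge "$want" ] && ok=1 ;;
                max) [ "$have" -ge 1 ] && [ "$have" -le "$want" ] && ok=1 ;;
            esac
        fi
        if [ "$ok" -eq 0 ]; then
            printf 'FAIL %s: have "%s", need %s %s\n' "$key" "$have" "$op" "$want"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample in the "key=value key=value" form pwpolicy prints.
SAMPLE="usingHistory=0 requiresAlpha=1 requiresNumeric=0 maxMinutesUntilChangePassword=0 maxFailedLoginAttempts=0 minChars=8 passwordCannotBeName=1"
audit_policy "$SAMPLE" || echo "policy does not meet the guide's settings"
```

To audit a live server, pass audit_policy the output of pwpolicy -getglobalpolicy in place of SAMPLE.
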

4.6 Securing Web Services

Mac OS X Server includes an installation of the Apache Web Server version 1.3. It
also ships with Apache version 2 for evaluation purposes, but version 1.3 is
recommended. First, the web server software should be deactivated if the system is
UNCLASSIFIED