Chapter 15 Configuring and Managing Open Directory 261
Managing Open Directory Passwords
When a user’s account has a password type of Open Directory, the user can be
authenticated by Kerberos or the Open Directory Password Server.
Kerberos is a network authentication system that uses credentials issued by a trusted
server.
The Open Directory Password Server supports traditional password authentication
methods that some network services or users’ client applications require.
Services can be configured to not allow Kerberos; in that case, they use Password Server
for user accounts with Open Directory passwords.
Neither Kerberos nor the Open Directory Password Server stores the password in the
user’s account. Both Kerberos and the Open Directory Password Server store passwords
in secure databases apart from the directory domain and they never allow passwords
to be read. Passwords can only be set and verified.
Open Directory Password Server
Password Server uses standard Simple Authentication and Security Layer (SASL)
technology to negotiate an authentication method between a client and a service.
Password Server supports multiple authentication methods, including APOP, CRAM-MD5,
DHX, Digest-MD5, MS-CHAPv2, NTLMv1 and NTLMv2, LAN Manager, and WebDAV-Digest.
Open Directory also provides authentication services using shadow passwords, which
support the same authentication methods as Password Server.
To back up and restore the Password Server and Kerberos databases, use the
slapconfig tool with the -backupdb and -restoredb options, respectively. You can
also use this tool with the -mergedb option to merge a backup archive into an existing
directory system. For more information, see the slapconfig man page.
To create or modify the password database used by Password Server, use the mkpassdb
tool. For more information, see the mkpassdb man page.
Viewing or Changing Password Policies
To view or change the authentication policies used by Password Server, use the
pwpolicy tool. For more information, see the pwpolicy man page.
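As an added example (not part of this guide), the following POSIX shell script audits the one-line key=value output that pwpolicy -getglobalpolicy prints, flagging settings that fall below a baseline. The two policy lines, the baseline thresholds, and the /LDAPv3/127.0.0.1 node and diradmin account named in the comment are constructed assumptions; the policy key names follow pwpolicy's own policy syntax.

```shell
#!/bin/sh
# Audit an Open Directory global password policy against a minimum baseline.
# `pwpolicy -getglobalpolicy` prints the policy as one line of key=value pairs;
# on a server you would capture it with something like (assumed node and admin):
#   POLICY=$(pwpolicy -a diradmin -n /LDAPv3/127.0.0.1 -getglobalpolicy)
# The two policy lines below are CONSTRUCTED samples so the script runs offline.

WEAK_POLICY="usingHistory=0 usingExpirationDate=0 requiresAlpha=0 requiresNumeric=0 maxFailedLoginAttempts=0 minChars=0 passwordCannotBeName=0"
HARDENED_POLICY="usingHistory=5 usingExpirationDate=1 requiresAlpha=1 requiresNumeric=1 maxFailedLoginAttempts=5 minChars=12 passwordCannotBeName=1"

# policy_value POLICY KEY: print the value of KEY, or "unset" if absent.
policy_value() {
  for pair in $1; do
    case "$pair" in
      "$2="*) printf '%s\n' "${pair#*=}"; return 0 ;;
    esac
  done
  printf 'unset\n'
}

# require_min POLICY KEY MIN WHY: print a finding if KEY is unset or below MIN.
require_min() {
  v=$(policy_value "$1" "$2")
  case "$v" in
    unset) printf '%s=unset: %s\n' "$2" "$4" ;;
    *) [ "$v" -ge "$3" ] || printf '%s=%s: %s\n' "$2" "$v" "$4" ;;
  esac
}

# audit_policy POLICY: print one line per weak setting (nothing if none).
audit_policy() {
  require_min "$1" minChars 8 "minimum length below 8"
  require_min "$1" maxFailedLoginAttempts 1 "no lockout after failed logins"
  require_min "$1" usingHistory 1 "password reuse not prevented"
  require_min "$1" requiresAlpha 1 "letters not required"
  require_min "$1" requiresNumeric 1 "digits not required"
  require_min "$1" passwordCannotBeName 1 "password may equal the user name"
}

# finding_count POLICY: number of weak settings found (0 when the policy passes).
finding_count() {
  audit_policy "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report on the constructed weak policy.
audit_policy "$WEAK_POLICY"
```

Each finding names the key and its current value, so the corresponding fix is a matching key=value pair passed to pwpolicy -setglobalpolicy.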
Kerberos and Apple Single Sign-On
A robust authentication server that uses MIT’s Kerberos Key Distribution Center (KDC) is
built into Open Directory—providing strong authentication with support for secure
single sign-on. That means users authenticate once, with a single user name and
password pair, to access a broad range of Kerberized network services.