Apple 10.6 Server User Manual


 
Chapter 4 Enhancing Security 57
In Mac OS X Server, users trying to access services (like logging in to a directory-aware
workstation, or trying to mount a remote volume) must authenticate by providing a
login name and password before privileges for the users can be determined.
You have several options for authenticating users:
• Open Directory authentication. Based on the standard Simple Authentication
and Security Layer (SASL) protocol, Open Directory authentication supports many
authentication methods, including CRAM-MD5, APOP, WebDAV, SHA-1, LAN Manager,
NTLMv2, and Kerberos.
Open Directory authentication lets you set up password policies for individual users
or for all users whose records are stored in a directory, with exceptions if required.
Open Directory authentication also lets you specify password policies for individual
directory replicas.
For example, you can specify a minimum password length or require a user to
change the password the next time he or she logs in. You can also disable login for
inactive accounts or after a specified number of failed login attempts.
• Kerberos v5 authentication. Using Kerberos authentication allows integration
into existing Kerberos environments. The Key Distribution Center (KDC) on
Mac OS X Server offers full support for password policies you set up on the server.
Using Kerberos also provides a feature known as single sign-on, described in the next
section.
The following services on Mac OS X Server support Kerberos authentication:
  • Address Book Server
  • Apple Filing Protocol (AFP)
  • File Transfer Protocol (FTP)
  • iCal Server
  • iChat Server
  • Login window
  • Mail Services
  • Network Filing Protocol (NFS)
  • Open Directory (LDAPv3)
  • Printing (IPP)
  • Screen saver
  • Secure Shell (SSH)
  • Server Message Block file service (SMB)
  • Virtual Private Network (VPN)
  • Virtual Network Computing (VNC, known as Screen Sharing in Mac OS X Server)
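
The password policy settings described under Open Directory authentication above (minimum length, lockout after failed logins, disabling inactive accounts) can be checked against a baseline. The following is an added example, not part of the manual: it assumes the policy is available as the space-separated key=value string printed by the pwpolicy tool, and the baseline thresholds and sample strings are constructed for illustration.

```python
# Added example: audit a password-policy string against a baseline.
# Assumption: the policy is a space-separated list of key=value pairs, the
# form printed by Mac OS X Server's pwpolicy tool (pwpolicy -getglobalpolicy),
# and a value of 0 means the control is switched off.

# Constructed baseline; thresholds are illustrative, not Apple recommendations.
BASELINE = {
    "minChars": ("min", 8),                 # minimum password length
    "maxFailedLoginAttempts": ("max", 5),   # lock out after N failed logins
    "maxMinutesOfNonUse": ("max", 129600),  # disable after 90 days inactive
}

def parse_policy(text):
    """Parse 'k=v k=v ...' into a dict of ints; malformed tokens are skipped."""
    policy = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep and value.isdigit():
            policy[key] = int(value)
    return policy

def audit(text):
    """Return a sorted list of findings; an empty list means baseline met."""
    policy = parse_policy(text)
    findings = []
    for key, (kind, limit) in BASELINE.items():
        value = policy.get(key, 0)  # a missing key is treated as disabled
        if value == 0:
            findings.append(f"{key}: not enforced")
        elif kind == "min" and value < limit:
            findings.append(f"{key}: {value} is below {limit}")
        elif kind == "max" and value > limit:
            findings.append(f"{key}: {value} exceeds {limit}")
    return sorted(findings)

# Constructed sample policy strings.
WEAK = ("minChars=4 maxFailedLoginAttempts=0 "
        "maxMinutesOfNonUse=0 newPasswordRequired=0")
STRONG = ("minChars=12 maxFailedLoginAttempts=5 "
          "maxMinutesOfNonUse=43200 newPasswordRequired=1")

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit(text) or "meets baseline")
```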