Apple Mac OS X Server Network Card User Manual


 
260 Chapter 15 Working with Open Directory
Managing Open Directory Passwords
When a user’s account has a password type of Open Directory, the user can be
authenticated by Kerberos or the Open Directory Password Server. Kerberos is a
network authentication system that uses credentials issued by a trusted server.
The Open Directory Password Server supports the traditional password authentication
methods that some network services or users’ client applications require. Services can
be configured to not allow Kerberos, in which case they use Password Server for user
accounts with Open Directory passwords.
Neither Kerberos nor the Open Directory Password Server stores the password in the
user’s account. Both Kerberos and the Open Directory Password Server store passwords
in secure databases apart from the directory domain and never allow passwords to be
read. Passwords can only be set and verified.
Open Directory Password Server
Password Server uses the standard Simple Authentication and Security Layer (SASL)
technology to negotiate an authentication method between a client and a service.
It supports multiple authentication methods including APOP, CRAM-MD5, DHX, Digest-MD5, MS-CHAPv2, NTLMv1 and NTLMv2, LAN Manager, and WebDAV-Digest.
Open Directory also provides authentication services using shadow passwords, which
support the same authentication methods as Password Server.
You can use the mkpassdb tool to create, modify, or back up the password database used by the Mac OS X Server Password Server. See the mkpassdb man page for more information.
Viewing or Changing Password Policies
You can use the pwpolicy tool to view or change the authentication policies used by
the Mac OS X Server Password Server. See the pwpolicy man page for more
information.
Enabling or Disabling Authentication Methods
All password authentication methods supported by the Open Directory Password
Server are initially enabled. You can disable and enable the Open Directory Password
Server authentication methods by using the NeST tool.
To see a list of available methods:
$ NeST -getprotocols
To disable or enable a method:
$ NeST -setprotocols protocol (on|off)
Replace protocol with any of the protocol names listed by NeST -getprotocols (for example, SMB-LAN-MANAGER). For information about the available methods, see the Open Directory administration guide.
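The following script is an added example, not part of Apple's guide: it reads the listing printed by NeST -getprotocols and prints the NeST -setprotocols commands that would turn off the weaker methods (LAN Manager, NTLMv1, APOP, CRAM-MD5) that are still enabled, so an administrator can review them before running them. The line format "<name> <on|off>" (with an optional ":" or "=" separator) and every protocol name other than SMB-LAN-MANAGER are assumptions to check against the real -getprotocols output.

```sh
#!/bin/sh
# Added example (not from Apple's guide). Assumed input format: one method
# per line, "<name> on" or "<name> off", optionally "<name>: on" / "<name> = on".
# Only SMB-LAN-MANAGER is a name taken from the guide; the other patterns are
# assumptions, so compare them with what "NeST -getprotocols" actually prints.
# Why these are singled out: LAN Manager and NTLMv1 hashes are cheap to crack
# and relay, and APOP / CRAM-MD5 need a plaintext-recoverable secret on the server.
WEAK_PATTERNS='LAN-MANAGER|NTLMV1|APOP|CRAM-MD5'

# plan_disable: read a protocol listing on stdin, print one
# "NeST -setprotocols <name> off" line per weak method that is still on.
# Nothing is executed here; the output is a plan for the administrator.
plan_disable() {
    while IFS= read -r line; do
        # normalise separators so "NAME: on", "NAME = on" and "NAME on" all parse
        set -- $(printf '%s\n' "$line" | tr ':=' '  ')
        [ $# -ge 2 ] || continue
        name=$1
        state=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
        upper=$(printf '%s' "$name" | tr 'a-z' 'A-Z')
        if [ "$state" = on ] && printf '%s\n' "$upper" | grep -Eq "$WEAK_PATTERNS"; then
            printf 'NeST -setprotocols %s off\n' "$name"
        fi
    done
}

# Constructed sample listing (not real NeST output) used when NeST is absent.
SAMPLE='APOP: on
CRAM-MD5: on
DIGEST-MD5: on
SMB-LAN-MANAGER: on
SMB-NTLMv2: on
WEBDAV-DIGEST: off'

# Use the live listing only when the NeST tool is present on this machine.
if command -v NeST >/dev/null 2>&1; then
    NeST -getprotocols | plan_disable
else
    printf '%s\n' "$SAMPLE" | plan_disable
fi
```

Methods that Password Server needs for clients you still support (for example Windows clients that can only do NTLMv1) should be removed from WEAK_PATTERNS before acting on the plan.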