Apple Mac OS X Server (Version 10.6 Snow Leopard) User Manual
Page 57

Chapter 4
Enhancing Security
In Mac OS X Server, users trying to access services (like logging in to a directory-aware
workstation, or trying to mount a remote volume) must authenticate by providing a
login name and password before privileges for the users can be determined.
You have several options for authenticating users:
• Open Directory authentication. Based on the standard Simple Authentication
and Security Layer (SASL) protocol, Open Directory authentication supports many
authentication methods, including CRAM-MD5, APOP, WebDAV, SHA-1, LAN Manager,
NTLMv2, and Kerberos.
Open Directory authentication lets you set up password policies for individual users
or for all users whose records are stored in a directory, with exceptions if required.
Open Directory authentication also lets you specify password policies for individual
directory replicas.
For example, you can specify a minimum password length or require a user to
change the password the next time he or she logs in. You can also disable login for
inactive accounts or after a specified number of failed login attempts.
• Kerberos v5 authentication. Using Kerberos authentication allows integration
into existing Kerberos environments. The Key Distribution Center (KDC) on
Mac OS X Server offers full support for password policies you set up on the server.
Using Kerberos also provides a feature known as single sign-on, described in the next
section.
The following services on Mac OS X Server support Kerberos authentication:
  • Address Book Server
  • Apple Filing Protocol (AFP)
  • File Transfer Protocol (FTP)
  • iCal Server
  • iChat Server
  • Login window
  • Mail Services
  • Network Filing Protocol (NFS)
  • Open Directory (LDAPv3)
  • Printing (IPP)
  • Screen saver
  • Secure Shell (SSH)
  • Server Message Block file service (SMB)
  • Virtual Private Network (VPN)
  • Virtual Network Computing (VNC, known as Screen Sharing in Mac OS X Server)