Password validation – Apple Mac OS X Server (Administrator’s Guide) User Manual

Users and Groups
If Mac OS X finds a user account containing the name entered by the user, it attempts to
validate the password associated with the account. If the password can be validated, the user
is authenticated and the login or connection process is completed.
After logging in to a Mac OS X computer, a user has access to all the resources, such as
printers and share points, defined in directory domains of the search policy set up for the
user’s computer. A share point is a hard disk (or hard disk partition), CD-ROM disc, or folder
that contains files you want users to share. The user can access his home directory by
clicking Home in a Finder window or in the Finder’s Go menu.
A user does not have to log in to a server to gain access to resources on a network, however.
For example, when a user connects to a Mac OS X computer, the user can access files he or
she is authorized to access on the computer, although the file system may prompt the user
to enter a user name and password first. When a user accesses a server’s resources without
logging in to the server, the search policy of the user’s computer is still in force, not the
search policy of the computer the user has connected with.
Password Validation
When authenticating a user, Mac OS X first locates the user’s account and then uses the
password strategy designated in the user’s account to validate the user’s password. There are
several password strategies from which to choose:
• The password a user provides can be validated using a value stored in the user’s account.
  The account can be stored in a server-resident directory domain or in a directory domain
  that resides on another vendor’s directory server, such as an LDAP or Active Directory
  server.
• The password a user provides can be validated using a value stored in an Open Directory
  Password Server.
• A Kerberos server can be used to validate the password.