Contrasting password validation options – Apple Mac OS X Server (Administrator’s Guide) User Manual
Page 191

Users and Groups
Contrasting Password Validation Options
Here are the pros and cons of the options for validating a user’s password:
• Storing a password in the user’s account. This approach, referred to as the “basic” password validation strategy, is the default strategy. It is the simplest and fastest strategy, since it does not depend on another infrastructure for password validation. It is the strategy most compatible with software that needs to access user records directly, such as legacy UNIX software. It supports users logging in to computers running Mac OS X version 10.1 and earlier as well as Windows users authenticated using Authentication Manager when they log in to a Mac OS X Server version 10.1.

When integrating with existing directory systems, such as LDAP and Active Directory servers, this strategy offers the greatest opportunity for both Mac OS X Server and the directory server to use the same record to authenticate a user who wants to use that server.

This strategy may not support clients that require certain network-secure authentication protocols (such as SMB, APOP, or CRAM-MD5) when transmitting passwords to a particular service. Also, this strategy can make your server vulnerable to offline attacks, since readable versions of passwords are used. See “The Problem With Readable Passwords” on page 194 for more information about offline attacks.

See “Storing Passwords in User Accounts” on page 193 for details about this strategy.
• Using a Password Server. This strategy lets you set up user-specific password policies for users. You can require a user to change his password periodically or use only passwords longer than a minimum number of characters. It supports clients that can use basic authentication as well as clients requiring network-secure authentication protocols that protect the privacy of a password during transmission. It is the recommended method to use for Windows clients. It is the only way to authenticate AFP clients prior to version 3.8.3, because they require AFP 2-Way Random authentication, which Password Server supports.

Password Server passwords can’t be used during login to computers running Mac OS X version 10.1 or earlier. In addition, this strategy relies on the availability of a Password Server on a Mac OS X Server; if the Password Server goes down, password validation cannot occur, because you cannot replicate a Password Server. Also, you must ensure that physical access to the server on which Password Server resides is controlled.

See “Using a Password Server” on page 195 for details about this strategy.
• Using a Kerberos server. This option is not supported by all services but offers the opportunity to integrate into existing Kerberos environments. As in the case of the Password Server, if the Kerberos server is unavailable, users whose passwords are verified using it are unable to use your server.

See “Using Kerberos” on page 197 for details about this strategy.