Exporting users with password server passwords, Making a password server more secure, Monitoring a password server – Apple Mac OS X Server (Administrator’s Guide) User Manual

Users and Groups

On the Advanced tab, click Options to set up the user’s password policy. Click OK when you
are done.

The password ID is a unique 128-bit number assigned when the password is created on the
Password Server. It may be helpful in troubleshooting, since it appears in the Password Server
log when a problem occurs. View this log in the directory services section of Server Status.

Exporting Users With Password Server Passwords

The Password Server does not let you read passwords. Therefore, when you export user
accounts that have Password Server passwords, the passwords are not exported.

When you import such users, you must reset all their passwords after importing their
accounts. “Enabling the Use of a Password Server for a User” on page 196 describes how.

Making a Password Server More Secure

Using a Password Server offers flexible and secure password validation, but you need to make
sure that the server on which a Password Server runs is secure:

• Set up Password Servers on a server that is not used for any other activity.

• Since the load on a Password Server is not particularly high, you can have several (or even
all) of your server-resident directory domains share a single Password Server.

• Make sure that the Password Server’s computer is located in a physically secure location.

Monitoring a Password Server

Use the Password Server logs, visible using Server Status, to monitor failed login attempts.

Password Server logs all failed authentication attempts, including IP addresses that generate
them. Periodically review the logs to determine whether there are a large number of failed
trials for the same password ID, indicating that somebody may be generating login guesses.
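
The review described above can be scripted. The following is an added example, not part of the original manual or Apple's tooling: it counts failed attempts per password ID and lists the source IP addresses behind them. The log line layout, the sample lines, and the function names are constructed for illustration; this page does not show the real Password Server log format, so adapt the regular expression to the actual log.

```python
import re
from collections import defaultdict

# Constructed sample lines. The layout is an assumption, not the real log format.
ID_A = "3e1f9a6c2b7d4e508899aabbccddeeff"
ID_B = "00112233445566778899aabbccddeeff"
SAMPLE_LOG = f"""\
2003-04-01 09:12:03 AUTH FAILED id=0x{ID_A} from 192.0.2.15
2003-04-01 09:12:05 AUTH FAILED id=0x{ID_A} from 192.0.2.15
2003-04-01 09:12:09 AUTH FAILED id=0x{ID_A} from 192.0.2.77
2003-04-01 09:13:40 AUTH FAILED id=0x{ID_B} from 198.51.100.4
2003-04-01 09:14:02 AUTH FAILED id=0x{ID_A} from 192.0.2.15
2003-04-01 09:15:10 AUTH OK id=0x{ID_B} from 198.51.100.4
"""

# A password ID is a 128-bit number, written here as 32 hex digits (assumed notation).
LINE_RE = re.compile(
    r"AUTH FAILED id=0x(?P<pid>[0-9a-fA-F]{32}) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def failed_attempts_by_id(log_text):
    """Return {password_id: {source_ip: failure_count}} for failed attempts only."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:  # successful logins and unrelated lines are skipped
            stats[match.group("pid").lower()][match.group("ip")] += 1
    return stats


def suspicious_ids(log_text, threshold=3):
    """Return [(password_id, total_failures, source_ips)], most failures first."""
    report = []
    for pid, per_ip in failed_attempts_by_id(log_text).items():
        total = sum(per_ip.values())
        if total >= threshold:
            report.append((pid, total, sorted(per_ip)))
    return sorted(report, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for pid, total, ips in suspicious_ids(SAMPLE_LOG):
        print(f"password ID {pid}: {total} failures from {', '.join(ips)}")
```

Failures are grouped by password ID rather than by IP address, so guesses against one account spread across several source addresses are still counted together.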

Using Kerberos

If you already use Kerberos to authenticate users, you can use Kerberos to validate
passwords for the following services of Mac OS X Server version 10.2 and later:

• Login window

• Mail service

• FTP

• AFP server and client
