Password server security, Overview of directory services tools – Apple Mac OS X Server (Administrator’s Guide) User Manual
• The password, stored in recoverable or hashed form. The form depends on the network authentication protocols enabled for the Password Server (using Open Directory Assistant). If APOP or 2-Way Random is enabled, the Password Server stores a recoverable (encrypted) password. If neither of these methods is enabled, only hashes of the passwords are stored.
• Data about the user that is useful in log records, such as the user’s short name.
• Password policy data.
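The first item above makes a point that is easy to miss: a challenge-response protocol such as APOP can only be verified if the server can get back to the cleartext password, so enabling it forces recoverable storage. The following example is added here to illustrate that and is not Apple’s Password Server code; the two store classes, the PBKDF2 parameters and the sample names are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Added illustration, not Apple's Password Server implementation.
# APOP (RFC 1939) has the client send MD5(timestamp_challenge + password);
# the server can only check that if it holds the password itself.


def apop_client_digest(challenge: bytes, password: str) -> str:
    """What an APOP client sends: MD5 over the server's challenge plus the password."""
    return hashlib.md5(challenge + password.encode()).hexdigest()


class RecoverableStore:
    """Store a server needs when APOP or 2-Way Random is enabled.

    The real server keeps this encrypted at rest, but it must decrypt to the
    cleartext to verify; here the cleartext is kept in memory for clarity.
    """

    def __init__(self) -> None:
        self._secrets: dict[str, str] = {}  # short name -> cleartext password

    def set_password(self, name: str, password: str) -> None:
        self._secrets[name] = password

    def verify_apop(self, name: str, challenge: bytes, digest: str) -> bool:
        password = self._secrets.get(name)
        if password is None:
            return False
        expected = hashlib.md5(challenge + password.encode()).hexdigest()
        # Constant-time comparison so response timing does not leak matches.
        return hmac.compare_digest(expected, digest)


class HashedStore:
    """Store that suffices when every enabled protocol sends the cleartext
    (or an equivalent) for verification: only a salted hash is kept."""

    ITERATIONS = 100_000  # assumed work factor, not a value from the manual

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}  # name -> (salt, hash)

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def set_password(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[name] = (salt, self._derive(password, salt))

    def verify_cleartext(self, name: str, password: str) -> bool:
        record = self._records.get(name)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(password, salt))

    def verify_apop(self, name: str, challenge: bytes, digest: str) -> bool:
        # MD5(challenge + password) cannot be computed from a salted hash of the
        # password, so a hash-only store cannot support APOP at all.
        raise NotImplementedError("APOP verification needs the recoverable password")


if __name__ == "__main__":
    challenge = b"<1896.697170952@mail.example.com>"  # constructed sample
    recoverable = RecoverableStore()
    recoverable.set_password("jsmith", "correct horse")
    print(recoverable.verify_apop("jsmith", challenge,
                                  apop_client_digest(challenge, "correct horse")))
    hashed = HashedStore()
    hashed.set_password("jsmith", "correct horse")
    print(hashed.verify_cleartext("jsmith", "correct horse"))
```

The trade-off the manual describes follows directly: `RecoverableStore` can serve APOP but a copy of its contents is a copy of every password, whereas `HashedStore` limits what an attacker gains from the stored data but cannot answer a challenge-response protocol.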
Password Server Security
The Password Server stores passwords but never allows them to be read; passwords can only be set and verified. Malicious users who want to gain access to your server must therefore try to log in over the network, and the invalid password attempts that the Password Server logs can alert you to such attempts.
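Because failed logins are the signal the manual points to, the following example shows the kind of check an administrator would run over those log records: count failures per source address and per account and raise an alert once a threshold is crossed. It is added here as an illustration and is not Apple’s code; the log line format, the sample entries, the threshold and the field names are all constructed for the example and do not represent the Password Server’s real log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. The format is invented for this example and is not
# the Password Server's actual log format.
SAMPLE_LOG = """\
2003-05-12 09:14:02 AUTH OK user=jsmith from=10.0.1.20
2003-05-12 09:14:05 AUTH FAILED user=jsmith from=192.0.2.77 reason=invalid password
2003-05-12 09:14:07 AUTH FAILED user=jsmith from=192.0.2.77 reason=invalid password
2003-05-12 09:14:09 AUTH FAILED user=jsmith from=192.0.2.77 reason=invalid password
2003-05-12 09:14:11 AUTH FAILED user=jsmith from=192.0.2.77 reason=invalid password
2003-05-12 09:20:30 AUTH FAILED user=admin from=198.51.100.5 reason=invalid password
2003-05-12 09:20:31 AUTH FAILED user=root from=198.51.100.5 reason=invalid password
2003-05-12 09:20:32 AUTH FAILED user=backup from=198.51.100.5 reason=invalid password
2003-05-12 09:21:00 AUTH OK user=admin from=10.0.1.30
this line is not a log record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) AUTH (?P<result>OK|FAILED) user=(?P<user>\S+) from=(?P<src>\S+)"
)


def parse_log(text: str):
    """Yield one dict per well-formed record; malformed lines are ignored."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def failed_login_summary(text: str, threshold: int = 3) -> dict:
    """Summarise failed logins and flag three patterns an admin cares about:
    many failures from one source, many failures against one account, and one
    source trying several different accounts (a password spray)."""
    by_source: Counter = Counter()
    by_user: Counter = Counter()
    users_per_source: dict[str, set] = defaultdict(set)

    for rec in parse_log(text):
        if rec["result"] != "FAILED":
            continue
        by_source[rec["src"]] += 1
        by_user[rec["user"]] += 1
        users_per_source[rec["src"]].add(rec["user"])

    alerts = []
    for src, count in by_source.items():
        if count >= threshold:
            alerts.append(("brute_force_source", src, count))
    for user, count in by_user.items():
        if count >= threshold:
            alerts.append(("targeted_user", user, count))
    for src, users in users_per_source.items():
        if len(users) >= threshold:
            alerts.append(("password_spray", src, len(users)))

    return {
        "failures_by_source": dict(by_source),
        "failures_by_user": dict(by_user),
        "alerts": sorted(alerts),
    }


if __name__ == "__main__":
    for alert in failed_login_summary(SAMPLE_LOG)["alerts"]:
        print(alert)
```

The per-user counter matters as much as the per-source one: an attacker rotating source addresses is still visible as a single account accumulating failures, which is where the password policy data the server keeps (lockout after repeated failures) comes into play.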
Using a Password Server offers flexible and secure password validation, but you need to make sure that the server on which a Password Server runs is secure:
• Set up Password Servers on a server that is not used for any other activity.
• Since the load on a Password Server is not particularly high, you can have several (or even all) of your Open Directory server domains share a single Password Server.
• Set up IP firewall service so that nothing is accepted from unknown ports. The Password Server uses a well-known port.
• Make sure that the Password Server’s computer is located in a physically secure location, and don’t connect a keyboard or monitor to it.
• Equip the server with an uninterruptible power supply.
The Password Server must remain available to provide authentication services. If the Password Server goes down, password validation cannot occur, because a Password Server cannot be replicated.
Overview of Directory Services Tools
The following applications help you set up and manage directory domains and Password Servers.
• Open Directory Assistant. Use it to create and configure shared or standalone Open Directory domains (NetInfo or LDAPv3) and to set up Open Directory Password Servers. Located in /Applications/Utilities.
• Directory Access. Use it to enable or disable individual directory service protocols; define a search policy; configure connections to existing LDAPv3, LDAPv2, and NetInfo domains; and configure data mapping for LDAPv3 and LDAPv2 domains. Located in /Applications/Utilities.