
Using authentication manager, Providing secure authentication for windows users – Apple Mac OS X Server (version 10.2.3 or later) User Manual


Users and Groups


• A zero-length password is not recommended; Password Server and some systems (such as LDAP bind) do not support a zero-length password.

For maximum compatibility with computers and services your users might use, use ASCII
passwords.

Using Authentication Manager

Authentication Manager, available since Mac OS X Server version 10.0, offers all the characteristics of the basic validation strategy, plus

• a secure way to validate the passwords of Windows users (including support for SMB-NT, SMB-LM, and CRAM-MD5)

• the only way to securely authenticate AFP clients prior to version 3.8.3, which requires AFP two-way random authentication

• support for passwords longer than 8 characters for some authentication methods, such as 128-character passwords for SMB-NT and 14-character passwords for SMB-LM
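CRAM-MD5, one of the methods listed above, is a challenge-response method: the client proves it knows the password without sending it, so the server must keep a usable copy of the password rather than a one-way hash of it. The following is an added illustration written for this page, not Apple's code; the host name, the account store and the sample account are assumptions, and the known-answer values come from RFC 2195.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed sample account store (assumption, not from the manual): the
# verifier must hold the password itself, because the HMAC is keyed with it.
ACCOUNTS = {"tim": "tanstaaftanstaaf", "guest": ""}


def cram_md5_challenge(hostname: str) -> bytes:
    """Server side: a fresh, unpredictable challenge in the RFC 2195 shape
    '<random.timestamp@host>'. Issuing a new one per attempt is what keeps a
    captured response from being replayed."""
    nonce = int.from_bytes(os.urandom(4), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: HMAC-MD5 keyed with the password, over the challenge,
    sent as base64('user hexdigest'). The password never crosses the wire."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def verify_cram_md5(accounts: dict, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the digest from the stored password and compare
    in constant time. A zero-length stored password is refused outright,
    matching the manual's note that Password Server and LDAP bind do not
    support one."""
    try:
        user, _, digest = base64.b64decode(response, validate=True).decode().partition(" ")
    except (ValueError, UnicodeDecodeError):
        return False  # malformed response
    password = accounts.get(user)
    if not password:  # unknown user or zero-length password
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    chal = cram_md5_challenge("server.example.com")  # host name is an assumption
    resp = cram_md5_response("tim", "tanstaaftanstaaf", chal)
    print("valid:", verify_cram_md5(ACCOUNTS, chal, resp))
    print("replayed under a new challenge:",
          verify_cram_md5(ACCOUNTS, cram_md5_challenge("server.example.com"), resp))
```

The same property holds for the SMB-NT and SMB-LM methods named above, which is why these methods need Authentication Manager or Password Server rather than the basic one-way password hash.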

Authentication Manager only works for users with accounts defined in NetInfo directory
domains. It can’t be used with LDAP domains.

To use Authentication Manager, it must be enabled for the NetInfo directory domain in which the user accounts you want to use it for are stored:

• When you upgrade to Mac OS X Server version 10.2 from version 10.1 with Authentication Manager enabled, it remains enabled. Existing users can continue to use their same passwords.

• To enable Authentication Manager on Mac OS X Server version 10.2, you can use the command line in the Terminal application. See “Setting Up Authentication Manager” on page 618 for details.

When Authentication Manager is enabled, any new users for whom you select basic password
authentication are validated using Authentication Manager. To set the password for a user in a
shared NetInfo domain, you must first connect to the server hosting the domain.

Providing Secure Authentication for Windows Users

Mac OS X Server offers three secure ways to validate the passwords of Windows users:

• Password Server

• Authentication Manager

• Local Windows hash

Password Server is the recommended approach. It stores passwords in an unreadable
fashion, and it supports many authentication methods. Password Server lets you implement
password policies, and it supports both LDAP and NetInfo user accounts.

LL0395.Book Page 197 Wednesday, November 20, 2002 11:44 AM