Authentication with a password server – Apple Mac OS X Server (version 10.2.3 or later) User Manual
Page 64
Chapter 2
Authentication is part of the process by which your server determines whether it should
grant access to a user, computer, or program. Usually, access requires two tests:
authentication and authorization. For authentication, the requester must prove its identity,
usually by providing a password. For authorization, the server determines what privileges the
authenticated requester has for a specific resource (for example, by determining whether
the user is the owner of a particular file).
Your Mac OS X Server can host a Password Server, or it can get authentication services from a
Password Server hosted by another Mac OS X Server. If you have multiple Mac OS X Servers,
one of them can host a Password Server for all the others to use. In this case, you should set
up the Mac OS X Server that will host a Password Server and then set up the other Mac OS X
Servers to use the existing Password Server.
Each Open Directory domain can be associated with one Password Server or no Password
Server. This association happens automatically when the domain is set up with the Open
Directory Assistant application. An Open Directory domain and its associated Password
Server can be located on the same server, or the Password Server can be on a different server.
More than one Open Directory domain can be associated with a single Password Server.
Authentication With a Password Server
When a user’s account is configured to use a Password Server, the user’s password is not
stored in a directory domain. Instead, the directory domain stores a unique password ID
assigned to the user by the Password Server. To authenticate a user, directory services pass
the user’s password ID to the Password Server. The Password Server uses the password ID to
find the user’s actual password and any associated password policy.
For example, the Password Server may locate a user’s password but discover that it has
expired. If the user is logging in, the login window asks the user to replace the expired
password. Then the Password Server can authenticate the user.
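As an added illustration (not Apple's code; the Password Server's real storage format and wire protocol are not described on this page), here is a small Python model of the division of labor just described: the directory record carries only an opaque password ID, the Password Server holds the salted password verifier and the expiry flag, and an expired password must be replaced before authentication succeeds. The PBKDF2 verifier and the status strings are assumptions of the model.

```python
import hashlib
import hmac
import secrets


class PasswordServer:
    """Holds the real password verifiers and policy state, keyed by password ID."""
    def __init__(self):
        self._records = {}  # password ID -> {"salt", "digest", "expired"}

    @staticmethod
    def _digest(salt, password):
        # Salted PBKDF2 verifier; an assumption, the real storage format is not on this page.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def create(self, password, expired=False):
        """Store a new password and return the opaque password ID for the directory."""
        pid, salt = secrets.token_hex(16), secrets.token_bytes(16)
        self._records[pid] = {"salt": salt, "digest": self._digest(salt, password), "expired": expired}
        return pid

    def authenticate(self, pid, password):
        """Find the password by ID, verify it, then apply the associated policy."""
        rec = self._records.get(pid)
        if rec is None:
            return "unknown"
        if not hmac.compare_digest(rec["digest"], self._digest(rec["salt"], password)):
            return "denied"
        return "expired" if rec["expired"] else "ok"

    def replace(self, pid, old, new):
        """Replace an expired (or current) password; the old one must still verify."""
        if self.authenticate(pid, old) not in ("ok", "expired"):
            return False
        salt = secrets.token_bytes(16)
        self._records[pid] = {"salt": salt, "digest": self._digest(salt, new), "expired": False}
        return True


class DirectoryDomain:
    """User records carry only the password ID; no password material lives here."""
    def __init__(self, server):
        self.server, self.users = server, {}

    def add_user(self, name, password, expired=False):
        self.users[name] = {"password_id": self.server.create(password, expired)}

    def login(self, name, password):
        """Directory services hand the stored password ID to the Password Server."""
        rec = self.users.get(name)
        return "unknown" if rec is None else self.server.authenticate(rec["password_id"], password)
```

The login window's handling of an expired password corresponds to a `login` result of `"expired"` followed by `replace` and a second `login`.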
A Password Server can’t authenticate a user during login on a computer with Mac OS X
version 10.1 or earlier.
You’ll find more information about configuring user accounts to use a Password Server in
“Understanding Password Validation” on page 193 of Chapter 3, “Users and Groups.”
Important: A Password Server is the best means of authenticating Windows computer users
who want to access the Windows services of Mac OS X Server. You should set up a Password
Server when you first set up a Mac OS X Server on your network so that you are prepared to
start Windows services now or in the future. If you wait to set up a Password Server until after
you have created user accounts, you will have to reset the passwords of the user accounts.
Resetting passwords can be time consuming and can confuse users.
LL0395.Book Page 64 Wednesday, November 20, 2002 11:44 AM