In Mac OS X Server, users trying to access services (like logging in to a directory-aware workstation, or trying to mount a remote volume) must authenticate by providing a login name and password before privileges for the users can be determined.

You have several options for authenticating users:

• Open Directory authentication. Based on the standard Simple Authentication and Security Layer (SASL) protocol, Open Directory authentication supports many authentication methods, including CRAM-MD5, APOP, WebDAV, SHA-1, LAN Manager, NTLMv2, and Kerberos.

Open Directory authentication lets you set up password policies for individual users or for all users whose records are stored in a directory, with exceptions if required. Open Directory authentication also lets you specify password policies for individual directory replicas.

For example, you can specify a minimum password length or require a user to change the password the next time he or she logs in. You can also disable login for inactive accounts or after a specified number of failed login attempts.

• Kerberos v5 authentication. Using Kerberos authentication allows integration into existing Kerberos environments. The Key Distribution Center (KDC) on Mac OS X Server offers full support for password policies you set up on the server. Using Kerberos also provides a feature known as single sign-on, described in the next section.

The following services on Mac OS X Server support Kerberos authentication:

• Address Book Server
• Apple Filing Protocol (AFP)
• File Transfer Protocol (FTP)
• iCal Server
• iChat Server
• Login window
• Mail Services
• Network Filing Protocol (NFS)
• Open Directory (LDAPv3)
• Printing (IPP)
• Screen saver
• Secure Shell (SSH)
• Server Message Block file service (SMB)
• Virtual Private Network (VPN)
• Virtual Network Computing (VNC, known as Screen Sharing in Mac OS X Server)
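
The password-policy controls described above under Open Directory authentication (minimum length, lockout after failed login attempts, disabling inactive accounts) can be checked against a baseline from a policy string. This is an added example, not code from the manual: the key names (minChars, maxFailedLoginAttempts, maxMinutesOfNonUse), the key=value format, and treating 0 as "not enforced" are assumptions modelled on pwpolicy(8), and the thresholds and sample strings are constructed.

```python
# Added example, not Apple's code. Key names and the "0 = not enforced"
# convention are assumed to follow pwpolicy(8); thresholds are local choices.

def parse_policy(text):
    """Parse 'key=value key=value ...' into a dict of integer settings."""
    policy = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep and value.isdigit():
            policy[key] = int(value)
    return policy


def audit_policy(text, min_length=8, max_failures=10, max_idle_minutes=129600):
    """Return a list of findings; an empty list means the baseline is met."""
    policy = parse_policy(text)
    findings = []

    length = policy.get("minChars", 0)
    if length < min_length:
        findings.append("minChars=%d is below the baseline of %d" % (length, min_length))

    failures = policy.get("maxFailedLoginAttempts", 0)
    if failures == 0:
        findings.append("maxFailedLoginAttempts is not enforced (no lockout)")
    elif failures > max_failures:
        findings.append("maxFailedLoginAttempts=%d exceeds %d" % (failures, max_failures))

    idle = policy.get("maxMinutesOfNonUse", 0)
    if idle == 0:
        findings.append("maxMinutesOfNonUse is not enforced (inactive accounts stay enabled)")
    elif idle > max_idle_minutes:
        findings.append("maxMinutesOfNonUse=%d exceeds %d" % (idle, max_idle_minutes))

    return findings


# Constructed sample policy strings, not taken from a real server.
WEAK = "usingHistory=0 minChars=4 maxFailedLoginAttempts=0 maxMinutesOfNonUse=0"
STRONG = "usingHistory=5 minChars=12 maxFailedLoginAttempts=5 maxMinutesOfNonUse=129600"

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("STRONG", STRONG)):
        print(name, audit_policy(text) or "meets baseline")
```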

Chapter 4    Enhancing Security
