25.4. Understanding Password Server and Kerberos
Previously, I explained that Open Directory includes an LDAP server, which stores and distributes information about users' identities. However, LDAP isn't ideal for managing passwords. Instead, Open Directory uses either of two mechanisms to authenticate users (confirm their identities) and authorize them (give them access to whichever resources they're approved to use). Either way, password data is stored in a secure database separate from the LDAP data.
NOTE
This section assumes that your server is configured to serve as an Open Directory master — that it's designated as the central repository for directory information. It's also possible for Mac OS X Server to function as a replica of another Open Directory server, to connect to another server (such as Microsoft Active Directory) for directory data, or to have Open Directory turned off altogether, in which case only local accounts are available.
The first mechanism is called Password Server. It's not a separate program or even a separately configurable service but rather a feature of Open Directory that stores and validates passwords. Password Server is flexible in that it uses the SASL (Simple Authentication and Security Layer) framework to support all the different authentication methods that may be used by the various server and client software users might run — for example, CRAM-MD5 for IMAP, Digest-MD5 for the login window, and NTLM for SMB. When you create a new network ...
Get Mac® Security Bible now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.