Publishers of technology books, eBooks, and videos for creative people

Home > Articles > Apple > Operating Systems

This chapter is from the book

This chapter is from the book

Apple Training Series: Mac OS X Server Essentials, 2nd EditionApple Training Series: Mac OS X Server Essentials, 2nd Edition

Learn More Buy

This chapter is from the book

This chapter is from the book

Apple Training Series: Mac OS X Server Essentials, 2nd EditionApple Training Series: Mac OS X Server Essentials, 2nd Edition

Learn More Buy

Using Authentication Methods on Mac OS X Server

Open Directory offers a variety of options for authenticating users whose accounts are stored in directories on Mac OS X Server, including Kerberos and the many authentication methods that network services require. Open Directory can authenticate users by using:

  • Single sign-on with the Kerberos KDC built in to Mac OS X Server
  • A password stored securely in the Open Directory Password Server database
  • A password stored as several hashes including LAN Manager, NTLMv1 and NTLMv2 (NT LAN Manager), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2), used for VPN—in a file that only the root user can access
  • An older crypt password stored directly in the user’s account, for backward compatibility with legacy systems
  • Local-only accounts, in which a shadow password is used, stored in a location accessible only by root

In addition, Open Directory lets you set up a password policy that affects all users (except administrators) as well as specific password policies for each user, such as automatic password expiration and minimum password length. (Password policies do not apply to crypt passwords.) Even though Mac OS X Server supports all of these different authentication methods, you should not use all methods. Crypt password support, for example, is provided for backward compatibility with older computers, but using crypt passwords is not as secure as using the Open Directory Password Server.

Configuring User Authentication

To authenticate a user, Open Directory first must determine which authentication option to use: Kerberos, Open Directory Password Server, shadow password, or crypt password. The user’s account contains information that specifies which authentication option to use. This information is called the authentication authority attribute. The attribute is not limited to specifying a single authentication option. For example, an authentication authority attribute could specify that a user can be authenticated by Kerberos and Open Directory Password Server.

You can change a user’s authentication authority attribute by changing the password type in the Advanced pane of Workgroup Manager. By default, the password type is Open Directory, which means that Mac OS X Server uses either Kerberos or Open Directory Password Server. Open Directory passwords are stored securely in a separate database, not in the user account.

ch4_fig_034.jpg

Click to view larger image

A user’s account might not contain an authentication authority attribute. If a user’s account contains no authentication authority attribute, Mac OS X Server assumes a crypt password is stored in the user’s account. For example, user accounts created using Mac OS X v10.1 and earlier contain a crypt password but not an authentication authority attribute.

NOTE

Crypt passwords are inherently less secure, because they are stored in the directory database and are subject to dictionary attacks. Configure a user account to use a crypt password only if you need to provide compatibility with a computer running Mac OS X v10.1 or earlier.

TIP

If you are using a server that was upgraded from an earlier version of Mac OS X Server, you should examine the password type for all the user records stored on the server. If any records are still using a crypt password, you should upgrade the password type for the account to Open Directory.

Disabling a User Account

If you want to disable a user from logging in, you can temporarily disable that user by using Workgroup Manager to remove access to his or her account. Doing so does not delete the user, nor does it change his or her UNIX user ID or any other information. Nor does it delete any of the user’s settings, preferences, or files created by that user. It simply prevents that user from authenticating and gaining access to the server via any method.

  1. Open Workgroup Manager and select the directory where the account resides that you want to disable. Generally, you will disable the OpenLDAP accounts, but you can also disable local accounts.
  2. Click the Accounts button, select the account, click the Basic tab, and deselect the “access account” checkbox.
  3. Save the changes.
    ch4_fig_035.jpg

    Click to view larger image

    NOTE

    When a user account is disabled, you will see a red X through the user’s icon in the list of users.

Setting Account Password Policies

Once you create new users, it is useful to establish password policies for their network accounts. (There is more on setting these policies later in this lesson.) Should the users change their passwords next time they log in? Should there be a minimum password length? You can use Workgroup Manager to establish these and other policies for your users. These password policies can apply to just one user or to all users. Password policies applied with Workgroup Manager are called user account settings and are set for each user by clicking the Advanced button, then clicking the Options button.

ch4_fig_036.jpg

Click to view larger image

TIP

Per-user policies can be set for more than one user by selecting more users prior to clicking the Advanced tab and subsequent Options button.

Password policies applied with Server Admin are called global policies. In Mac OS X Server, user account settings may override global policies. Administrators are exempt from both types of policies. You will learn how to set global policies later in this lesson.

ch4_fig_037.jpg

Click to view larger image

Set User Account Settings (Per-user password policies)

You will now set policies on a per-user basis as opposed to a global basis.

  1. Open Workgroup Manager and insure you are in the LDAP directory (LDAPv3/127.0.0.1). Select the user accounts you created earlier in this lesson and click the Advanced tab.
    ch4_fig_038.jpg

    Click to view larger image

  2. Click the Options button.
  3. Select the following checkboxes:
    • Disable login on specific date
    • Disable login after user makes N failed attempts
    • Allow the user to change the password
    • Password must contain at least N characters
    • Password must be changed at next login

    “Allow the user to log in” will already be selected.

  4. In the “Password must contain at least N characters” field, enter 8.

    The next time any one of the highlighted users logs in, they will need to change their passwords; the password will need to be at least eight characters long, and their account will be disabled on the date you chose.

    NOTE

    You will notice when you choose more than one user that dashes appear in all checkboxes. Clicking a dash changes it to a checkbox, indicating that the selection is now set for all highlighted users.

    ch4_fig_039.jpg

    Click to view larger image

  5. Click OK, then click Save.

Set Single User Account Settings

Now, perhaps you want to have only one of those users not be able to change their passwords, as in the case with a novice user.

  1. Select one of your users, click the Advanced tab if not already selected, and click the Options button.
  2. Edit the checkboxes to disallow all options under the criteria for password and disable the checkbox allowing the user to change his or her password.
    ch4_fig_040.jpg

    Click to view larger image

  3. Click OK, then click Save.

    Now, this user can’t change his or her password, and it is still set to expire on a given date.

    TIP

    There are two places to deny access to a specific user account: the Basic pane and the Advanced pane. Changing the settings in the Basic pane will automatically affect the Advanced settings, but changing the data in the Advanced pane does not affect the Basic settings. If you want to deny access to a specific user account, make sure that settings in both the Basic and Advanced panes are configured appropriately. Make sure to save changes so that the new settings will be written to the directory.

Test User Account Policies

You will now move from your Mac OS X Server to your Mac OS X computer to test these policies.

  1. On the client computer at the login window, click Other, then attempt to log in as John Soward using the initial password set for john.

    Because you previously bound to the Open Directory master and there is no account record for John Soward on the Mac OS X client computer, the client searches the shared directory on the server to find a user account that matches.

    ch4_fig_041.jpg

    Click to view larger image

  2. You are prompted to enter a new password, because you configured directory services to require the password to be changed at the next login.
    ch4_fig_042.jpg

    Click to view larger image

  3. Enter johnj in the New Password and Verify Password fields, and then click Log In.

    This login fails because earlier you set the password policy to require at least eight characters.

  4. Enter johnjohnjohn into the New Password and Verify Password fields, and then click Log In.

    Because of the way Mac OS X Server functions, you still won’t be able to log in as john from your Mac OS X computer. This is because you haven’t set a home folder for the user john. However, the login fails and the login window shakes, even though the password has been changed. This can be confirmed by watching the Password Service Server log file in Server Admin. (Directory-related log files will be covered at the end of this lesson.)

Setting Global Password Policies

Open Directory enforces per-user and global password policies. For example, a user’s password policy can specify a password expiration interval. If the user is logging in and Open Directory discovers that the user’s password has expired, the user must replace the expired password. Open Directory can then authenticate the user.

Password policies can disable a user account on a certain date, after a number of days, after a period of inactivity, or after a number of failed login attempts. Password policies can also require passwords to be a minimum length, contain at least one letter, contain at least one numeral, be mixed case, contain a character that is neither a number or a letter, differ from the account name, differ from recent passwords, or be changed periodically.

Open Directory applies the same password policy rules to the Password Server and Kerberos. Password policies do not affect administrator accounts. Administrators are exempt from password policies because they can change the policies at will. In addition, enforcing password policies on administrators would subject them to denial-of-service attacks.

Kerberos and Open Directory Password Server maintain password policies separately. Mac OS X Server synchronizes the Kerberos password policy rules with Open Directory Password Server password policy rules.

After global password policies are put into effect, they are enforced for all users created or imported. For example, an existing user with the password wayne will not be required to change his or her password, even though you may have required more than eight characters and required the password to be different from the short name. This is because wayne’s account and password existed prior to the global policy being in place. In this case, it is best to require the user to change his or her password at the next login, thus forcing the user to conform his or her password to the recently set global password policies.

  1. Open Server Admin, if not already open, and select Open Directory from the list of services on the left.
  2. Click the Settings icon in the toolbar, then the Policy and Password tabs, in that order.
  3. Choose your own criteria to disable the login, choose what parameters the user’s password must meet, and click Save.
    ch4_fig_043.jpg

    Click to view larger image

    TIP

    It is important to obtain your organization’s password policies if known prior to setting these options. If you miss certain criteria that are required by your organization and all users have been imported and have passwords set, changing these parameters may require users to change their passwords again to conform to the newer standards.

    NOTE

    Because we don’t have home directories set at this point, you will be unable to test these policies at the login window.

Using Single Sign-On and Kerberos

Frequently, a user who is logged in on one computer needs to use resources located on another computer on the network. Users typically browse the network in the Finder and click to connect to the other computer. It would be a nuisance for users to have to enter a password for each connection. If you’ve deployed Open Directory, you’ve saved them that trouble. Open Directory provides a feature known as single sign-on, which relies on Kerberos. Single sign-on essentially means that when users log in, they automatically have access to other services they may need that day, such as email, file servers, chat servers, VPN connectivity, and others without entering another password.

Defining Kerberos Terms

There are three main players in a complete Kerberos transaction:

  • The user
  • The service that the user is interested in accessing
  • The KDC, which is responsible for mediating between the user and the service, creating and routing secure tickets, and generally supplying the authentication mechanism

Within Kerberos there are different realms, specific databases or authentication domains. Each realm contains the authentication information for users and services, called Kerberos principals. For example, if you have a user with a long name of John Significant and a short name of johnsig on a KDC with the realm of SERVER17.PRETENDCO.COM, the user principal would be johnsig@SERVER17.PRETENDCO.COM.

For a service to take advantage of Kerberos, it must be Kerberized (modified to work with Kerberos), which means that it can defer authentication of its users to a KDC. Not only can Mac OS X Server provide a KDC when configured to host a shared LDAP directory, but it can also provide several Kerberized services. An example of a service principal would be afpserver/server17.pretendco.com@SERVER17.PRETENDCO.COM.

Finally, Kerberos enables you to keep a list of users in a single database, called the KDC, which is configured on Mac OS X Server once an Open Directory master has been created. When a network user logs in on a Mac OS X v10.2 or later client computer, that computer negotiates with the KDC. If the user provides the correct user name and password, the KDC provides an initial ticket, called a Ticket Granting Ticket (TGT) that enables the user to subsequently ask for service tickets so they may connect to other servers and services on the network for the duration of the login session. During that time, the user can access any network service that has been Kerberized without seeing a password dialog.

Kerberos is one of the components of Open Directory. The reason a user’s password is stored in both the Password Server database and the Kerberos principal database is to allow users to authenticate to services that are not Kerberized. However, users must enter a password every time they access those services. Open Directory uses Password Server to provide support for those authentication protocols.

Because Kerberos is an open standard, Open Directory on Mac OS X Server can be easily integrated into an existing Kerberos network. You can set up your Mac OS X computers to use an existing KDC for authentication.

One security aspect to using Kerberos is that the tickets are time sensitive. Kerberos requires that the computers on your network be synchronized to within 5 minutes by default. Configure your Mac OS X computers and your servers to use the NTP, and synchronize to the same time server so this doesn’t become an issue in preventing you from getting Kerberos tickets.

Examining Kerberos Tickets

Even though you do not have a home folder at this point, you can examine your Kerberos Ticket Granting Ticket.

  1. Log in to your Mac OS X computer as cadmin.
  2. Navigate to /System/Library/CoreServices/ and open the Kerberos application.
    ch4_fig_044.jpg

    Click to view larger image

  3. Click the New button in the toolbar to obtain a new Kerberos ticket.

    Notice that because you are bound to the Mac OS X Server, you have SERVER17.PRETENDO.COM listed in your Realm field.

    ch4_fig_045.jpg

    Click to view larger image

  4. Enter the short name and password that you entered earlier in Workgroup Manager and click OK.
  5. Because you set parameters on changing the password at next login, you are presented with a dialog asking you to change your password if you wish to obtain a ticket. Click Yes.
    ch4_fig_046.jpg

    Click to view larger image

  6. Enter the old password you chose for the user, then enter and reenter a new password that conforms to the criteria you set earlier on password restrictions and click OK.
    ch4_fig_047.jpg

    Click to view larger image

    You should now be able to view your Kerberos Ticket Granting Ticket. In later exercises, you will have a home folder and be able to view service tickets along with your TGT.

ch4_fig_048.jpg

Click to view larger image

Notice that even though you logged in at the login window as cadmin, you were able to get a Kerberos TGT as another user. This is because you authenticated locally to your Mac OS X computer as cadmin, while your authentication mechanism for your other account originated on your Mac OS X Server, to which you have been bound during this lesson.

Peachpit Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Peachpit and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Peachpit products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email ask@peachpit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.peachpit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020