Computerworld - Apple's Open Directory is a powerful directory services platform that supports a variety of clients, most notably Mac OS X and Windows. Open Directory is based on open-source software, including OpenLDAP and Kerberos, and includes some components specific to Mac OS X Server.
As such, Open Directory is an easy-to-manage application for Mac and multiplatform networks. It functions well as a network's sole directory service and can integrate well with Active Directory or, for that matter, with any LDAP-based directory services platform.
For administrators, employing a robust directory services application that supports all their clients is only part of the equation. Directory servers manage user authentication and maintain significant amounts of information about users, groups, servers, workstations and network configurations. This makes securing directory servers a paramount concern for any network admin.
Open Directory automatically includes full support for Kerberos and Apple's own secure Open Directory password server for those clients and services that cannot use Kerberos. However, its diverse nature means that Open Directory can easily be made more secure than the default settings leave it after initial setup.
The following methods can greatly enhance the security of a standard Open Directory installation.
Use only Open Directory passwords
When creating or modifying user accounts under Open Directory, admins are given two options for choosing the password type: Open Directory and crypt (sometimes referred to as basic).
Open Directory passwords are stored securely in both a Kerberos realm and in the Open Directory Password Server database. In both cases, the passwords are stored in a highly encrypted form in databases that are separate from Open Directory's LDAP database, where the remaining user account attributes are stored. This provides a high level of security because even if the Open Directory domain itself is compromised, a malicious user will not be able to retrieve password information from it since the passwords are stored in a different location.
To provide backward compatibility with early versions of Mac OS X -- 10.1 and earlier -- however, Open Directory supports the use of crypt passwords. These are stored as an attribute in the user account. Use of crypt passwords presents a significant security risk because the passwords can be easily extracted from a user's account and, despite their "crypt" name, are not significantly encrypted.
As a result, crypt passwords should be avoided wherever possible.
In addition to being far more secure than crypt passwords, Open Directory passwords support the use of password policies that can be set across an Open Directory domain or for specific users. Available policies include minimum password length, expiration and account lockout after multiple failed attempts. You should always make use of password policies to prevent or limit malicious access.
Note: Administrator accounts are exempt from password policies.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All NOSes and Server Software White Papers | Webcasts