Computerworld - Apple's Open Directory is a powerful directory services platform that supports a variety of clients, most notably Mac OS X and Windows. Open Directory is based on open-source software, including OpenLDAP and Kerberos, and includes some components specific to Mac OS X Server.
As such, Open Directory is an easy-to-manage application for Mac and multiplatform networks. It functions well as a network's sole directory service and can integrate well with Active Directory or, for that matter, with any LDAP-based directory services platform.
For administrators, employing a robust directory services application that supports all their clients is only part of the equation. Directory servers manage user authentication and maintain significant amounts of information about users, groups, servers, workstations and network configurations. This makes securing directory servers a paramount concern for any network admin.
Open Directory automatically includes full support for Kerberos and Apple's own secure Open Directory password server for those clients and services that cannot use Kerberos. However, because it is built from several distinct components, Open Directory can easily be made more secure than the default settings leave it after initial setup.
The following methods can greatly enhance the security of a standard Open Directory installation.
Use only Open Directory passwords
When creating or modifying user accounts under Open Directory, admins are given two options for choosing the password type: Open Directory and crypt (sometimes referred to as basic).
Open Directory passwords are stored securely in both a Kerberos realm and in the Open Directory Password Server database. In both cases, the passwords are stored in a highly encrypted form in databases that are separate from Open Directory's LDAP database, where the remaining user account attributes are stored. This provides a high level of security because even if the Open Directory domain itself is compromised, a malicious user will not be able to retrieve password information from it since the passwords are stored in a different location.
However, to provide backward compatibility with early versions of Mac OS X (10.1 and earlier), Open Directory also supports crypt passwords. These are stored as an attribute of the user account itself. Crypt passwords present a significant security risk: they can be easily extracted from a user's account and, despite the "crypt" name, are not significantly encrypted.
As a result, crypt passwords should be avoided wherever possible.
In addition to being far more secure than crypt passwords, Open Directory passwords support the use of password policies that can be set across an Open Directory domain or for specific users. Available policies include minimum password length, expiration and account lockout after multiple failed attempts. You should always make use of password policies to prevent or limit malicious access.
Note: Administrator accounts are exempt from password policies.
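The two points above (crypt passwords living inside the user record, and password policies that do not cover administrators) are the kind of thing an admin wants to audit rather than remember. The following is an added example, not code from the Computerworld article or from Apple: it parses constructed text shaped like `dscl` user-record output and `pwpolicy -getglobalpolicy` output, flags accounts whose AuthenticationAuthority carries the `;basic;` (crypt) tag, lists administrators for manual review because the policy does not apply to them, and checks that the global policy actually sets a minimum length, an expiration and a lockout threshold. The attribute tags and policy key names (`minChars`, `maxFailedLoginAttempts`, `maxMinutesUntilChangePassword`) are assumptions for illustration; verify them against your own server's output before relying on the script.

```python
"""Audit helper for an Open Directory domain (added example, not Apple's code).

Flags accounts still using crypt ("basic") passwords, flags administrators
(exempt from password policies) for manual review, and checks that the
global password policy sets a minimum length, expiration and lockout.
Input formats and key names are assumptions modelled on dscl/pwpolicy output.
"""
import re

# Constructed sample records in `dscl . -read /Users/<name>` style.
# Assumed tags: ";basic;" marks a crypt password stored in the record itself;
# ";ApplePasswordServer;" / ";Kerberosv5;" mark Open Directory passwords.
SAMPLE_RECORDS = """\
RecordName: alice
AuthenticationAuthority: ;ApplePasswordServer;0x00000000 ;Kerberosv5;;alice@OD.EXAMPLE;OD.EXAMPLE;
UniqueID: 1025

RecordName: bob
AuthenticationAuthority: ;basic;
Password: 7WE3nREGc2Y.6
UniqueID: 1026

RecordName: diradmin
AuthenticationAuthority: ;ApplePasswordServer;0x00000001 ;Kerberosv5;;diradmin@OD.EXAMPLE;OD.EXAMPLE;
UniqueID: 1000
"""

# Constructed membership of the directory administrators group.
SAMPLE_ADMINS = {"diradmin"}

# Constructed `pwpolicy -getglobalpolicy` style output with every policy left
# at 0 (disabled); key names are assumed.
SAMPLE_GLOBAL_POLICY = (
    "minChars=0 maxFailedLoginAttempts=0 maxMinutesUntilChangePassword=0 usingHistory=0"
)


def parse_records(text):
    """Split dscl-style output into one dict per blank-line-separated record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def password_type(record):
    """Classify a record by the ;tag; markers in its AuthenticationAuthority."""
    auth = record.get("AuthenticationAuthority", "")
    tags = {t.lower() for t in re.findall(r";([A-Za-z0-9]+);", auth)}
    if "basic" in tags:
        return "crypt"
    if tags & {"applepasswordserver", "kerberosv5"}:
        return "open_directory"
    return "unknown"


def audit_accounts(text, admins):
    """Return (record name, finding) pairs for accounts needing attention."""
    findings = []
    for rec in parse_records(text):
        name = rec.get("RecordName", "?")
        kind = password_type(rec)
        if kind == "crypt":
            findings.append((name, "crypt password: hash is stored in the user "
                                   "record; migrate to an Open Directory password"))
        elif kind == "unknown":
            findings.append((name, "no recognised authentication authority; review"))
        if name in admins:
            findings.append((name, "administrator: exempt from password policies; "
                                   "review password strength and rotation manually"))
    return findings


def parse_policy(text):
    """Turn 'key=value key=value' policy output into an int-valued dict."""
    return {k: int(v) for k, v in re.findall(r"(\w+)=(-?\d+)", text)}


def audit_global_policy(text, min_chars=12, max_failed=5, max_minutes=129600):
    """Return policy keys that are disabled (0) or weaker than the required floor."""
    policy = parse_policy(text)
    problems = []
    if policy.get("minChars", 0) < min_chars:
        problems.append("minChars")
    failed = policy.get("maxFailedLoginAttempts", 0)
    if failed == 0 or failed > max_failed:
        problems.append("maxFailedLoginAttempts")
    minutes = policy.get("maxMinutesUntilChangePassword", 0)
    if minutes == 0 or minutes > max_minutes:
        problems.append("maxMinutesUntilChangePassword")
    return problems


if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_RECORDS, SAMPLE_ADMINS):
        print(f"{name}: {finding}")
    for key in audit_global_policy(SAMPLE_GLOBAL_POLICY):
        print(f"global policy: {key} is disabled or too weak")
```

On a real server you would feed the script the output of `dscl` for each user and of `pwpolicy -getglobalpolicy` instead of the constructed samples, and adjust the thresholds in `audit_global_policy` to your own standard. Accounts reported as `crypt` are the ones to migrate by resetting their password type to Open Directory; administrators show up every time because the directory's own policy will not enforce length, expiration or lockout for them.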