Computerworld - Apple's Open Directory is a powerful directory services platform that supports a variety of clients, most notably Mac OS X and Windows. Open Directory is based on open-source software, including OpenLDAP and Kerberos, and includes some components specific to Mac OS X Server.
As such, Open Directory is an easy-to-manage application for Mac and multiplatform networks. It functions well as a network's sole directory service and can integrate well with Active Directory or, for that matter, with any LDAP-based directory services platform.
For administrators, employing a robust directory services application that supports all their clients is only part of the equation. Directory servers manage user authentication and maintain significant amounts of information about users, groups, servers, workstations and network configurations. This makes securing directory servers a paramount concern for any network admin.
Open Directory automatically includes full support for Kerberos, and for Apple's own Open Directory Password Server for those clients and services that cannot use Kerberos. However, because Open Directory combines several components, its security can easily be raised well above the default settings left in place after initial setup.
The following methods can greatly enhance the security of a standard Open Directory installation.
Use only Open Directory passwords
When creating or modifying user accounts under Open Directory, admins are given two options for choosing the password type: Open Directory and crypt (sometimes referred to as basic).
Open Directory passwords are stored in both a Kerberos realm and the Open Directory Password Server database. In both cases the passwords are held in encrypted form in databases separate from Open Directory's LDAP database, where the remaining user account attributes are stored. This provides a high level of security: even if the Open Directory domain itself is compromised, a malicious user cannot retrieve password information from it, because the passwords are kept in a different location.
For backward compatibility with early versions of Mac OS X -- 10.1 and earlier -- however, Open Directory also supports crypt passwords. These are stored as an attribute of the user account record. Crypt passwords present a significant security risk because they can easily be extracted from a user's account and, despite the "crypt" name, are not meaningfully encrypted.
As a result, crypt passwords should be avoided wherever possible.
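A quick audit helps find accounts that still use crypt passwords before they are migrated. The script below is an added example, not code from the article or from Apple: it parses the text form that `dscl -read` prints for a user record (the layout and the `AuthenticationAuthority` tag names are assumptions) and flags records whose password hash sits in the record itself. All sample records are constructed.

```python
# Added example, not from the article: flag Open Directory user records that
# still carry a crypt ("basic") password. dscl output layout is ASSUMED here.

# Tags in the AuthenticationAuthority attribute (assumed names): ";basic;"
# means a crypt hash is kept in the record; the others point to the Password
# Server or Kerberos KDC, where the real secret lives.
CRYPT_TAG = ";basic;"
OD_TAGS = (";ApplePasswordServer;", ";Kerberosv5;")
MASKED = "********"  # shown by dscl when no password is in the record

SAMPLE_RECORDS = {  # constructed sample output, one string per user
    "alice": "RecordName: alice\nUniqueID: 1025\n"
             "AuthenticationAuthority:\n"
             " ;ApplePasswordServer;0x0000 placeholder-key\n"
             " ;Kerberosv5;;alice@EXAMPLE.COM;EXAMPLE.COM;\n"
             "Password: ********\n",
    "legacy": "RecordName: legacy\nUniqueID: 1026\n"
              "AuthenticationAuthority: ;basic;\n"
              "Password: abJnggxhB/yWI\n",  # constructed crypt-style hash
    "svc": "RecordName: svc\nUniqueID: 1027\n"
           "AuthenticationAuthority: ;Kerberosv5;;svc@EXAMPLE.COM;EXAMPLE.COM;\n",
    "orphan": "RecordName: orphan\nUniqueID: 1028\nPassword: ********\n",
}

def parse_record(text):
    """Parse 'Name: value' lines; indented lines continue the previous attribute."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            attrs[last] = (attrs[last] + " " + line.strip()).strip()
        elif ":" in line:
            last, value = line.split(":", 1)
            last = last.strip()
            attrs[last] = value.strip()
    return attrs

def classify(attrs):
    """Return 'crypt', 'open-directory' or 'unknown' for one parsed record."""
    auth = attrs.get("AuthenticationAuthority", "")
    password = attrs.get("Password", "")
    # ;basic; tag or an unmasked Password value: hash is extractable from LDAP
    if CRYPT_TAG in auth or (password and password != MASKED):
        return "crypt"
    if any(tag in auth for tag in OD_TAGS):
        return "open-directory"
    return "unknown"

def audit(records):
    """Map each user to its password type; 'crypt' entries need migrating."""
    return {name: classify(parse_record(text)) for name, text in records.items()}
```

Records reported as `crypt` should be reset to an Open Directory password; `unknown` records have no recognised authority and deserve a manual look.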
In addition to being far more secure than crypt passwords, Open Directory passwords support the use of password policies that can be set across an Open Directory domain or for specific users. Available policies include minimum password length, expiration and account lockout after multiple failed attempts. You should always make use of password policies to prevent or limit malicious access.
Note: Administrator accounts are exempt from password policies.