Apple's Open Directory is a powerful directory services platform that supports a variety of clients, most notably Mac OS X and Windows. Open Directory is based on open-source software, including OpenLDAP and Kerberos, and includes some components specific to Mac OS X Server.
As such, Open Directory is an easy-to-manage application for Mac and multiplatform networks. It functions well as a network's sole directory service and can integrate well with Active Directory or, for that matter, with any LDAP-based directory services platform.
For administrators, employing a robust directory services application that supports all their clients is only part of the equation. Directory servers manage user authentication and maintain significant amounts of information about users, groups, servers, workstations and network configurations. This makes securing directory servers a paramount concern for any network admin.
Open Directory automatically includes full support for Kerberos and Apple's own secure Open Directory password server for those clients and services that cannot use Kerberos. However, its diverse nature means that Open Directory can easily be made more secure than the default settings leave it after initial setup.
The following methods can greatly enhance the security of a standard Open Directory installation.
Use only Open Directory passwords
When creating or modifying user accounts under Open Directory, admins are given two options for choosing the password type: Open Directory and crypt (sometimes referred to as basic).
Open Directory passwords are stored securely in both a Kerberos realm and in the Open Directory Password Server database. In both cases, the passwords are stored in a highly encrypted form in databases that are separate from Open Directory's LDAP database, where the remaining user account attributes are stored. This provides a high level of security because even if the Open Directory domain itself is compromised, a malicious user will not be able to retrieve password information from it since the passwords are stored in a different location.
To provide backward compatibility with early versions of Mac OS X -- 10.1 and earlier -- however, Open Directory supports the use of crypt passwords. These are stored as an attribute in the user account. Use of crypt passwords presents a significant security risk because the passwords can be easily extracted from a user's account and, despite their "crypt" name, are not significantly encrypted.
As a result, crypt passwords should be avoided wherever possible.
In addition to being far more secure than crypt passwords, Open Directory passwords support the use of password policies that can be set across an Open Directory domain or for specific users. Available policies include minimum password length, expiration and account lockout after multiple failed attempts. You should always make use of password policies to prevent or limit malicious access.
Note: Administrator accounts are exempt from password policies.