Authentication with a password server, Network authentication protocols, Password server database – Apple Mac OS X Server (Administrator’s Guide) User Manual
Page 88
Chapter 2
Authentication With a Password Server
When a user’s account is configured to use a Password Server, the user’s password is not
stored in a directory domain. Instead, the directory domain stores a unique password ID
assigned to the user by the Password Server. To authenticate a user, directory services pass
the user’s password ID to the Password Server. The Password Server uses the password ID to
find the user’s actual password and any associated password policy.
For example, the Password Server may locate a user’s password but discover that it has
expired. If the user is logging in, the login window asks the user to replace the expired
password. Then the Password Server can authenticate the user.
A Password Server can’t authenticate a user during login on a computer with Mac OS X
version 10.1 or earlier.
You’ll find more information about configuring user accounts to use a Password Server in
“Understanding Password Validation” on page 189 of Chapter 3, “Users and Groups.”
Network Authentication Protocols
The Password Server is based on a standard known as Simple Authentication and Security
Layer (SASL). This standard enables a Password Server to support the wide range of network
user authentication protocols used by various network services of Mac OS X Server, such as
mail service and file services. Here are a few of the network authentication protocols that the
Password Server supports:
• CRAM-MD5
• MD5
• APOP
• NT and LAN Manager (for SMB)
• SHA-1
• DHX
• AFP 2-Way Random
• WebDAV Digest
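Several of the mechanisms above, CRAM-MD5 and APOP among them, are challenge-response schemes: the client never sends the password, so the verifying side must hold the actual password, which is why it lives in the Password Server database rather than in the directory domain. The following added example (not Apple's code; record layout, names and the 32-hex-digit sample password IDs are constructed for illustration) models the flow described in this section: the directory supplies only a password ID, the server resolves it to the stored password and policy, verifies a CRAM-MD5 response, and only then applies the expiry rule.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PasswordRecord:
    """Constructed stand-in for a Password Server record: the password and its policy."""
    password: str
    expires_at: float  # Unix time after which the policy treats the password as expired


# Constructed sample database, keyed by password ID (hypothetical values).
PASSWORD_DB = {
    "0123456789abcdef0123456789abcdef": PasswordRecord("correct horse", time.time() + 3600),
    "ffffffffffffffffffffffffffffffff": PasswordRecord("old secret", time.time() - 1),
}


def make_challenge(host: str = "mail.example.com") -> str:
    """Server side: an RFC 2195-style CRAM-MD5 challenge '<random.timestamp@host>'."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{host}>"


def cram_md5_response(user: str, password: str, challenge: str) -> str:
    """Client side: username plus hex HMAC-MD5 of the challenge keyed with the password."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{user} {digest}"


def verify(password_id: str, challenge: str, response: str) -> str:
    """Server side. Returns 'ok', 'expired' (credential valid but policy requires a change) or 'bad'."""
    record = PASSWORD_DB.get(password_id)
    if record is None:
        return "bad"
    try:
        _user, client_digest = response.split(" ", 1)
    except ValueError:
        return "bad"
    expected = hmac.new(record.password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    # Constant-time compare; check the credential before revealing any policy state.
    if not hmac.compare_digest(expected, client_digest):
        return "bad"
    if time.time() > record.expires_at:
        return "expired"
    return "ok"
```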
Password Server Database
The Password Server maintains a record for each user that includes the following:
• Password ID, a 128-bit value assigned when the password is created. The value includes a
key for finding a user’s Password Services record.