Chapter 3 Open Directory Authentication 43
The password policy for a mobile user account applies both while the account is used
connected to the network and while it is disconnected. A mobile user account's password
policy is cached on the computer so that it can still be enforced while the account is
offline. For more information about mobile user accounts, see User Management.
Password policies do not affect administrator accounts. Administrators are exempt from
password policies because they can change the policies at will, so a policy would only
constrain an administrator until the administrator changed it. In addition, enforcing
password policies on administrators could subject them to denial-of-service attacks:
a policy that disables an account after repeated failed logins would let anyone who can
reach the login service lock out an administrator simply by failing to authenticate.
Kerberos and Open Directory Password Server each maintain their own password policy.
An Open Directory server keeps the two consistent by synchronizing the Kerberos password
policy rules with the Open Directory Password Server password policy rules.
About Single Sign-On Authentication
Mac OS X Server uses Kerberos for single sign-on authentication, which relieves users
from entering a name and password separately for every service. With single sign-on,
the user still enters a name and password in the login window. Thereafter, the user
does not need to enter them again for AFP service, mail service, or any other
service that uses Kerberos authentication.
To take advantage of single sign-on, users and services must be Kerberized, that is,
configured for Kerberos authentication, and must use the same Kerberos key distribution
center (KDC).
User accounts that reside in an LDAP directory of Mac OS X Server and have a
password type of Open Directory use the server's built-in KDC. These user accounts are
configured for Kerberos and single sign-on. The server's Kerberized services use the
server's built-in KDC and are configured for single sign-on.
This Mac OS X Server KDC can also authenticate users for services provided by other
servers. Having additional Mac OS X Server systems use this KDC requires only
minimal configuration.
About Kerberos Authentication
Kerberos was developed at MIT to provide secure authentication and communication
over open networks like the Internet. It’s named for the three-headed dog that
guarded the entrance to the underworld of Greek mythology.
Kerberos provides proof of identity for both parties in an exchange (mutual
authentication). It enables you to prove who you are to the network services you want
to use, and it proves to your applications that those network services are genuine,
not spoofed.
Like other authentication systems, Kerberos does not provide authorization. Each
network service determines what you are permitted to do based on your proven
identity.
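The ticket exchange behind the single sign-on and mutual-authentication statements above, as an added example; it is not part of this manual and not Apple's or MIT's Kerberos code. It simulates the three exchanges end to end: an AS exchange in which the password is used once (encrypted-timestamp pre-authentication) to obtain a ticket-granting ticket, TGS exchanges that reuse that TGT to get service tickets without the password, and an AP exchange in which the service proves it is genuine by echoing the authenticator timestamp under the session key and then makes its own, separate authorization decision. The realm, principal names, credentials, key sizes, lifetimes and the HMAC-based cipher are assumptions for illustration; real Kerberos uses ASN.1-encoded messages and AES enctypes, and a real service also keeps a replay cache of recent authenticators, which this toy omits.

```python
import hashlib, hmac, json, os

REALM, LIFETIME, SKEW = "EXAMPLE.COM", 600, 300   # assumed realm and lifetimes (seconds)

def _keystream(key, nonce, n):   # HMAC in counter mode; illustrative stand-in for AES
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest() for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object (stands in for a Kerberos enctype)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password, principal):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10000)

class KDC:
    """Authentication Service (AS) and Ticket-Granting Service (TGS) in one process."""
    def __init__(self, users, services):
        self.tgt_key = os.urandom(32)                                     # krbtgt key
        self.users = {u: string_to_key(p, u) for u, p in users.items()}
        self.services = {s: os.urandom(32) for s in services}

    def as_exchange(self, user, padata, now):
        """AS-REQ with encrypted-timestamp pre-authentication -> (TGT, part encrypted for the user)."""
        ukey = self.users[user]
        if abs(now - unseal(ukey, padata)["timestamp"]) > SKEW:            # unseal fails on a wrong password
            raise ValueError("clock skew too great")
        sess = os.urandom(32).hex()
        tgt = seal(self.tgt_key, {"client": user, "key": sess, "expires": now + LIFETIME})
        return tgt, seal(ukey, {"key": sess})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ: TGT + authenticator -> (service ticket, part encrypted under the TGT session key)."""
        t = unseal(self.tgt_key, tgt)
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if now > t["expires"] or auth["client"] != t["client"] or abs(now - auth["timestamp"]) > SKEW:
            raise ValueError("TGT expired or bad authenticator")
        skey = os.urandom(32).hex()
        ticket = seal(self.services[service], {"client": t["client"], "key": skey, "expires": now + LIFETIME})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": skey})

class Service:
    def __init__(self, name, key, acl):
        self.name, self.key, self.acl = name, key, acl                    # acl: principals allowed in

    def handle_ap_req(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)                                       # only the KDC could have sealed this
        skey = bytes.fromhex(t["key"])
        auth = unseal(skey, authenticator)                                 # only the ticket's owner knows skey
        if now > t["expires"] or auth["client"] != t["client"]:
            raise ValueError("expired ticket or mismatched authenticator")
        ap_rep = seal(skey, {"timestamp": auth["timestamp"]})              # proves we hold the service key
        return ap_rep, t["client"] in self.acl                             # authentication, then authorization

class Client:
    def __init__(self, user, password, kdc):
        self.user, self.kdc, self.ukey, self.tickets = user, kdc, string_to_key(password, user), {}

    def login(self, now):
        """The only step that uses the password: obtain a TGT from the AS."""
        self.tgt, enc = self.kdc.as_exchange(self.user, seal(self.ukey, {"timestamp": now}), now)
        self.tgt_key = bytes.fromhex(unseal(self.ukey, enc)["key"])

    def use(self, svc, now):
        """AP-REQ / AP-REP with a service; returns that service's authorization decision."""
        if svc.name not in self.tickets:                                   # reuse the TGT; no password needed
            auth = seal(self.tgt_key, {"client": self.user, "timestamp": now})
            ticket, enc = self.kdc.tgs_exchange(self.tgt, auth, svc.name, now)
            self.tickets[svc.name] = ticket, bytes.fromhex(unseal(self.tgt_key, enc)["key"])
        ticket, skey = self.tickets[svc.name]
        ap_rep, allowed = svc.handle_ap_req(ticket, seal(skey, {"client": self.user, "timestamp": now}), now)
        if unseal(skey, ap_rep)["timestamp"] != now:                       # mutual auth: is the service genuine?
            raise ValueError("service failed to prove its identity")
        return allowed

class Rogue(Service):
    def handle_ap_req(self, ticket, authenticator, now):                   # spoofed service without the real key
        return seal(os.urandom(32), {"timestamp": now}), True              # cannot read the ticket, so it bluffs

def demo(now=1_700_000_000):                                               # constructed clock value
    pw = "correct horse battery staple"                                    # constructed sample credentials
    kdc = KDC({"anne": pw}, ["afpserver/fs.example.com", "imap/mail.example.com"])
    afp = Service("afpserver/fs.example.com", kdc.services["afpserver/fs.example.com"], {"anne"})
    imap = Service("imap/mail.example.com", kdc.services["imap/mail.example.com"], set())
    anne = Client("anne", pw, kdc)
    anne.login(now)                                                        # password typed once, at login
    out = {"afp": anne.use(afp, now + 1), "imap": anne.use(imap, now + 2)}
    for label, action in (("bad_password", lambda: Client("anne", "wrong", kdc).login(now)),
                          ("spoofed", lambda: anne.use(Rogue("afpserver/fs.example.com", b"", {"anne"}), now + 3))):
        try: action(); out[label] = "accepted"
        except ValueError: out[label] = "rejected"
    return out
```

Running `demo()` shows the four outcomes the text describes: the AFP service accepts anne (authenticated and on its ACL), the IMAP service authenticates her but refuses her because authorization is its own decision, a wrong password never yields a TGT because pre-authentication fails at the KDC, and a spoofed service cannot produce a valid AP-REP because it never held the service key and so never learned the session key.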