The next part of an Open Directory master, Password Server, is the part of Mac OS X Server responsible for managing passwords for the shared (LDAP) domain. It is ultimately a process called PasswordService and is created when an Open Directory master is chosen from the list of potential server configuration types. It writes out to three log files, which you can access by using the Server Admin tool under Open Directory and choosing the Logs tab. They and their locations are:

- /Library/Logs/PasswordService/ApplePasswordServer.Error.log
- /Library/Logs/PasswordService/ApplePasswordServer.Replication.log
- /Library/Logs/PasswordService/ApplePasswordServer.Server.log
Using the mkpassdb command, you can also back up the database, merge two Password Server databases, review the mechanisms for handling the passwords, and remove Password Server slots. Please refer to the man page for more information on mkpassdb.

Setting password policies

Password policies (complexity requirements, expiration policies, and password histories) have always been important in governmental sectors. Increasingly, though, a regulatory environment fueled by Sarbanes-Oxley, HIPAA, and FERPA has driven their adoption in the educational and private sectors as well. You can set these policies either globally, using the Server Admin application, or on a per-user basis, using Workgroup Manager. Note that per-user settings override global ones, and that in any case, administrative users in Mac OS X Server 10.4 are not subject to password policy restrictions. Password policies can be very effective in maintaining compliance with your organization's guidelines but have varying degrees of restriction, as shown in Table 3.2.

Table 3.2. User authentication policies

GUI DISABLE ACCOUNTS OPTION | USAGE | PWPOLICY COMMAND-LINE EQUIVALENT
On Date | Disables an account on a set date, such as when a contractor is set to leave a job site | usingExpirationDate, usingHardExpirationDate, expirationDateGMT, hardExpireDateGMT
After a set number of days | Disables an account after a set number of days, such as when a student has access for the number of days in a grading period | maxMinutesUntilDisabled
After a period of inactivity | Disables an account after the user doesn't log in for a set number of days, such as when a user stops using a particular file server | maxMinutesOfNonUse
After a set number of failed login attempts | Disables an account after a user or hacker attempts to enter incorrect information a set number of times | maxFailedLoginAttempts

GUI PASSWORD POLICY OPTION | USAGE | PWPOLICY COMMAND-LINE EQUIVALENT
Length Policy | Dictates that a password must be at least a set number of characters long | minChars
Letter Policy | Requires a password to contain at least one letter | requiresAlpha
Numeric character policy | Requires a password to contain at least one numeric character | requiresNumeric
Account name policy | Requires the password to be different from the account name | passwordCannotBeName
Reused passwords policy | Requires a password to be different from previous passwords | usingHistory
Password change policy | Requires a password to be changed after a set number of days, weeks, or months | maxMinutesUntilChangePassword
Be reset on first user login | Requires a new password at next login | newPasswordRequired
Allow the user to change the password (in WGM) | Allows the user to change their password | canModifyPasswordSelf
(no GUI equivalent) | Requires a password to have both upper- and lowercase letters | requiresMixedCase
(no GUI equivalent) | Dictates that a password must be no longer than a set number of characters | maxChars
(no GUI equivalent) | Number of minutes after which the failed-login counter is reset | minutesUntilFailedLoginReset
(no GUI equivalent) | Compares the password against a dictionary | notGuessablePattern
To set global password policies

1. Launch Server Admin, located in /Applications/Server, select Open Directory from the services list, and click the Settings tab.
2. Click the Policy tab and then the Passwords tab (Figure 3.8).
   Figure 3.8. Open Directory's global password policy interface.
3. Configure password options appropriate to your organization's security policies.
Tip: If you follow this procedure on an Open Directory master or replica (replicas are discussed later in this chapter), it will affect both the shared (LDAP) domain and the local (NetInfo) domain, because the policies are synchronized. However, if you perform it on a Mac OS X Server that is not hosting a shared domain (as of 10.4.4), it will affect the global policy for the local (NetInfo) domain. You set per-user policies (as of 10.3.3) in the local (NetInfo) and the shared (LDAP) domain. In addition, four other options are available via pwpolicy that currently have no GUI counterpart; these options may not be supported by the local (NetInfo) domain.

To set per-user password policies

1. Launch Workgroup Manager, located in /Applications/Server, and connect to your server as a local or directory administrator (Figure 3.9).
   Figure 3.9. Opening up Workgroup Manager and authenticating an administrator.
2. From the "Authenticated as" pop-up menu in the upper-left corner of the screen, choose either a local or shared domain (Figure 3.10).
   Figure 3.10. Choosing the shared (LDAP) domain in Workgroup Manager.
3. Select one or more user accounts and click the Advanced pane.
4. Click Options and configure password options appropriate to your organization's security policies. Then click OK (Figure 3.11).
   Figure 3.11. User account password policies in the Advanced tab of Workgroup Manager.
5. Compare the per-user policies with the global policies in Server Admin (set in the previous task) to ensure there are no conflicts.
6. Use the pwpolicy command to set the policies that have no GUI counterpart.
   This example shows how to require mixed case (replace diradmin with the short name of your shared directory administrator):

   pwpolicy -a diradmin -v -setglobalpolicy "requiresMixedCase=1"

7. Enter the password for your shared directory administrator's short name to authenticate.
   The -v option is verbose and allows feedback to be shown in the Terminal.
8. Type pwpolicy -getglobalpolicy to review your new policies.
Storing Password Server passwords

Password Server also has the ability to utilize several methods for storing passwords. The following password storage methods are accessible in the Security tab within the Open Directory service module of Server Admin or by using the NeST command-line tool:

- SMB-NTLMv2: Used for Windows ME, XP, 2000, 2003, and higher
- SMB-NT: Used for Windows 98 and NT
- SMB-LAN-MANAGER: Used for Windows 95 clients
- MS-CHAPv2: Used for VPN access
- GSSAPI: Generic Security Service Application Program Interface
- WEBDAV-DIGEST: Used for WebDAV
- APOP: Used for authenticated Post Office Protocol

Each of the methods of storing passwords has its pros and cons. In general, you should turn off the protocols you do not use, especially those that are somewhat insecure, such as SMB-NT, SMB-LAN-MANAGER, WEBDAV-DIGEST, and APOP.

To disable insecure password storage methods

1. Launch Server Admin, located in /Applications/Server, select Open Directory from the services list, and click the Settings tab.
   You can leave Server Admin open for the next several tasks.
2. Click the Policy tab and then the Security tab (Figure 3.12).
   Figure 3.12. Viewing the various password authentication methods in Server Admin.
3. Select the check boxes as appropriate and click Save.
   or
   Use the NeST command-line tool:

   sudo NeST setprotocols APOP off
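The procedure above disables one mechanism at a time. The script below is an added example (not from the chapter or from Apple) that takes a list of the mechanisms currently enabled, flags the ones the chapter singles out as weak, and prints the corresponding NeST commands in the form the chapter uses. ENABLED is a constructed sample list, not output captured from NeST or Server Admin.

```shell
#!/bin/sh
# Added example: find enabled Password Server mechanisms that the chapter
# recommends turning off, and print the NeST commands to disable them.
# ENABLED is a CONSTRUCTED sample (one mechanism per line), not real output.
ENABLED='SMB-NTLMv2
SMB-NT
SMB-LAN-MANAGER
MS-CHAPv2
GSSAPI
WEBDAV-DIGEST
APOP'

# Mechanisms the chapter lists as somewhat insecure.
WEAK='SMB-NT SMB-LAN-MANAGER WEBDAV-DIGEST APOP'

# is_weak MECH -> returns 0 if MECH is in the WEAK list, 1 otherwise
is_weak() {
    for w in $WEAK; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# weak_enabled LIST -> prints each mechanism in LIST that is weak
weak_enabled() {
    for m in $1; do
        if is_weak "$m"; then printf '%s\n' "$m"; fi
    done
}

# disable_commands LIST -> prints (does not run) one NeST command per
# weak mechanism that is enabled; run them on the server as an admin
# only after confirming no client still depends on the mechanism.
disable_commands() {
    weak_enabled "$1" | while read -r m; do
        printf 'sudo NeST setprotocols %s off\n' "$m"
    done
}

echo "Weak mechanisms currently enabled:"
weak_enabled "$ENABLED"
echo "Commands to disable them:"
disable_commands "$ENABLED"
```

Before running the printed commands, check which clients still authenticate with each mechanism (Windows 95/98/NT machines for the SMB variants, WebDAV and POP clients for the other two); disabling a mechanism that a client still uses breaks that client's login rather than hardening it.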