The authentication authority attribute, Choosing a password – Apple Mac OS X Server (Administrator’s Guide) User Manual
Page 192
Chapter 3
• Using an LDAP server. This option, like Kerberos, offers a way to integrate your Mac OS X
Server into an existing authentication scheme.
See “Using LDAP Bind Authentication” on page 201 for details about this strategy.
The Authentication Authority Attribute
To authenticate a user, Mac OS X directory services first locates the user’s record using the
user name provided by the user. Then it determines which password validation scheme to
use by consulting the “authentication authority” attribute in the user’s account.
The authentication authority attribute identifies the password validation scheme and
provides additional information as required. For example, if a Password Server is being used,
the location of the Password Server is part of the authentication authority value.
If a user’s account contains no authentication authority attribute, the basic strategy is used.
For example, user accounts created using Mac OS X version 10.1 and earlier contain no
authentication authority attribute.
Choosing a Password
The password associated with a user’s account must be entered by the user before he or she
can be authenticated. The password is case-sensitive (except for SMB LAN Manager
passwords) and does not appear on the screen as it is entered.
Regardless of the password validation option you use for any user, here are some guidelines
for composing a password for Mac OS X Server users.
A password should contain letters, numbers, and symbols in combinations that won’t be
easily guessed by unauthorized users. Avoid spaces and Option-key combinations. Also avoid
characters that can’t be entered on computers the user will be using. (Some computers do
not support passwords that contain double-byte characters, leading spaces, embedded
spaces, and so forth.) A zero-length password is not recommended, and some systems (such
as LDAP bind) do not allow one.
Most of the Mac OS X Server applications and services that require passwords support 7-bit
or 8-bit ASCII passwords without leading or trailing spaces. Use the following information to
determine whether you need to take these restrictions into account when defining
passwords for server users:
• Apple file service accepts 7-bit or 8-bit ASCII passwords.
• File Transfer Protocol (FTP) service accepts 7-bit ASCII passwords.
• IMAP accepts 7-bit ASCII passwords. Some IMAP clients accept 8-bit ASCII passwords.
• Macintosh Manager accepts 7-bit or 8-bit ASCII passwords.
• POP3 accepts 7-bit ASCII passwords.
• Web service accepts 7-bit ASCII passwords.
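
The following Python check is an added example, not part of Apple's guide: it applies the guidelines and the service list above to a candidate password and reports which services are expected to refuse it. It assumes "8-bit ASCII" means code points up to 0xFF; the function names and sample passwords are constructed for illustration.

```python
import string

# Widest character set each service accepts, from the list above.
SERVICE_BITS = {
    "Apple file service": 8,
    "FTP": 7,
    "IMAP": 7,  # the guide notes some IMAP clients also take 8-bit
    "Macintosh Manager": 8,
    "POP3": 7,
    "Web service": 7,
}


def width_bits(password):
    """Classify the password by its highest code point.

    Assumption: "8-bit ASCII" is read as code points 0x80-0xFF; anything
    higher is reported as 16 (the guide's "double-byte" case).
    """
    top = max((ord(c) for c in password), default=0)
    return 7 if top < 0x80 else 8 if top < 0x100 else 16


def review_password(password):
    """Return guideline issues and the services expected to refuse it."""
    issues = []
    if not password:
        issues.append("zero-length (not recommended; LDAP bind refuses it)")
    if password != password.strip(" "):
        issues.append("leading or trailing space")
    if " " in password.strip(" "):
        issues.append("embedded space")
    classes = {
        "letter": any(c.isalpha() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    issues += [f"no {name}" for name, present in classes.items() if not present]
    bits = width_bits(password)
    rejected = [svc for svc, limit in SERVICE_BITS.items() if bits > limit]
    return {"bits": bits, "issues": issues, "rejected_by": rejected}


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the guide.
    for sample in ["Tr1cky!pass", "caf\u00e9-9!", " pass word1", "\u5bc6\u78bc1!"]:
        print(repr(sample), review_password(sample))
```

A password that comes back with an empty `rejected_by` list and no issues can be used unchanged across every service in the list.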