Tips for Securing Apple's Open Directory

Appleis Open Directory for Mac OS X Server is a powerful, capable directory services system that uses open standards like Open LDAP and Kerberos. Despite its capabilities, there are still some methods to secure it over and above the default settings, according to Ryan Faas at Computerworld on Friday.

Mr. Fass, who has written an informative series on Appleis Open Directory system, noted, "For administrators, employing a robust directory services application that supports all their clients is only part of the equation. Directory servers manage user authentication and maintain significant amounts of information about users, groups, servers, workstations and network configurations. This makes securing directory servers a paramount concern for any network admin."

Some of the things that were noted include:

  1. Use open Directory not crypt passwords.
  2. Rely on Kerberos at every opportunity
  3. Disable unused authentication mechanisms
  4. Require SSL for all communication
  5. Use Trusted Binding introduced in Mac OS X 10.4
  6. Secure relevant ports via firewall

Mr. Faas reminded administrators that frequent inspection of the Password Service Server log will reveal failed login attempts and is worthy of attention.

The article, one more in a notable series of articles by the Mr. Fass, is a good refresher for Apple network administrators to make sure theyive taken all possible measures to secure their Apple network and do it correctly.