<br><div><span class="gmail_quote">On 1/1/08, <b class="gmail_sendername">Jordan K. Hubbard</b> <<a href="mailto:jkh@apple.com">jkh@apple.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div style="">I see your confusion. The documentation only mentions Crypt passwords as and old-style way of leaving passwords around if you need interoperability with 10.0 or 10.1 machines. By default, you're already using a shadow password and have been for quite a few releases now.
</div></blockquote><div><br>Jordan, appreciate the further clarity. Quick question then (just to make sure I'm ultra clear) -- even if a MacPort installs a new entry in the local directory domain with a "Crypt Password" type, what you're saying is that in reality, under Leopard Server (and the past few versions of Mac OS X Server) this password is a Shadow Password disguised to the system as a Crypt Password? I ask because using Workgroup Manager on Leopard Server, I can select the user that was installed by the MacPort (for example, take the openldap MacPort which installs a local directory domain entry with the username "ldap", UID "500" and a User Password Type of "Crypt Password" and I can select the pop-up menu with the "Crypt Password" selection and change the type to either "Shadow Password" or "OpenDirectory" because I am also running an OpenDirectory Master on the same machine).
<br><br>I appreciate the insight as this is actually quite interesting!<br><br>Thanks,<br><br>T.M.<br><br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div style=""><div>- Jordan</div><div><span class="e" id="q_1173826d244ddfa3_1"><div><div><div><br></div><div>On Jan 1, 2008, at 3:09 PM, Tabitha McNerney wrote:</div><br><blockquote type="cite"><br><div><span class="gmail_quote">
On 1/1/08, <b class="gmail_sendername">Jordan K. Hubbard</b> <<a href="mailto:jkh@apple.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">jkh@apple.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Let's ask a different question: What are you trying to achieve?<br><br>- Jordan</blockquote><div><br>Hi Jordan,<br><br>You raise a good question, about what I am trying to achieve. My concern is that, after reading Apple's Mac OS X Server Leopard documentation, it strikes me that crypt passwords are less secure compared to other options such as Shadow Passwords, as I quote the Leopard Server OpenDirectory documentation (PDF):
<br><br><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">User accounts not used on computers that require a crypt password should have an <br>
Open Directory password or a shadow password. A crypt password is required only for <br>logging in to a computer with Mac OS X v10.1 or earlier and on computers with some <br>types of UNIX. <br><br>A crypt password is stored as an encrypted value, or hash, in the user account record in
<br>the directory domain. Because the crypt password can be recovered from the directory <br>domain, it is subject to offline attack and is less secure than other password types.<br></blockquote><br>Maybe I am misinterpreting, but it strikes me that Apple is recommending that, if possible, a crypt password should be last on the list of password type choices.
<br><br>Thanks,<br><br>T.M.<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">On Jan 1, 2008, at 2:04 AM, Tabitha McNerney wrote:
<br><br>> Hello all --<br>><br>> I am happily running Leopard Server and installing MacPorts 1.6.0.<br>> Some of the ports install users in the local directory domain (with<br>> Leopard Apple has officially done away with NetInfo by the way).
<br>> There is an option using Workgroup Manager -- a GUI tool only<br>> bundled by Apple with Mac OS X Server, to change the password type<br>> of local directory domain users (for example, the user "ldap"
<br>> installed by MacPorts as part of the openldap port) from crypt to<br>> Shadow Password. Has anyone ever tried this and if so are there any<br>> reasons not to switch from crypt to Shadow Password?<br>><br>
> Thanks,<br>><br>> -T.M.<br>> _______________________________________________<br>> macports-users mailing list<br>> <a href="mailto:macports-users@lists.macosforge.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
macports-users@lists.macosforge.org </a><br>> <a href="http://lists.macosforge.org/mailman/listinfo/macports-users" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://lists.macosforge.org/mailman/listinfo/macports-users
</a><br><br></blockquote></div><br></blockquote></div><br></div></span></div></div></blockquote></div><br>