With OS X Server, a server with a shared LDAP directory domain also provides Open Directory authentication.
It’s important to protect the authentication data stored by Open Directory. This authentication data includes the Open Directory Password Server database and the Kerberos database. Therefore, make sure an Open Directory master and all Open Directory replicas are secure by following these guidelines:
Keep your server behind a locked door, and always log it out. Physical security of a server that’s an Open Directory master or replica is paramount.
Secure the media you use to back up an Open Directory Password Server database and a Kerberos database. Having your Open Directory servers behind locked doors won’t protect a backup tape that you leave on your desk.
Don’t use a server that’s an Open Directory master or replica to provide other services. If you can’t dedicate servers to be Open Directory masters and replicas, minimize the number of services they provide.
One of the other services could have a security breach that gives someone access to the Kerberos or Open Directory Password Server databases. Dedicating servers to provide Open Directory services is an optimal practice but isn’t required.
Set up service access control lists (SACLs) for the login window and secure shell (SSH) to limit who can log in to an Open Directory master or replica.
Avoid using a RAID volume that’s shared with other computers as the startup volume of a server that’s an Open Directory master or replica. A security breach on one of the other computers could jeopardize the security of the Open Directory authentication information.
Set up the firewall service to block all ports except those listed here for directory, authentication, and administration protocols:
Open Directory Password Server uses ports 106 and 3659.
The Kerberos KDC uses TCP/UDP port 88, and Kerberos administration uses TCP/UDP port 749.
The shared LDAP directory uses TCP port 389 for an ordinary connection and TCP port 636 for an SSL connection.
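A default-deny firewall rule set built from the ports listed above, as an added example that is not from Apple’s documentation: it assumes pf-style rule syntax, treats the two Password Server ports as TCP (the text gives only the numbers), and uses en0 as a placeholder interface name.

```shell
#!/bin/sh
# Added example (not from the Apple documentation): build a default-deny pf
# rule set that admits only the Open Directory ports listed above, plus a
# helper that checks a proto/port pair against the same allow list.
# Assumptions: pf(4) rule syntax; "en0" is a placeholder interface name.

# Allow list taken from the text, as proto:port pairs. The Password Server
# ports (106, 3659) are assumed to be TCP; the text lists only the numbers.
OD_ALLOW="tcp:106 tcp:3659 tcp:88 udp:88 tcp:749 udp:749 tcp:389 tcp:636"

# od_allowed_port PROTO PORT -> exit 0 if the pair is on the allow list
od_allowed_port() {
    _proto=$1; _port=$2
    for _entry in $OD_ALLOW; do
        [ "$_entry" = "$_proto:$_port" ] && return 0
    done
    return 1
}

# od_pf_rules IFACE -> print a pf rule set: block everything inbound on
# IFACE, then pass only the allow-listed ports (stateful, so replies to
# accepted connections are admitted).
od_pf_rules() {
    _if=$1
    echo "set skip on lo0"
    echo "block in log on $_if all"
    for _entry in $OD_ALLOW; do
        _proto=${_entry%%:*}; _port=${_entry##*:}
        echo "pass in quick on $_if proto $_proto from any to ($_if) port $_port keep state"
    done
}

# od_rule_count -> number of pass rules emitted, for a quick sanity check
od_rule_count() {
    od_pf_rules en0 | grep -c '^pass in'
}
```

Review the generated rules before loading them with pfctl, and add pass rules for any other service the server must still provide.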
Replicating directory and authentication data over the network is a minimal security risk. Password data is securely replicated using random keys negotiated during each replication session. The authentication portion of replication traffic—the Open Directory Password Server and the Kerberos KDC—is fully encrypted.
For extra security, configure network connections between Open Directory servers to use network switches rather than hubs. This isolates authentication replication traffic to trusted network segments.