For authenticating users whose accounts are stored in directories on Lion Server, Open Directory offers a variety of options, including Kerberos and the many authentication methods that network services require. Open Directory can authenticate users by using:
• Single sign-on with the Kerberos KDC built into Lion Server
• A password stored securely in the Open Directory Password Server database
• A password stored as several hashes in a location that only the root user can access, including NTLMv1 and NTLMv2 (NT LAN Manager) and Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2), which is used for VPN
• An older crypt password stored directly in the user’s account (on the local filesystem ...