Mac OS X 10.6 Server Admin: Migrating Passwords from Mac OS X Server v10.1 or Earlier
User accounts can be migrated from earlier versions of Mac OS X Server by importing the account records or upgrading the server where they reside.
User accounts created with Mac OS X Server v10.1 or earlier have no authentication authority attribute, but they do have crypt passwords.
If you import user accounts from Mac OS X Server v10.1 or earlier, these user accounts are initially configured to have crypt passwords. If you import these accounts to the server’s local directory domain, each is converted from crypt password to shadow password when the user or administrator changes the password or when the user authenticates to a service that can use a recoverable authentication method.
Likewise, if you upgrade from Mac OS X Server v10.1 or earlier, user accounts created before upgrading are assumed to have crypt passwords.
Although existing crypt passwords can continue to be used after importing or upgrading, you can change user accounts to have Open Directory or shadow passwords.
You can change individual user accounts or multiple user accounts by using Workgroup Manager. Changing a user account’s password type resets the password. For more information, see “Changing the Password Type to Open Directory” and “Changing the Password Type to Shadow Password.”
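The following is an added example, not part of the original guide: a shell sketch for finding accounts that still have crypt passwords after an import or upgrade, by classifying each record's authentication authority attribute. It assumes the attribute carries the tags `;basic;`, `;ShadowHash;` or `;ApplePasswordServer;`, and it reads a constructed `shortname|AuthenticationAuthority` input format; the function names and sample records are hypothetical.

```shell
#!/bin/sh
# Added example: classify password types from the AuthenticationAuthority value.
# Assumption: on a live server the value for one account can be read with
#   dscl . -read /Users/<shortname> AuthenticationAuthority
# Here the records are fed in as "shortname|value" lines (constructed format).

classify_password_type() {
    # $1 = AuthenticationAuthority value; empty means the attribute is absent
    case "$1" in
        "")                        echo "crypt" ;;         # v10.1-style account, no attribute
        *";ApplePasswordServer;"*) echo "opendirectory" ;; # Open Directory password
        *";ShadowHash;"*)          echo "shadow" ;;        # shadow password
        *";basic;"*)               echo "crypt" ;;         # explicitly marked crypt
        *)                         echo "unknown" ;;       # review by hand
    esac
}

list_crypt_accounts() {
    # Reads "shortname|value" records on stdin and prints the short names
    # of accounts that still authenticate with a crypt password.
    while IFS='|' read -r name authority; do
        [ -n "$name" ] || continue
        if [ "$(classify_password_type "$authority")" = "crypt" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample records (not taken from a real server).
SAMPLE_RECORDS='alice|;ShadowHash;
bob|
carol|;ApplePasswordServer;0x00000000000000000000000000000001,1024 35 0000 root@server.example.com:192.0.2.10
dave|;basic;'

# Report the accounts that are candidates for a password type change.
printf '%s\n' "$SAMPLE_RECORDS" | list_crypt_accounts
```

Because changing the password type resets the password, the resulting list is also the list of users who need to be given new passwords.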
Some user accounts created with Mac OS X Server v10.1 or earlier may use Authentication Manager. It is a legacy technology for authenticating users of Windows file service and users of AFP service whose Mac OS 8 computers have not been upgraded with AFP client software v3.8.3 or later.
When migrating Authentication Manager users, you have the following options:
If you upgrade first from Mac OS X Server v10.1 to v10.2, then to v10.5, and then migrate to v10.6, existing users can continue to use the same passwords.
You can change some or all upgraded user accounts to have Open Directory passwords or shadow passwords, which are more secure than crypt passwords. For more information, see “About Password Types.”
If the upgraded server has a shared NetInfo domain and you migrate it to an LDAP directory, user accounts are converted to Open Directory passwords.
Each user account in the server’s local directory domain is converted from crypt password to shadow password when the user or administrator changes the password or when the user authenticates to a service that can use a recoverable authentication method.
If you import user accounts that use Authentication Manager into the LDAP directory, they are converted during importing to have Open Directory passwords.