Open Directory Overview

Chapter 1

Concepts

an appropriate network-based authentication method, such as CRAM-MD5, APOP, NT, LAN Manager, DHX, or WebDAV-Digest. Note that the Password Server's administrator may disable some of these authentication methods in accordance with local security policy, so a client cannot assume every method is available on every server.

The authority data field must contain two strings separated by a single colon (:) character. The first string begins with a SASL ID. The SASL ID is provided to the Password Server to identify who is attempting to authenticate. Apple’s Password Server implementation uses a unique pseudo-random 128-bit number encoded as hex-ASCII assigned when the password was created to identify user passwords in its private password database. However, Open Directory clients should not assume that the first string will always be a fixed-size value or a simple number.

The SASL ID is followed by a comma (,) and a public key, which is used when the client challenges the Password Server before authentication begins to confirm that the Password Server is not being spoofed.

The second string is a network address consisting of two sub-strings separated by the slash (/) character. The first substring is optional and indicates the type of network address specified by the second substring. The second substring is the actual network address. If the first substring and the slash character are not specified, the second substring is assumed to be an IPv4 address.

If specified, there are three possible values for the first substring:

IPv4 — The client can expect the second substring to contain a standard 32-bit IPv4 network address in dotted decimal format.

IPv6 — The client can expect the second substring to contain a standard 128-bit IPv6 network address.

dns — The client can expect the second substring to contain a fully qualified domain name representing the network location of the password server.

If the authority data field is missing or malformed, the entire authentication authority attribute value must be ignored and any attempt to authenticate using it must be failed.

In the following example of an authentication authority attribute value for Mac OS X Password Server authentication, the version field is empty, so the version is assumed to be 1.0.0. The SASL ID is 0x3d069e157be9c1bd0000000400000004. The network address is not preceded by a type prefix (such as ipv6/ or dns/), so it is taken to be an IPv4 address.

;ApplePasswordServer;0x3d069e157be9c1bd0000000400000004,1024 35 162238334177531214968844629131367208019989492134080333699347018789801300721338117529335469488591923943542260635936304162564340362835616440182909528175978839978526395971982754647985811845025859418619336892165981073840052570657008816692626571374650047656107118967420361846115729915621101131109959974708458210473 root@pwserver.example.com:17.221.43.124

In the following example, the appearance of dns indicates that the network address in the second substring is a fully qualified domain name.

;ApplePasswordServer;0x3d069e157be9c1bd0000000400000004,1024 35 162238334177531214968844629131367208019989492134080333699347018789801300721338117529335469488591923943542260635936304162564340362835616440182909528175978839978526395971982754647985811845025859418619336892165981073840052570657008816692626571374650047656107118967420361846115729915621101131109959974708458210473 root@pwserver.example.com:dns/sasl.password.example.com
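The following parser is an added example, not Apple's or Open Directory's own code; it implements the data-field layout described above (SASL ID, comma, public key, colon, optionally typed network address) and the two rules a client must honour: a missing type prefix means IPv4, and a missing or malformed data field means the whole value is ignored and the authentication attempt fails. Two points are assumptions rather than statements from the page: a non-empty version would appear as a third semicolon-separated field (;tag;version;data), and the public key's trailing comment never contains a colon. The latter matters because an ipv6/ address itself contains colons, so the data field must be split at the first colon after the key, not the last. The sample values (SASL_ID, SAMPLE_KEY, the EXAMPLE_* strings and MALFORMED) are constructed; the placeholder key keeps the page's "bits exponent modulus comment" layout but is not a real 1024-bit key.

```python
"""Parser for the ApplePasswordServer authentication authority value (added example).

Layout per the page:  ;ApplePasswordServer;<SASL ID>,<public key>:<[type/]network address>
Assumptions (not on the page): a non-empty version is a third ';' field, and the
public key comment never contains ':', so the FIRST colon after the key ends the key.
"""
import ipaddress
import re
from dataclasses import dataclass

TAG = "ApplePasswordServer"
ADDRESS_TYPES = ("ipv4", "ipv6", "dns")
_DNS_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"{_DNS_LABEL}(?:\.{_DNS_LABEL})*\.?")

class MalformedAuthority(ValueError):
    """The whole attribute value must be ignored and authentication failed."""

@dataclass(frozen=True)
class PasswordServerAuthority:
    version: str          # "" means 1.0.0 per the page
    sasl_id: str          # opaque: do not assume a fixed size or numeric form
    public_key: str       # "1024 35 <modulus> <comment>" text form of the RSA key
    address_type: str     # "ipv4", "ipv6" or "dns"
    address: str

def parse_authority(value: str) -> PasswordServerAuthority:
    """Parse one attribute value or raise MalformedAuthority."""
    parts = value.split(";")
    if len(parts) not in (3, 4) or parts[0] != "" or parts[1] != TAG:
        raise MalformedAuthority("not an ApplePasswordServer authority value")
    version, data = ("", parts[2]) if len(parts) == 3 else (parts[2], parts[3])
    if not data:
        raise MalformedAuthority("authority data field is missing")
    # First colon, not last: an ipv6/ address on the right-hand side contains colons.
    id_and_key, sep, netaddr = data.partition(":")
    if not sep or not netaddr:
        raise MalformedAuthority("data field must be '<id>,<key>:<address>'")
    sasl_id, sep, public_key = id_and_key.partition(",")
    if not sep or not sasl_id or not public_key:
        raise MalformedAuthority("missing SASL ID or public key")
    # "type/address"; a bare address with no slash is IPv4 by definition.
    addr_type, sep, address = netaddr.partition("/")
    if not sep:
        addr_type, address = "ipv4", netaddr
    addr_type = addr_type.lower()
    if addr_type not in ADDRESS_TYPES or not address:
        raise MalformedAuthority(f"bad network address field {netaddr!r}")
    # The address must actually be of the declared type, else the value is malformed.
    ok = (
        _is_ip(address, ipaddress.IPv4Address) if addr_type == "ipv4"
        else _is_ip(address, ipaddress.IPv6Address) if addr_type == "ipv6"
        else _FQDN_RE.fullmatch(address) is not None
    )
    if not ok:
        raise MalformedAuthority(f"{address!r} is not a valid {addr_type} address")
    return PasswordServerAuthority(version, sasl_id, public_key, addr_type, address)

def _is_ip(text: str, cls) -> bool:
    try:
        cls(text)
        return True
    except ValueError:        # AddressValueError is a ValueError subclass
        return False

def is_usable(value: str) -> bool:
    """Client rule from the page: malformed means ignore the value and fail the attempt."""
    try:
        parse_authority(value)
        return True
    except MalformedAuthority:
        return False

# Constructed samples. SAMPLE_KEY is a short placeholder in the page's
# "bits exponent modulus comment" layout, not a real 1024-bit key.
SASL_ID = "0x3d069e157be9c1bd0000000400000004"
SAMPLE_KEY = "1024 35 3233 root@pwserver.example.com"
EXAMPLE_IPV4 = f";{TAG};{SASL_ID},{SAMPLE_KEY}:17.221.43.124"
EXAMPLE_DNS = f";{TAG};{SASL_ID},{SAMPLE_KEY}:dns/sasl.password.example.com"
EXAMPLE_IPV6 = f";{TAG};{SASL_ID},{SAMPLE_KEY}:ipv6/2001:db8::1"
MALFORMED = [
    f";{TAG};",                                          # data field missing
    f";{TAG};{SASL_ID},{SAMPLE_KEY}",                    # no network address
    f";{TAG};{SASL_ID},{SAMPLE_KEY}:2001:db8::1",        # no prefix, so IPv4 is expected
    f";{TAG};{SASL_ID},{SAMPLE_KEY}:ipv4/2001:db8::1",   # type/address mismatch
    f";{TAG};{SASL_ID},{SAMPLE_KEY}:ipx/00-11-22",       # unknown address type
    f";{TAG};{SASL_ID}:17.221.43.124",                   # public key missing
    f";SomeOtherTag;{SASL_ID},{SAMPLE_KEY}:17.221.43.124",  # different authority tag
]
```

Note that the parser deliberately does not check the SASL ID's length or that it is hexadecimal: the page warns that clients must not assume the first string is a fixed-size value or a simple number, and Apple's 128-bit hex-ASCII identifier is only the current implementation.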

2007-01-08 © 2007 Apple Inc. All Rights Reserved.
