Apple OS X manual Local Cached User Authentication

Page 19

Chapter 1

Concepts

Local Cached User Authentication

Local Cached User authentication is used for mobile home directories. The authority data field must be present. Its format is

DS Nodename:DS Recordname:DS GUID

where the colon (:) character delimits the three individual strings. All three strings are required. The first string is any valid node name in UTF-8 format. The second string is any valid record name in UTF-8 format. The third string is any valid generated unique identifier (GUID) in UTF-8 format.

If the authority data field is absent or malformed, the authentication authority attribute value must be ignored and must result in failure to authenticate any client that attempts authentication using it. No other authentication type can be combined with this authentication type.

Here are some examples of properly formed authentication authority attribute values for Local Cached User authentication:

;LocalCachedUser;/LDAPv3/bh1234.example.com:bjensen:AFE453BF-284E-4BCE-ADB2-206C2B169F41
1.0.0;LocalCachedUser;/LDAPv3/bh1234.example.com:bjensen:AFE453BF-284E-4BCE-ADB2-206C2B169F41
1;LocalCachedUser;/LDAPv3/bh1234.example.com:bjensen:AFE453BF-284E-4BCE-ADB2-206C2B169F41

Kerberos Version 5 Authentication

For Kerberos Version 5 authentication, the authority data field is formatted as follows:

[UID];[user principal (with realm)];realm;[realm public key]

The optional 128-bit UID is encoded in the same way as for Apple Password Server authentication.

The optional user principal is the user principal for this user within the Kerberos system. If the user principal is not present, the user name and the realm are used to generate the principal name (user@REALM). This allows a fixed authentication authority value to be set up and applied to all user records in a database.

The required realm is the name of the Kerberos realm to which the user belongs.

The optional realm public key may be used to authenticate the KDC in a future release.

The following example yields a user principal of kerbdude@LDAP.EXAMPLE.COM:

;Kerberosv5;;Kerberosv5;0x3f71f7ed60eb4a19000003dd000003dd;kerbdude@LDAP.EXAMPLE.COM;LDAP.EXAMPLE.COM;1024 35 148426325667675065063924525312889134704829593528054246269765042088452509603776033113420195398827648618077455647972657589218029049259485673725023256091629016867281927895944614676546798044528623395270269558999209123531180552515499039496134710921013272317922619159540456184957773705432987195533509824866907128303 root@ldap.example.com
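The two formats above (Local Cached User and Kerberos Version 5) are both carried in the same version;tag;data attribute value, and the text is explicit that an absent or malformed data field must be ignored and must make authentication fail. The following parser is an added example written for this page, not Apple's code or part of the Open Directory API: it splits a value into version, tag and data, validates the LocalCachedUser data as exactly three non-empty colon-delimited strings with a well-formed GUID, validates the Kerberosv5 data with its required realm and optional UID, principal and realm public key, derives user@REALM when no principal is given, and enforces the rule that Local Cached User authentication is not combined with any other type. The GUID pattern (8-4-4-4-12 hex groups), the UID pattern (0x followed by 32 hex digits, matching the example on this page) and the assumption that a node name never contains a colon are the author's assumptions; the sample values in the test are constructed.

```python
"""Validator for Open Directory authentication authority values (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Assumption: GUIDs are 8-4-4-4-12 hex groups, as in the examples on this page.
GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
# Assumption: the optional 128-bit UID is written as 0x plus 32 hex digits.
UID_RE = re.compile(r"^0x[0-9A-Fa-f]{32}$")


class AuthAuthorityError(ValueError):
    """Absent or malformed authority data: the caller must treat this as
    a failed authentication, never fall through to another method."""


@dataclass(frozen=True)
class LocalCachedUser:
    version: str
    node_name: str
    record_name: str
    guid: str


@dataclass(frozen=True)
class KerberosV5:
    version: str
    uid: Optional[str]
    principal: str
    realm: str
    realm_public_key: Optional[str]


def split_authority(value: str):
    """Split 'version;tag;data'. The version may be empty, so a value may
    start with ';'. The data part keeps any further ';' characters."""
    parts = value.split(";", 2)
    if len(parts) != 3 or not parts[1]:
        raise AuthAuthorityError("expected version;tag;data")
    return parts[0], parts[1], parts[2]


def parse_local_cached_user(data: str, version: str = "") -> LocalCachedUser:
    """Data must be 'nodename:recordname:guid'; all three strings are required.
    Assumption: node names never contain ':' (true of the page's examples)."""
    fields = data.split(":")
    if len(fields) != 3 or not all(fields):
        raise AuthAuthorityError("LocalCachedUser data must be nodename:recordname:guid")
    node_name, record_name, guid = fields
    if not GUID_RE.match(guid):
        raise AuthAuthorityError("malformed GUID")
    return LocalCachedUser(version, node_name, record_name, guid)


def parse_kerberos_v5(data: str, user_name: str, version: str = "") -> KerberosV5:
    """Data is '[UID];[principal];realm;[realm public key]'. Only the realm is
    required; a missing principal is derived as user@REALM."""
    fields = data.split(";", 3)
    if len(fields) < 3:
        raise AuthAuthorityError("Kerberosv5 data must be [UID];[principal];realm;[key]")
    uid, principal, realm = fields[0], fields[1], fields[2]
    public_key = fields[3] if len(fields) == 4 else ""
    if not realm:
        raise AuthAuthorityError("Kerberos realm is required")
    if uid and not UID_RE.match(uid):
        raise AuthAuthorityError("malformed 128-bit UID")
    if not principal:
        principal = f"{user_name}@{realm}"
    return KerberosV5(version, uid or None, principal, realm, public_key or None)


def parse_authentication_authority(value: str, user_name: str) -> Union[LocalCachedUser, KerberosV5]:
    """Dispatch on the tag; anything unknown or malformed is an error."""
    version, tag, data = split_authority(value)
    if tag == "LocalCachedUser":
        return parse_local_cached_user(data, version)
    if tag == "Kerberosv5":
        return parse_kerberos_v5(data, user_name, version)
    raise AuthAuthorityError(f"unsupported authentication authority tag {tag!r}")


def check_record_authorities(values: List[str]) -> None:
    """Local Cached User authentication may not be combined with any other
    authentication type on the same record."""
    tags = [split_authority(v)[1] for v in values]
    if "LocalCachedUser" in tags and len(tags) > 1:
        raise AuthAuthorityError("LocalCachedUser cannot be combined with other types")


def authority_is_usable(value: str, user_name: str) -> bool:
    """True only for a well-formed value; a malformed one must fail authentication."""
    try:
        parse_authentication_authority(value, user_name)
        return True
    except AuthAuthorityError:
        return False
```

The parser never "repairs" a value: a missing GUID, an empty realm or a stray field is reported as an error rather than defaulted, which is what the text requires when it says a malformed field must be ignored and the attempt must fail.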

Open Directory Overview, page 19
2007-01-08 © 2007 Apple Inc. All Rights Reserved.
