CHAPTER 1

Concepts

Constant | Description

kDS1AttrPort | Standard attribute for storing the port number at which a service is available; commonly found in kDSStdRecordTypeAFPServer, kDSStdRecordTypeFTPServer, kDSStdRecordTypeLDAPServer, kDSStdRecordTypeWebServer, and other service discovery records

kDSNAttrGroupMembership | Standard attribute for storing group memberships

kDSNAttrAuthenticationAuthority | Standard attribute for storing authentication authorities; commonly found in records of type kDSStdRecordTypeUsers and kDSStdRecordTypeComputers

Native Attribute Types

Developers can define their own attributes (known as native attributes). Open Directory maps the namespace of each directory system onto native types, while the standard types are the same across all Open Directory plug-ins.

Authentication

Open Directory for Mac OS X v10.2 supports authentication on a per-user basis. Each user record has an authentication authority attribute that specifies the type of authentication to be used for that user, together with all of the information required to use the specified authentication method, such as encoded password information.

Note: The information in this section is of interest to Open Directory clients that create user records or that want to change the authentication authority for a user. These clients must write the authentication authority attribute and may have to do a set password operation to have the change take effect. Open Directory clients that only do directory native authentication or that only change existing passwords do not need to interpret the authentication authority attribute because the Open Directory plug-ins handle the supported authentication authority attribute values.

This version of Mac OS X supports the following types of authentication:

Basic, which supports Crypt password authentication. For more information, see “Basic Authentication” (page 16).

Apple Password Server authentication, which uses a Mac OS X Password Server to perform authentication. For more information, see “Apple Password Server Authentication” (page 16).

Shadow Hash authentication, which uses salted SHA-1 hashes. The hash type can be configured using the authentication authority data. By default, NT and LAN Manager hashes are not stored in local files, but storing them in local files can be enabled. This is the default authentication for this version of Mac OS X. For more information, see “Shadow Hash Authentication” (page 18).

Local Windows authentication, which is a legacy subset of Shadow Hash authentication. For more information, see “Local Windows Hash Authentication” (page 18).

Local Cached User authentication, which is appropriate for mobile home directories using directory-based authentication such as LDAP. For more information, see “Local Cached User Authentication” (page 19).
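
The following C code is an added example, not code from Apple's guide: it audits authentication authority values against the authentication types listed above and flags the ones that rely on Crypt, legacy Windows hashes, or stored LAN Manager hashes. It assumes the value is a semicolon-delimited string of the form vers;tag;data, that the tags are spelled as in the code, and that enabled LAN Manager storage appears as SMB-LAN-MANAGER in the data field; none of these spellings appears on this page, the risk levels are this example's own policy, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Audit result for one value; the levels are this example's own policy. */
enum aa_risk { AA_OK = 0, AA_REVIEW = 1, AA_WEAK = 2, AA_MALFORMED = 3 };

/* Assumed layout: "vers;tag;data" (vers and data may be empty).
 * Copies the tag into tag_out and returns the data part, or NULL when the
 * value lacks two ';' separators or the tag is empty or too long. */
static const char *aa_split(const char *value, char *tag_out, size_t tag_len)
{
    const char *first = strchr(value, ';');
    if (first == NULL) return NULL;
    const char *second = strchr(first + 1, ';');
    if (second == NULL) return NULL;
    size_t n = (size_t)(second - first - 1);
    if (n == 0 || n >= tag_len) return NULL;
    memcpy(tag_out, first + 1, n);
    tag_out[n] = '\0';
    return second + 1;
}

/* Classify one value by the authentication types listed above. */
enum aa_risk aa_classify(const char *value)
{
    char tag[64];
    const char *data = aa_split(value, tag, sizeof tag);
    if (data == NULL) return AA_MALFORMED;
    if (strcmp(tag, "basic") == 0) return AA_WEAK;            /* Crypt password */
    if (strcmp(tag, "LocalWindowsHash") == 0) return AA_WEAK; /* legacy subset */
    if (strcmp(tag, "ShadowHash") == 0)  /* LAN Manager storage switched on? */
        return strstr(data, "SMB-LAN-MANAGER") ? AA_WEAK : AA_OK;
    if (strcmp(tag, "ApplePasswordServer") == 0) return AA_OK;
    return AA_REVIEW;  /* LocalCachedUser or an unknown tag: check by hand */
}

int main(void)
{
    /* Constructed sample values, not taken from a real directory. */
    const char *samples[] = {
        ";basic;", ";ShadowHash;", "1.0;LocalWindowsHash;", "ShadowHash",
        ";ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER>",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-58s risk=%d\n", samples[i], aa_classify(samples[i]));
    return 0;
}
```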

Open Directory Overview

15

2007-01-08 © 2007 Apple Inc. All Rights Reserved.
