Chapter 1
Concepts
■Kerberos Version 5 authentication, which is used to authenticate users to Kerberos v5 systems. For more information, see “Kerberos Version 5 Authentication” (page 19).
■Disabled User authentication, which prevents any authentication from taking place. For more information, see “Disabled User Authentication” (page 20).
Note: For compatibility with previous versions of Mac OS X, user records that do not have an authentication authority attribute are authenticated using Basic password authentication.
User records contain an optional authentication authority attribute. The authentication authority attribute can have one or more values specifying how authentication and password changing should be conducted for that user. The format of this attribute is a
■version — a numeric value that identifies the structure of the attribute. This field is currently not used and usually is blank. This field may contain up to three
■authority tag — a string value containing the authentication type for this user. Each authentication type defines the format of the authority data field and specifies how the authority data field is interpreted. The authority tag field is treated as a UTF8 string in which leading, embedded, and trailing spaces are significant. When compared with the list of known types of authentication, the comparison is
■authority data — a field whose value depends on the type of authentication in the authority tag field. This field may be empty and is allowed to contain
Basic Authentication
An Open Directory client that encounters a user record containing the Basic authentication type should conduct authentication in a manner consistent with the authentication method supported by Mac OS X v10.0 and v10.1, which was crypt password authentication.
If the user record does not have an authentication authority attribute, the Open Directory client should use the Basic authentication type.
Here are some examples of authentication authority attributes that use the Basic authentication type:
;basic;
1.0.0;basic;
1;basic;
All three examples have the same result: authentication is conducted using crypt.
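A parser and method selector for the attribute format described above (version;authority tag;authority data) together with the Basic fallback rules, as an added Python example that is not code from Apple's documentation. Only the basic tag appears on this page; the other tag spellings, the case-insensitive tag match, the fail-closed treatment of unknown tags and the sample Password Server address are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Method keyed by authority tag. Only "basic" appears on this page; the other
# three tag spellings are assumed here from the type names the chapter lists.
KNOWN_TAGS = {
    "basic": "crypt",               # Basic: crypt password authentication
    "applepasswordserver": "sasl",  # contact the SASL Password Server in data
    "kerberosv5": "kerberos",       # Kerberos v5 authentication
    "disableduser": "disabled",     # no authentication may take place
}


@dataclass
class AuthAuthority:
    version: str  # numeric, usually blank
    tag: str      # authentication type; spaces are significant
    data: str     # type-specific; e.g. the Password Server address for SASL


def parse_authority(value: str) -> AuthAuthority:
    """Split one attribute value into version;tag;data.

    Assumption: only the first two semicolons delimit fields, so the
    authority data may itself contain semicolons (the text allows this).
    """
    parts = value.split(";", 2)
    if len(parts) < 2:
        raise ValueError(f"malformed authentication authority: {value!r}")
    return AuthAuthority(parts[0], parts[1], parts[2] if len(parts) == 3 else "")


def select_method(values: Optional[list]) -> tuple:
    """Return (method, authority data) for a user record.

    No attribute: Basic (crypt), per the compatibility note. The tag is not
    stripped (spaces are significant); matching is case-insensitive, which is
    an assumption since the page cuts off there. A DisabledUser value, or any
    tag not in the known list, fails closed as "disabled": the page does not
    define unknown tags, so that is a defensive choice, not the spec.
    """
    if not values:
        return ("crypt", "")
    resolved = []
    for v in values:
        auth = parse_authority(v)
        resolved.append((KNOWN_TAGS.get(auth.tag.lower(), "disabled"), auth.data))
    disabled = [r for r in resolved if r[0] == "disabled"]
    return disabled[0] if disabled else resolved[0]
```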
Apple Password Server Authentication
The Apple Password Server authentication type requires an Open Directory client to contact a Simple Authentication and Security Layer (SASL) password server at the network address stored in the authority data field. After contacting the Password Server, the Open Directory client can interrogate it to determine
16 Open Directory Overview