an appropriate network-based authentication method, such as CRAM-MD5, APOP, NT, LAN Manager, DHX,
or Web-DAV Digest. Note that the Password Server's administrator may disable some authentication methods
in accordance with local security policies.
The authority data field must contain two strings separated by a single colon (:) character. The first string
begins with a SASL ID. The SASL ID is provided to the Password Server to identify who is attempting to
authenticate. Apple's Password Server implementation uses a unique pseudo-random 128-bit number
encoded as hex-ASCII, assigned when the password was created, to identify user passwords in its private
password database. However, Open Directory clients should not assume that the first string will always be
a fixed-size value or a simple number.
The SASL ID is followed by a comma (,) and a public key, which is used when the client challenges the
Password Server before authentication begins to confirm that the Password Server is not being spoofed.
The second string is a network address consisting of two substrings separated by the slash (/) character.
The first substring is optional and indicates the type of network address specified by the second substring.
The second substring is the actual network address. If the first substring and the slash character are not
specified, the second substring is assumed to be an IPv4 address.
If specified, there are three possible values for the first substring:
IPv4 — The client can expect the second substring to contain a standard 32-bit IPv4 network address
in dotted decimal format.
IPv6 — The client can expect the second substring to contain a standard 64-bit IPv6 network address.
dns — The client can expect the second substring to contain a fully qualified domain name representing
the network location of the password server.
If the authority data field is missing or malformed, the entire authentication authority attribute value must
be ignored and any attempt to authenticate using it must be failed.
In the following example of an authentication authority attribute for Mac OS X Password Server authentication,
the version field is empty, so the version is assumed to be 1.0.0. The SASL ID is
0x3d069e157be9c1bd0000000400000004. The IP address is not preceded by ipv6/, so the IP address is
assumed to be an IPv4 address.
;ApplePasswordServer;0x3d069e157be9c1bd0000000400000004,1024 35
16223833417753121496884462913136720801998949213408033369934701878980130072
13381175293354694885919239435422606359363041625643403628356164401829095281
75978839978526395971982754647985811845025859418619336892165981073840052570
65700881669262657137465004765610711896742036184611572991562110113110995997
4708458210473 root@pwserver.example.com:17.221.43.124
In the following example, the appearance of dns indicates that the network address in the second substring
is a fully qualified domain name.
;ApplePasswordServer;0x3d069e157be9c1bd0000000400000004,1024 35
16223833417753121496884462913136720801998949213408033369934701878980130072
13381175293354694885919239435422606359363041625643403628356164401829095281
75978839978526395971982754647985811845025859418619336892165981073840052570
65700881669262657137465004765610711896742036184611572991562110113110995997
4708458210473 root@pwserver.example.com:dns/sasl.password.example.com
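As an added illustration (not code from Apple's Open Directory documentation), the following Python parser applies the rules above to an attribute value: it splits off the version and tag, separates the SASL ID from the public key at the comma, interprets the optional ipv4/, ipv6/ or dns/ prefix, and returns None for anything malformed so the caller can ignore the value and fail the authentication as the text requires. The sample modulus is constructed and shortened; matching the prefix case-insensitively is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Address-type prefixes the document defines; a value with no slash means IPv4.
ADDRESS_TYPES = ("ipv4", "ipv6", "dns")
_FQDN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

# Constructed samples in the page's layout; the modulus is shortened, not a real key.
SAMPLE_IPV4 = (";ApplePasswordServer;0x3d069e157be9c1bd0000000400000004,"
               "1024 35 16223833417753121496 root@pwserver.example.com:17.221.43.124")
SAMPLE_DNS = (";ApplePasswordServer;0x3d069e157be9c1bd0000000400000004,"
              "1024 35 16223833417753121496 root@pwserver.example.com:dns/sasl.password.example.com")


@dataclass(frozen=True)
class PasswordServerAuthority:
    version: str       # "1.0.0" when the version field was empty
    sasl_id: str       # opaque: do not assume a fixed size or a plain number
    public_key: str    # used to challenge the server before authenticating
    address_type: str  # "ipv4", "ipv6" or "dns"
    address: str


def _address_ok(kind: str, addr: str) -> bool:
    """Check the second substring against the type announced by the prefix."""
    try:
        if kind in ("ipv4", "ipv6"):
            return ipaddress.ip_address(addr).version == (4 if kind == "ipv4" else 6)
    except ValueError:
        return False
    return bool(_FQDN_RE.match(addr))


def parse_password_server_authority(value: str) -> Optional[PasswordServerAuthority]:
    """Return the parsed authority, or None when the whole value must be ignored."""
    version, tag, data = (value.split(";", 2) + ["", ""])[:3]
    if tag != "ApplePasswordServer" or not data:
        return None
    # Split at the first colon: the SASL ID and key contain none, but an IPv6 address may.
    first, sep, second = data.partition(":")
    if not sep or not second:
        return None
    sasl_id, sep, public_key = first.partition(",")
    if not sep or not sasl_id or not public_key.strip():
        return None
    kind, sep, addr = second.partition("/")
    if not sep:
        kind, addr = "ipv4", second  # no prefix: assumed IPv4
    kind = kind.lower()              # assumption: prefix compared case-insensitively
    if kind not in ADDRESS_TYPES or not _address_ok(kind, addr):
        return None
    return PasswordServerAuthority(version or "1.0.0", sasl_id, public_key.strip(), kind, addr)
```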
Open Directory Overview 17
2007-01-08 | ©2007 Apple Inc. All Rights Reserved.
CHAPTER 1
Concepts