CHAPTER 1

Concepts

an appropriate network-based authentication method, such as CRAM-MD5, APOP, NT, LAN Manager, DHX, or Web-DAV Digest. Note that the Password Server’s administrator may disable some authentication methods in accordance with local security policies.

The authority data field must contain two strings separated by a single colon (:) character. The first string begins with a SASL ID. The SASL ID is provided to the Password Server to identify who is attempting to authenticate. Apple’s Password Server implementation uses a unique pseudo-random 128-bit number encoded as hex-ASCII assigned when the password was created to identify user passwords in its private password database. However, Open Directory clients should not assume that the first string will always be a fixed-size value or a simple number.

The SASL ID is followed by a comma (,) and a public key, which is used when the client challenges the Password Server before authentication begins to confirm that the Password Server is not being spoofed.

The second string is a network address consisting of two substrings separated by the slash (/) character. The first substring is optional and indicates the type of network address specified by the second substring. The second substring is the actual network address. If the first substring and the slash character are not specified, the second substring is assumed to be an IPv4 address.

If specified, there are three possible values for the first substring:

IPv4 — The client can expect the second substring to contain a standard 32-bit IPv4 network address in dotted decimal format.

IPv6 — The client can expect the second substring to contain a standard 64-bit IPv6 network address.

dns — The client can expect the second substring to contain a fully qualified domain name representing the network location of the password server.

If the authority data field is missing or malformed, the entire authentication authority attribute value must be ignored and any attempt to authenticate using it must be failed.

In the following example of an authentication authority attribute for Mac OS X Password Server authentication, the version field is empty, so the version is assumed to be 1.0.0. The SASL ID is 0x3d069e157be9c1bd0000000400000004. The IP address is not preceded by ipv6/, so the IP address is assumed to be an IPv4 address.

;ApplePasswordServer;0x3d069e157be9c1bd0000000400000004,1024 35 16223833417753121496884462913136720801998949213408033369934701878980130072 13381175293354694885919239435422606359363041625643403628356164401829095281 75978839978526395971982754647985811845025859418619336892165981073840052570 65700881669262657137465004765610711896742036184611572991562110113110995997 4708458210473 root@pwserver.example.com:17.221.43.124

In the following example, the appearance of dns indicates that the network address in the second substring is a fully qualified domain name.

;ApplePasswordServer;0x3d069e157be9c1bd0000000400000004,1024 35 16223833417753121496884462913136720801998949213408033369934701878980130072 13381175293354694885919239435422606359363041625643403628356164401829095281 75978839978526395971982754647985811845025859418619336892165981073840052570 65700881669262657137465004765610711896742036184611572991562110113110995997 4708458210473 root@pwserver.example.com:dns/sasl.password.example.com
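The parsing rules above, as an added Python example that is not Apple's code: it splits a value into version, tag and data (assuming the version;tag;data layout the examples show, with an empty version before the first semicolon), separates the SASL ID, public key and network address, applies the optional type prefix with the IPv4 default, and rejects the whole value on any malformed field. The sample values are constructed from the page's examples with the public key shortened, and the FQDN check is a hypothetical minimal stand-in.

```python
import ipaddress
import re
from typing import Optional

# Constructed samples modelled on the page's examples; the public key is shortened.
SASL_ID = "0x3d069e157be9c1bd0000000400000004"
PUBKEY = "1024 35 162238334177531214968844629131367208019989 root@pwserver.example.com"
EXAMPLE_IPV4 = f";ApplePasswordServer;{SASL_ID},{PUBKEY}:17.221.43.124"
EXAMPLE_DNS = f";ApplePasswordServer;{SASL_ID},{PUBKEY}:dns/sasl.password.example.com"

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def _valid_fqdn(name: str) -> bool:
    """Hypothetical minimal FQDN check: two or more well-formed dotted labels."""
    labels = name.rstrip(".").split(".")
    return 0 < len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(lab) for lab in labels)

def parse_pws_authority(value: str) -> Optional[dict]:
    """Parse one ';ApplePasswordServer;...' value into its fields, or return None
    when it is malformed (then the whole value is ignored and authentication fails)."""
    parts = value.split(";", 2)  # assumed layout: version;tag;data (version may be empty)
    if len(parts) != 3 or parts[1] != "ApplePasswordServer":
        return None
    version, _tag, data = parts
    # Data field: "<SASL ID>,<public key>:<network address>". The key carries no
    # colon, so the first colon separates the two strings even for IPv6 addresses.
    first, sep, netaddr = data.partition(":")
    if not sep:
        return None
    sasl_id, sep, public_key = first.partition(",")
    if not sep or not sasl_id or not public_key:
        return None
    # Optional "<type>/" prefix on the address; without it an IPv4 address is assumed.
    addr_type, sep, address = netaddr.partition("/")
    if not sep:
        addr_type, address = "ipv4", netaddr
    addr_type = addr_type.lower()
    try:
        if addr_type == "ipv4":
            address = str(ipaddress.IPv4Address(address))
        elif addr_type == "ipv6":
            address = str(ipaddress.IPv6Address(address))
        elif addr_type != "dns" or not _valid_fqdn(address):
            return None  # unknown type, or a dns entry that is not a valid FQDN
    except ValueError:
        return None
    return {"version": version or "1.0.0", "sasl_id": sasl_id,
            "public_key": public_key, "addr_type": addr_type, "address": address}
```

A None result is the "ignore the attribute value and fail the attempt" outcome the text requires; a bare host name with no dns/ prefix is rejected because it is read as an IPv4 address.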

Open Directory Overview

17

2007-01-08 © 2007 Apple Inc. All Rights Reserved.
