C H A P T E R 1
Concepts
Disabled User Authentication
The Disabled User authentication is used to indicate that an account has been disabled. The complete previous authentication attribute value is retained in the authority data field and is enclosed by left and right angle brackets. If the authority data field is absent, Basic authentication is assumed.
Here are some examples of properly formed authentication authority attribute values for Disabled User authentication:
;DisabledUser;;ShadowHash;
;DisabledUser;<;ShadowHash;>
The left ( < ) and right ( > ) angle brackets around the old authentication authority value are optional. Any tool that
Multiple Authentication Attribute Values
An authentication attribute can have multiple values. When changing a password, all authentication authority values are tried until the password is successfully changed or an error occurs. When verifying a password, the order of authentication authority values determines which value is used first. The first authentication authority that returns something other than eDSAuthMethodNotSupported is used. For example, Local Windows Hash returns eDSAuthMethodNotSupported for all methods other than the change and set methods, cleartext authentication, and the SMB LM and SMB NT authentication methods.
Authentication Versus Authorization
It is important to distinguish the difference between authentication and authorization:
■authentication — a process that uses a piece of information provided by the user (typically a password) to verify the identity of that user
■authorization — the determination of whether a user has permission to access a particular set of information
Open Directory allows an Open Directory client to use any method to authenticate a user. Open Directory does not provide any facility for determining whether a user is authorized to access any particular set of information. Moreover, Open Directory does not provide an authorization model. Instead, Open Directory clients are responsible for granting or denying a user access to a particular set of information based on the user’s authenticated identity.
When developing an authorization model, Open Directory clients must consider the following:
■the authorization information to store
■where and how to store authorization information
■which applications can see, create, or modify authorization information
■who is authorized to see and change authorization information
Often authorization is based on membership in a particular group. Many directory services store authorization information in the directory service itself. These directory services use the identity that is currently being used to access the directory service to determine whether to grant access to this information.
