■ Kerberos Version 5 authentication, which is used to authenticate users to Kerberos v5 systems. For more
information, see “Kerberos Version 5 Authentication” (page 19).
■ Disabled User authentication, which prevents anyauthentication from taking place. For more information,
see “Disabled User Authentication” (page 20).
Note: For compatibility with previous versions of Mac OS X, user records that do not have an authentication
authority attribute are authenticated using Basic password authentication.
User records contain an optional authentication authority attribute. The authentication authority attribute
can have one or more values specifying how authentication and password changing should be conducted
for that user. The format of this attribute is a semicolon-delimited string consisting of fields in the following
order:
■ version — a numeric value that identifies the structure of the attribute. This field is currently not used
and usually is blank. This field may contain up to three 32-bit integer values (ASCII 0–9) separated by
periods (.). If this field is empty or its value is 1, the version is consideration to be 1.0.0. If the second or
the third field is empty; the version is interpreted as 0. Most client software will only needs to check the
first digit of the version field. This field cannot contain a semi-colon (;) character.
■ authority tag — a string value containing the authentication type for this user. Each authentication type
defines the format of the authority data field and specifies how the authority data field is interpreted.
The authority tag field is treated as a UTF8 string in which leading, embedded, and trailing spaces are
significant. When compared with the list of known types of authentication, the comparison is
case-insensitive. Open Directory clients that encounter an unrecognized type of authentication must
treat the authentication attempt as a failure. This field cannot contain a semi-colon character.
■ authority data — a field whose value depends on the type of authentication in the authority tag field.
This field may be empty and is allowed to contain semi-colon characters.
Basic Authentication
An Open Directory client that encounters a user record containing the Basic authentication type should
conduct authentication in a manner consistent with the authentication method supported byMac OS X v10.0
and v10.1, which was crypt password authentication.
If the user record does not have an authentication authority attribute, the Open Directory client should use
the Basic authentication type.
Here are some examples of authentication authority attributes that use the Basic authentication type:
;basic;
1.0.0;basic;
1;basic;
All three examples have the same result: authentication is conducted using crypt.
Apple Password Server Authentication
The Apple Password Server authentication type requires an Open Directory client to contact a Simple
Authentication and Security Layer (SASL) password server at the network address stored in the authority
data field. After contacting the Password Server, the Open Directory client can interrogate it to determine
16
Open Directory Overview
2007-01-08 | © 2007 Apple Inc. All Rights Reserved.
CHAPTER 1
Concepts