Apple OS X Server User Manual

an appropriate network-based authentication method, such as CRAM-MD5, APOP, NT, LAN Manager, DHX,
or WebDAV Digest. Note that the Password Server's administrator may disable some authentication methods
in accordance with local security policies, so a client must not assume that every method is offered.
The authority data field must contain two strings separated by a single colon (:) character. The first string
begins with a SASL ID. The SASL ID is provided to the Password Server to identify who is attempting to
authenticate. Apple's Password Server implementation uses a unique pseudo-random 128-bit number,
encoded as hex-ASCII and assigned when the password was created, to identify user passwords in its private
password database. However, Open Directory clients should not assume that the first string will always be
a fixed-size value or a simple number; treat the SASL ID as an opaque string.
The SASL ID is followed by a comma (,) and a public key. The client uses this key to challenge the
Password Server before authentication begins, to confirm that the Password Server is not being spoofed.
The second string is a network address consisting of two sub-strings separated by the slash (/) character.
The first substring is optional and indicates the type of network address specified by the second substring.
The second substring is the actual network address. If the first substring and the slash character are not
specified, the second substring is assumed to be an IPv4 address. Because an IPv6 address itself contains
colons, the colon that separates the two strings of the authority data field is the first colon in the field.
If specified, there are three possible values for the first substring:
IPv4 — The client can expect the second substring to contain a standard 32-bit IPv4 network address
in dotted decimal format.
IPv6 — The client can expect the second substring to contain a standard 128-bit IPv6 network address
in colon-separated hexadecimal format.
dns — The client can expect the second substring to contain a fully qualified domain name representing
the network location of the password server.
If the authority data field is missing or malformed, the entire authentication authority attribute value must
be ignored, and any attempt to authenticate using it must fail.
In the following example of an authentication authority attribute for Mac OS X Password Server authentication,
the version field (the text before the first semicolon) is empty, so the version is assumed to be 1.0.0. The SASL ID is
0x3d069e157be9c1bd0000000400000004. The network address is not preceded by a type prefix such as ipv6/ or
dns/, so it is assumed to be an IPv4 address.
;ApplePasswordServer;0x3d069e157be9c1bd0000000400000004,1024 35 162238334177531214968844629131367208019989492134080333699347018789801300721338117529335469488591923943542260635936304162564340362835616440182909528175978839978526395971982754647985811845025859418619336892165981073840052570657008816692626571374650047656107118967420361846115729915621101131109959974708458210473 root@pwserver.example.com:17.221.43.124
In the following example, the appearance of dns indicates that the network address in the second substring
is a fully qualified domain name.
;ApplePasswordServer;0x3d069e157be9c1bd0000000400000004,1024 35 162238334177531214968844629131367208019989492134080333699347018789801300721338117529335469488591923943542260635936304162564340362835616440182909528175978839978526395971982754647985811845025859418619336892165981073840052570657008816692626571374650047656107118967420361846115729915621101131109959974708458210473 root@pwserver.example.com:dns/sasl.password.example.com
Open Directory Overview 17
2007-01-08 | © 2007 Apple Inc. All Rights Reserved.