SASL authentication appears to be operating incorrectly on my install
of FDS. We do not use SASL; our passwords are stored in FDS using
CRYPT-MD5, SMD5, and SSHA256, depending on when and how the account's
password was last changed. As I understand it, SASL authentication
using DIGEST-MD5 and CRAM-MD5 only works if passwords are stored in
cleartext in FDS. Is this correct?
The problem is that our OS X clients, when configured for LDAP
authentication, try a SASL bind (CRAM-MD5) first then fall back to a
simple bind if that fails. When OS X checks a login against an
OpenLDAP server, the server returns resultCode 80 (other), error
message "SASL(-13): user not found: no secret in database", and so the
client falls back to a simple bind. However, when OS X tries a SASL
bind against FDS, the server returns resultCode 49
(invalidCredentials), error message "SASL(-13): authentication
failure: incorrect digest response", and so the client assumes that
the login failed.
Is this a bug in FDS? Or did I misconfigure something? Is there an
easy workaround? Our Macs are mostly unusable until I can get this
fixed.
Thanks.
Josh Kelley