Hi...
With Mac OS X 10.4 I got a problem when user wants to log in into an
account hosted in 389ds.
I presumably tracked the problem down to a SASL auth problem.
Using wireshark I recorded the traffic between my mac os x 10.4 machine
and my 389ds server.
On logon the mac tries a bind without binddn but with SASL auth (mechanism
CRAM-MD5).
Mac -> 389DS: bindrequest with CRAM-MD5 to get credentials
389DS -> Mac: bindresponse with md5 credentials (eg.
"<3051212195.15971967(a)host.domain>")
Mac -> 389DS: bindrequest CRAM-MD5 with user and hashed password (eg.
"roland b98c....")
389DS -> MAC: bindresponse invalidcredentials ("SASL(-13): user not found:
no secret in database")
Mac says sorry no logon...
With Mac OS X 10.5/10.6 it works. It also tries the CRAM-MD5 SASL auth.
But when it failes it alternatively tries a bind with a binddn (eg.
"uid=roland,ou=people,dc=domain") which is successful. Unfortunately I
have a bigger amount of mac os x 10.4 machines which I cannot migrate to
10.5 oder later so I need to support this. I yet did not find a way to
convince mac os x 10.4 to use a binddn for auth.
Any clue what is wrong here? Is this a SASL uid mapping problem or is it
because the user passwords are stored SSHA hashed? I already tried to
change the stored password from SSHA to MD5, but it does not help SASL
auth fails with the same error message. Or is this a hash comparison
problem?
Thanks in advance,
Roland