Hi...
With Mac OS X 10.4 I got a problem when
user wants to log in into an account hosted in 389ds.
I presumably tracked the problem down
to a SASL auth problem.
Using wireshark I recorded the traffic
between my mac os x 10.4 machine and my 389ds server.
On logon the mac tries a bind without
binddn but with SASL auth (mechanism CRAM-MD5).
Mac -> 389DS: bindrequest with
CRAM-MD5 to get credentials
389DS -> Mac: bindresponse with md5
credentials (eg. "<3051212195.15971967@host.domain>")
Mac -> 389DS: bindrequest CRAM-MD5
with user and hashed password (eg. "roland b98c....")
389DS -> MAC: bindresponse invalidcredentials
("SASL(-13): user not found: no secret in database")
Mac says sorry no logon...
With Mac OS X 10.5/10.6 it works. It
also tries the CRAM-MD5 SASL auth. But when it failes it alternatively
tries a bind with a binddn (eg. "uid=roland,ou=people,dc=domain")
which is successful. Unfortunately I have a bigger amount of mac os x 10.4
machines which I cannot migrate to 10.5 oder later so I need to support
this. I yet did not find a way to convince mac os x 10.4 to use a binddn
for auth.
Any clue what is wrong here? Is this
a SASL uid mapping problem or is it because the user passwords are stored
SSHA hashed? I already tried to change the stored password from SSHA to
MD5, but it does not help SASL auth fails with the same error message.
Or is this a hash comparison problem?
Thanks in advance,
Roland