SASL authentication appears to be operating incorrectly on my install of FDS. We do not use SASL; our passwords are stored in FDS using CRYPT-MD5, SMD5, and SSHA256, depending on when and how the account's password was last changed. As I understand it, SASL authentication using DIGEST-MD5 and CRAM-MD5 only works if passwords are stored in cleartext in FDS. Is this correct?
The problem is that our OS X clients, when configured for LDAP authentication, try a SASL bind (CRAM-MD5) first then fall back to a simple bind if that fails. When OS X checks a login against an OpenLDAP server, the server returns resultCode 80 (other), error message "SASL(-13): user not found: no secret in database", and so the client falls back to a simple bind. However, when OS X tries a SASL bind against FDS, the server returns resultCode 49 (invalidCredentials), error message "SASL(-13): authentication failure: incorrect digest response", and so the client assumes that the login failed.
Is this a bug in FDS? Or did I misconfigure something? Is there an easy workaround? Our Macs are mostly unusable until I can get this fixed.
Thanks.
Josh Kelley