Re: OpenDirectory, DirectoryServices, OpenLDAP architecture questions
- Subject: Re: OpenDirectory, DirectoryServices, OpenLDAP architecture questions
- From: Michael Torrie <email@hidden>
- Date: Tue, 15 Mar 2005 22:25:30 -0700
On Tue, 2005-03-15 at 16:18 -0800, Jason Townsend wrote:
> Hopefully I can help explain things some... despite our best efforts
> on documentation it seems there are always some questions left
> unanswered. I'm assuming you have seen the Open Directory API (also
> known as the Directory Services API) documentation already?
>
> http://developer.apple.com/documentation/Networking/Conceptual/
> Open_Directory/
Thanks so much for this reply. It helps greatly. I have browsed the
documentation on the api before, but needed to understand a bit more of
the 10,000 foot view. A couple more questions are at the bottom of this
e-mail.
> DirectoryService is a daemon which provides various directory data to
> the rest of the operating system from a variety of sources. These are
> provided by plug-ins which use a common API. Current plug-ins include
> LDAPv3, NetInfo, BSD flat files and NIS, and others.
Essentially DirectoryService acts like a combination of PAM and the
name-switching service on Linux?
>
> NetInfo is a directory system which originated with NeXT and is most
> commonly used for the local directory information on every Mac OS X
> system. It also supports serving information over the network. Maybe
> the source of the confusion for item (1) in your list is that the
> "netinfo" project available through Darwin provides not only the
> NetInfo daemons and tools, but also lookupd.
I actually meant to say "lookupd" in the list instead of netinfo.
>
> lookupd services many of the POSIX style APIs for looking up
> information on users, groups, mounts, hosts, services, etc. For
> example: getpwnam(), getpwuid(), getaddrinfo(), gethostbyname() and
> so on. There is a plug-in to lookupd called DSAgent which calls the
> Directory Services API and provides information from the
> DirectoryService daemon to clients of lookupd.
I have observed that on occasion when the ldap server goes weird, things
slowly start to not work. Eventually, if left long enough, even
DirectoryService freezes. If I kill it, it won't restart, but just
freezes immediately. At this point, any application that makes any libc
call that goes to lookupd or any DirectoryService call blocks
indefinitely. This almost seems like a deadlock, i.e. the
DirectoryService system cannot respond because LDAP is not responding
(still accepting connections but blocks indefinitely). And at this
point I cannot get lookupd or DirectoryService to restart because they
both need to do some call that depends on LDAP. So it is kind of
circular. The only way I can break the cycle is if I kill lookupd,
DirectoryService, PasswordService, and slapd (whatever is still running)
all simultaneously. Only then does the whole system unstick so that I
can get slapd and all the other parts of OpenDirectory running again.
In this case PasswordService won't start automatically so I have to
start it manually.
>
> For the following discussion, I'm describing how things work for a
> typical user in an Open Directory LDAP server.
>
> When authenticating as a Password Server based user in LDAP, there
> are two plug-ins involved inside DirectoryService. There's the LDAPv3
> plug-in, which looks up the user record and looks for
> AuthenticationAuthority and Password attributes. In this case there
> is an authentication authority present which indicates a tag of
> ApplePasswordServer as the first value. Since this is a Password
> Server user, the PasswordServer plug-in is called with information
> from the AuthenticationAuthority data to perform the authentication.
> If the cleartext password was passed in by the client of the
> Directory Services API, the plug-ins can use the best authentication
> method available to verify the password.
This is as I figured.
<snip>
> As described above, LDAPv3 is used in addition to the Password Server
> protocol. The Password Server protocol is based on SASL for any
> challenge response authentications, and there are some additional
> commands specific to it. Currently there is no documentation but the
> Password Server plug-in source is available from the
> DSPasswordServerPlugin project. Password Server uses either port 3659
> or 106. 3659 is the preferred port for current implementations.
>
> For more on SASL, check out CMU's list of RFCs here:
>
> http://asg.web.cmu.edu/sasl/sasl-ietf-docs.html
So essentially all an opendirectory client (say an iMac) uses is
straight LDAP and SASL protocol? How are things like authenticating to
change a password handled (the auth flag thing you were talking about)?
One of my goals is to somehow get a PAM module created for Linux to
interface with OpenDirectory. LDAP is adequate for many things, but
talking to the SASL repository would be even better.
Thanks.
Michael
>
> -Jason
--
Michael Torrie <email@hidden>
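The failure mode described in this message (slapd still accepting TCP connections but never answering, so lookupd and DirectoryService block with no timeout) can be checked from the outside with a bounded-timeout probe. This is an added example, not code from either poster or from Apple's Open Directory: it sends a BER-encoded anonymous LDAPv3 bind and classifies the port as responded, silent, closed or refused, and ships with a constructed stand-in server so it runs offline; the loopback host, the default port 389 and the state labels are my assumptions.

```python
import socket
import threading

# Minimal BER-encoded LDAPv3 anonymous simple bind request, messageID 1.
# A healthy slapd answers it with a bindResponse within milliseconds.
LDAP_ANON_BIND = bytes.fromhex("300c020101600702010304008000")
# Matching bindResponse (resultCode success), used only by the fake server.
LDAP_BIND_OK = bytes.fromhex("300c020101610a01000400" + "0400")


def probe(host, port, request=LDAP_ANON_BIND, timeout=3.0):
    """Classify a directory port: 'responded', 'silent', 'closed' or 'refused'.

    'silent' is the state from the thread: the TCP connection is accepted but
    no reply ever arrives, so any client that reads without a timeout hangs.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)          # bound the read as well as the connect
            s.sendall(request)
            data = s.recv(1024)
            return "responded" if data else "closed"
    except socket.timeout:
        return "silent"                    # accepted, then nothing: the wedge
    except OSError:
        return "refused"                   # nobody listening / unreachable


def start_fake_server(reply=LDAP_BIND_OK):
    """Constructed stand-in for slapd on an ephemeral loopback port.

    reply=None mimics the wedged server: it accepts and then holds the
    connection without answering. Returns the port number.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            if reply is None:
                threading.Event().wait(60)  # hang while holding the connection
            else:
                conn.recv(1024)             # consume the bind request
                conn.sendall(reply)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `probe("ldap.example.invalid", 389)` against a real server and alert on anything but "responded"; a "silent" result is the signal to restart slapd before lookupd and DirectoryService wedge behind it.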
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden