3.66. <AuthBy LDAP_APS>

This clause finds user details in a Mac OS-X Directory Server LDAP database, and then authenticates the user password against a Mac OS-X Apple Password Server.
Mac OS-X Server includes a facility called Directory Server which provides information about users (amongst other things). Part of the Directory Server facility is an LDAP server that contains the user details. However, the LDAP server never contains any user passwords, it merely contains information about valid methods for authenticating that user. Users that have been configured to use the ‘Password Server’ authentication method can have passwords authenticated by the Apple Password Server facility.
Therefore, AuthBy LDAP_APS can authenticate any user configured into the Apple Directory Server LDAP server, and configured to use the Apple Password Server authentication method.
AuthBy LDAP_APS is a subclass of AuthBy LDAP2. IT queries the Mac OS-X LDAP server for information about a specific user in the same way as AuthBy LDAP2. It uses the user's authAuthority attribute from the LDAP database to determine how to authenticate the password. If the user is configured to be able to use the Apple Password Server (i.e. the authAuthority contains ApplePasswordServer, a user id and a Password Server address) then AuthBy LDAP_APS will authenticate the user's password by contacting (via TCP/IP) the specified Apple Password Server.
At Mac OS-X Server 10.4, Apple Password Server does not support all possible password authentication methods. In particular, it supports Plaintext (via CRAM-MD5), Digest-MD5 and MSCHAPV2. It does not support CHAP or MSCHAPV1. Therefore you can only use AuthBy LDAP_APS to authenticate PAP, MSCHAPV2, TTLS-PAP, TTLS-MSCHAPV2 or PEAP-MSCHAPV2 requests.
AuthBy LDAP_APS is configured in the same was as AuthBy LDAP2, except that you must specify PasswordAttr as authAuthority, since AuthBy LDAP_APS uses that attribute to find and contact the Password Server for that user.
Since standard TCP/IP is used to talk to the LDAP server and the Apple Password Server, it is not necessary to run Radiator and AuthBy LDAP_APS on the Mac OS-X Directory Server host. Radiator could run on a remote Mac, Linux, Windows or other host, different to the Mac OS-X host running the Directory Server and, in the general case, the Apple Password Server could be on a third host.
AuthBy LDAP_APS understands also the same parameters as <AuthBy LDAP2>. For more information, see Section 3.47. <AuthBy LDAP2>. There is a sample configuration file in goodies/ldap-aps.cfg in your Radiator distribution.

3.66.1. PasswordServerAddress

If this optional parameter is set, it forces Radiator to use the specified address as the address of the Apple Password server, instead of deducing it from the users data record. Addresses may be one of the forms:
  • dns/yoke.open.com.au
  • ipv4/
  • ipv6/2001:720:1500:1::a100
This can be useful with replicated password servers. It is common to set it to localhost: