Password Server

The Password Server is a key piece of Open Directory on OS X Server, and has been since version 10.3, Panther. It provides authentication for services that are not Kerberized, such as IMAP, POP3, SMTP, NTLM for Windows clients, and WebDAV, via the Simple Authentication and Security Layer (SASL).

Before Lion Server, the Password Server was almost completely separate from OpenLDAP. LDAP served the public directory information, while the Password Server guarded the sensitive authentication material. The only link between the two was the AuthenticationAuthority attribute in each user record, which names the authority (and, for the Password Server, the server and slot) that verifies that user's password. The password hashes themselves were kept in the /private/var/db/authserver/ directory.
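The AuthenticationAuthority attribute is the one place where a user record says where that user's secret lives, so auditing it tells you which accounts rely on the Password Server and which carry a hash inside the directory record itself. The following is an added example, not Apple's code: it reads constructed LDIF, parses each value (assumed to follow the common shapes `;ApplePasswordServer;<slot>,<pubkey> root@<host>:<host>`, `;Kerberosv5;;<principal>;<realm>;`, `;basic;<crypt hash>` and `;ShadowHash;...`), and reports where each account's secret is held. The attribute name `authAuthority`, the sample DNs, slot id and hosts are assumptions for the example.

```python
"""Audit where Open Directory users' secrets live, based on their
AuthenticationAuthority values.

Added example, not Apple's code. Assumptions: the LDAP attribute is
named authAuthority, and values have the shapes commonly seen in OD
records (see the lead-in). The LDIF below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=od,dc=example,dc=com
uid: alice
authAuthority: ;ApplePasswordServer;0x4f1e2d3c4b5a69788796a5b4c3d2e1f0,1024 35 1389540937 root@10.0.1.5:10.0.1.5
authAuthority: ;Kerberosv5;;alice@OD.EXAMPLE.COM;OD.EXAMPLE.COM;

dn: uid=svc-backup,cn=users,dc=od,dc=example,dc=com
uid: svc-backup
authAuthority: ;basic;$1$saltsalt$Q9rJ5wQmJzpZ0H7k0Vc1n/

dn: uid=bob,cn=users,dc=od,dc=example,dc=com
uid: bob
"""

# Authorities that keep the secret outside the directory record.
SECRET_OUTSIDE_RECORD = {"ApplePasswordServer", "Kerberosv5"}
# Authorities that embed a hash in the record itself (assumed list).
SECRET_IN_RECORD = {"basic", "ShadowHash"}


@dataclass
class Authority:
    tag: str          # e.g. "ApplePasswordServer"
    data: List[str]   # tag-specific fields, split on ';'


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank line ends an entry, 'attr: value' lines,
    a leading space continues the previous value."""
    entries: List[Dict[str, List[str]]] = []
    cur: Dict[str, List[str]] = {}
    last: Optional[str] = None
    for raw in text.splitlines():
        if raw == "":
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        if raw.startswith(" ") and last:
            cur[last][-1] += raw[1:]
            continue
        attr, _, val = raw.partition(": ")
        cur.setdefault(attr, []).append(val)
        last = attr
    if cur:
        entries.append(cur)
    return entries


def parse_authority(value: str) -> Authority:
    """Values start with ';', so the first split element is empty and the
    second is the authority tag; everything after is tag-specific."""
    if not value.startswith(";"):
        raise ValueError(f"unexpected AuthenticationAuthority value: {value!r}")
    _, tag, *data = value.split(";")
    return Authority(tag, data)


def password_server_endpoint(auth: Authority) -> Optional[Dict[str, str]]:
    """For ;ApplePasswordServer; values, pull the slot id and the server host.
    Assumed layout: '<slot>,<key> root@<host>:<host>'."""
    if auth.tag != "ApplePasswordServer" or not auth.data:
        return None
    slot, _, rest = auth.data[0].partition(",")
    host = rest.rsplit("@", 1)[-1].split(":")[0] if "@" in rest else ""
    return {"slot": slot, "host": host}


def audit_entry(entry: Dict[str, List[str]]) -> Dict[str, object]:
    auths = [parse_authority(v) for v in entry.get("authAuthority", [])]
    tags = {a.tag for a in auths}
    in_record = sorted(tags & SECRET_IN_RECORD)
    if in_record:
        verdict = "hash stored in directory record"   # readable via LDAP alone
    elif "ApplePasswordServer" in tags:
        verdict = "Password Server"
    elif "Kerberosv5" in tags:
        verdict = "Kerberos only"
    else:
        verdict = "no authentication authority value"
    endpoints = [e for e in map(password_server_endpoint, auths) if e]
    return {"dn": entry["dn"][0], "verdict": verdict, "in_record": in_record,
            "password_server": endpoints, "tags": sorted(tags)}


def audit(text: str) -> Dict[str, Dict[str, object]]:
    """Map each entry's DN to its audit result."""
    return {r["dn"]: r for r in map(audit_entry, parse_ldif(text))}


if __name__ == "__main__":
    for dn, r in audit(SAMPLE_LDIF).items():
        print(f"{dn}: {r['verdict']} {r['password_server'] or ''}")
```

On a real server the LDIF would come from an `ldapsearch` against the directory node; an account whose verdict is "hash stored in directory record" is exactly the case the Password Server was designed to avoid, since that hash is exposed to anyone who can read the user entry.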

The chief advantage of this separation is that the authentication hashes live apart from every other part of the system. A compromise of the LDAP side alone cannot reveal them.

The downside of this separation is that Open Directory replication prior to Lion Server was more complicated. OpenLDAP and the Password Server replicated independently, each with its own mechanism for keeping master and replica in sync, and it was sometimes hard to tell whether a replication had succeeded or failed, since one service might report success while the other reported failure.

In Lion Server, the authentication hashes are kept in a hidden LDAP container, cn=authdata, that only the Password Server is permitted to read. It lives in a completely separate LDAP database from the primary directory data maintained by Open Directory.

Storing the authentication data this way makes replication much simpler: OpenLDAP is the only replicating service. The Password Server verifies credentials against the cn=authdata container on the local server and no longer maintains a database of its own.

The downside is that the separation between LDAP and authentication is lost: a compromise of OpenLDAP may expose the authentication hashes. The OpenLDAP access-control configuration should prevent that, and it is worth confirming on a deployed server that an anonymous or ordinary user bind returns nothing from a search under cn=authdata. Even so, it is not clear how the relative exposure will play out. LDAP is complex in places, and the net result may be a lower overall level of security.