With Mac OS X 10.4 I got a problem when user wants to log in into an account hosted in 389ds.
I presumably tracked the problem down to a SASL auth problem.

Using wireshark I recorded the traffic between my mac os x 10.4 machine and my 389ds server.
On logon the mac tries a bind without binddn but with SASL auth (mechanism CRAM-MD5).

Mac -> 389DS:  bindrequest with CRAM-MD5 to get credentials
389DS -> Mac: bindresponse with md5 credentials (eg. "<3051212195.15971967@host.domain>")
Mac -> 389DS: bindrequest CRAM-MD5 with user and hashed password (eg. "roland b98c....")
389DS -> MAC: bindresponse invalidcredentials ("SASL(-13): user not found: no secret in database")
Mac says sorry no logon...

With Mac OS X 10.5/10.6 it works. It also tries the CRAM-MD5 SASL auth. But when it failes it alternatively tries a bind with a binddn (eg. "uid=roland,ou=people,dc=domain") which is successful. Unfortunately I have a bigger amount of mac os x 10.4 machines which I cannot migrate to 10.5 oder later so I need to support this. I yet did not find a way to convince mac os x 10.4 to use a binddn for auth.

Any clue what is wrong here? Is this a SASL uid mapping problem or is it because the user passwords are stored SSHA hashed? I already tried to change the stored password from SSHA to MD5, but it does not help SASL auth fails with the same error message. Or is this a hash comparison problem?

Thanks in advance,