Go Back   MacRumors Forums > Apple Systems and Services > OS X > Mac OS X Server, Xserve, and Networking

#1 Cabbit (macrumors 68020, joined Jan 2006, Scotland), Jul 25, 2011, 06:11 AM
Lion and OpenLDAP

Greetings,

I am having an issue with Lion clients and servers connecting to an OpenLDAP server. The clients are logging in with the username but the passwords are not being authorised. It's blindly accepting any password.

Following https://help.apple.com/advancedserve...dAE970666-0053...
I have no mapping for password or authentication authority. From the logs no bind is taking place except the initial bind.

There is nothing fancy going on at our end, just that the new Minis are running Lion using the same config as we do with Snow Leopard.

Any help is greatly appreciated.

Update:
LDAP authentication issue.

We have an openldap server, authenticating many users on Windows, Linux, and OSX (Leopard + Snow Leopard).

Our LDAP mappings are fairly minimal, as we don't include too many apple specific fields.

However, on Lion, with LDAP configured as on Snow Leopard, user authentication blindly accepts any password, which really isn't what we want!

User + Group lookup is fine. Just authentication is not happening as expected.

Client logs don't really show anything specific.

Server logs suggest that authentication isn't happening.

We don't use SSL or Kerberos, nor are we able to switch to Apple's Open Directory LDAP implementation.

Update 2:
Directory Utility > Directory Editor > Authenticate works as expected, so user records can be edited, given the correct credentials. However, just not at login.
Last edited by Cabbit; Jul 25, 2011 at 06:20 AM.
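The check the first post points at ("from the logs no bind is taking place except the initial bind") can be automated on the OpenLDAP side. The following is an added example, not code from the thread or from Apple: it parses slapd "stats" log lines (loglevel 256) and reports users whose record was looked up but who never bound to the server, which is exactly the symptom described. The log lines are constructed to mimic slapd's format; the host name, DNs, IPs and connection numbers are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of slapd "stats" log lines (loglevel 256); not taken from the thread.
# conn=1001/1002: anonymous bind + lookup of a user record (what a login does first).
# conn=1003: the user-as-DN bind that a correct client does next (first attempt wrong
#            password -> err=49 invalidCredentials, second attempt -> err=0).
# "alice" is looked up but never bound as: the thread's symptom.
SAMPLE_LOG = """\
Jul 25 09:12:01 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.0.0.21:49152 (IP=0.0.0.0:389)
Jul 25 09:12:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="" method=128
Jul 25 09:12:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Jul 25 09:12:01 ldap1 slapd[1234]: conn=1001 op=1 SRCH base="ou=People,dc=example,dc=org" scope=2 deref=0 filter="(uid=alice)"
Jul 25 09:12:01 ldap1 slapd[1234]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 25 09:12:01 ldap1 slapd[1234]: conn=1001 op=2 UNBIND
Jul 25 09:13:40 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=10.0.0.22:50011 (IP=0.0.0.0:389)
Jul 25 09:13:40 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="" method=128
Jul 25 09:13:40 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Jul 25 09:13:40 ldap1 slapd[1234]: conn=1002 op=1 SRCH base="ou=People,dc=example,dc=org" scope=2 deref=0 filter="(uid=bob)"
Jul 25 09:13:40 ldap1 slapd[1234]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 25 09:13:40 ldap1 slapd[1234]: conn=1003 fd=14 ACCEPT from IP=10.0.0.22:50012 (IP=0.0.0.0:389)
Jul 25 09:13:40 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="uid=bob,ou=People,dc=example,dc=org" method=128
Jul 25 09:13:40 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
Jul 25 09:13:41 ldap1 slapd[1234]: conn=1003 op=1 BIND dn="uid=bob,ou=People,dc=example,dc=org" method=128
Jul 25 09:13:41 ldap1 slapd[1234]: conn=1003 op=1 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
# tag=97 is the BindResponse; err=0 success, err=49 invalidCredentials
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
SRCH_RE = re.compile(r'conn=\d+ op=\d+ SRCH .*filter="([^"]*)"')
UID_RE = re.compile(r'uid=([^,)]+)', re.IGNORECASE)


def audit_slapd_log(text):
    """Return {uid: {"lookups": n, "binds": [err, ...]}} built from slapd stats lines.

    A BIND is credited to a user only when its RESULT line arrives, so the error code
    of each authentication attempt is recorded. Anonymous binds (dn="") are ignored:
    they authenticate nobody and are normal for the lookup phase of a login.
    """
    pending = {}  # (conn, op) -> DN of a BIND still waiting for its RESULT line
    users = defaultdict(lambda: {"lookups": 0, "binds": []})
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            if dn:
                pending[(conn, op)] = dn
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            dn = pending.pop((conn, op), None)
            if dn:
                u = UID_RE.search(dn)
                if u:
                    users[u.group(1)]["binds"].append(int(err))
            continue
        m = SRCH_RE.search(line)
        if m:
            u = UID_RE.search(m.group(1))
            if u:
                users[u.group(1)]["lookups"] += 1
    return dict(users)


def unauthenticated_logins(users):
    """Users that were looked up by uid but never bound to the server."""
    return sorted(uid for uid, rec in users.items() if rec["lookups"] and not rec["binds"])


if __name__ == "__main__":
    report = audit_slapd_log(SAMPLE_LOG)
    for uid, rec in sorted(report.items()):
        print(f"{uid}: lookups={rec['lookups']} bind results={rec['binds']}")
    print("looked up but never authenticated:", unauthenticated_logins(report))
```

Lookups happen for reasons other than login (group resolution, `id`, Finder browsing), so a single lookup without a bind is not proof of anything; the signal is a user who logs in on a Lion machine during the window and never appears in a BIND line at all. Run it over a window in which you deliberately log in with a wrong password: a correct client produces a `RESULT tag=97 err=49` line, and an affected one produces nothing.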
#2 kgreen (macrumors newbie, joined Jul 2011), Jul 29, 2011, 09:29 AM
Hi Cabbit,

Same exact problem here.
Hope to hear from you soon if anything helped.


Greetings, kgreen
#3 Cabbit (Thread Starter, macrumors 68020, joined Jan 2006, Scotland), Jul 29, 2011, 09:55 AM
No solutions yet, hoping something changes with 10.7.1, it is nice to know someone else is having the same problem.
#4 kgreen (macrumors newbie, joined Jul 2011), Jul 29, 2011, 09:58 AM
Indeed, good to know. Though I had to search hard to find someone having the same issues.
#5 Compulov (macrumors newbie, joined Aug 2011), Aug 2, 2011, 11:34 AM
I hate adding "me toos" to problems with nothing to add, but... "me too". I hadn't had a chance to try this on a Lion Client, but our Mini server was exhibiting this same problem. I wouldn't have even noticed it if I hadn't accidentally mistyped my password and been surprised when it actually worked. Thankfully it was on a server which I was just mucking with, nothing anyone would be logging into in production.
For what it's worth... Lion Server 10.7.0, OpenLDAP server, we're using SSL (self-signed cert with TLS_REQCERT never in /etc/openldap/ldap.conf).

Also, one other thing observed... when I tried to change the password of someone using the bogus credentials (using the passwd command at the cli -- sorry, I'm a unix geek), it eventually fails with an internal error (at least I think that's what it was... I'd need to go back and boot the server up and try it again to know for sure).

I can't say I'm entirely surprised there's an authentication glitch. When we first got Snow Leopard (10.6.0), every time we tried to use SSL with LDAP, it'd cause directoryservices to hang after about 10 minutes (or less). They finally fixed it in like 10.6.1 or 10.6.2.

Has anyone tried reporting this to Apple directly? Since it looks like we're not alone, I think I might try calling them later on.

-Leigh
#6 kgreen (macrumors newbie, joined Jul 2011), Aug 3, 2011, 02:40 AM
Hi Compulov,

I've had this problem with two different Lion clients and another Snow Leopard client. I tend to exclude any client specific issues. The password doesn't seem to be checked for whatever reasons.

Maybe reporting it to Apple might help. Hope you'll keep reporting.
#7 monachus (macrumors newbie, joined Aug 2011), Aug 11, 2011, 03:12 AM
Definite issue

We've delayed a company-wide upgrade to Lion because of this issue. Even though we have Open Directory running now (snark snark), we use OpenLDAP for our datacenter access and for clients. Simply having Lion installed is a security vulnerability, as any user who can access OD settings can connect to the datacenter as any other user. It's a HUGE hole.

Has anyone on this thread actually reported it to Apple?

Adrian
#8 monachus (macrumors newbie, joined Aug 2011), Aug 11, 2011, 03:17 AM
Quote:
Originally Posted by monachus
Has anyone on this thread actually reported it to Apple?
I just reported it via their feedback site as a bug report. In my experience Apple is ominously quiet about these sorts of things until magically fixing them with no real announcement or acknowledgement that they ever existed. I'm obsessively checking for 10.7.1, and it can't possibly come soon enough.
#9 monachus (macrumors newbie, joined Aug 2011), Aug 19, 2011, 06:26 AM
no fix in 10.7.1

This is not resolved in 10.7.1.
#10 bananas (macrumors regular, joined Aug 2007, "at home, where ever."), Aug 19, 2011, 06:27 AM
I'm also having this issue at work. No help from OS X 10.7.1.
We have Linux openLDAP servers and Linux and OS X clients authenticating from it. Snow Leopard and Linuxes are working just fine, but Lion accepts blank passwords after first login.
#11 monachus (macrumors newbie, joined Aug 2011), Aug 19, 2011, 09:52 AM
Quote:
Originally Posted by bananas
Snow Leopard and Linuxes are working just fine, but Lion accepts blank passwords after first login.
Not just blank passwords - any login. I logged in with a username that doesn't exist anywhere, and it took it without hesitation. It complained that the home directory wasn't in the normal place, but I was logged in. The whole thing is terrible.
#12 bananas (macrumors regular, joined Aug 2007, "at home, where ever."), Aug 20, 2011, 12:39 PM
There's at least one discussion thread about the problem going on in apple support forums: https://discussions.apple.com/message/15887083#15887083
#13 till213 (macrumors regular, joined Jul 2011), Aug 24, 2011, 04:16 AM
This is a known issue in Lion. A (German!) article, which also says that by now - finally! - Apple has acknowledged this major ****-up, is here:

http://www.heise.de/mac-and-i/meldun...t-1328609.html

Of course, when a fix for this - ahem! - unimportant non-iToy feature will appear is totally unknown (you would expect to have a security fix within 24 hours, but not from Apple).

----------

Quote:
Originally Posted by till213
... A (german!) article ...
Here is the english version, for the record:

http://www.h-online.com/security/new...P-1328704.html

Cheers
#14 kgreen (macrumors newbie, joined Jul 2011), Aug 26, 2011, 01:52 AM
Thanks for the info. Hope to see that bug fixed as soon as possible.
#15 munkery (macrumors 68020, joined Dec 2006), Aug 31, 2011, 05:07 PM
Quote:
Originally Posted by monachus
We've delayed a company-wide upgrade to Lion because of this issue. Even though we have Open Directory running now (snark snark), we use OpenLDAP for our datacenter access and for clients. Simply having Lion installed is a security vulnerability, as any user who can access OD settings can connect to the datacenter as any other user. It's a HUGE hole.
Quote:
Originally Posted by bananas
I'm also having this issue at work. No help from OS X 10.7.1.
We have Linux openLDAP servers and Linux and OS X clients authenticating from it. Snow Leopard and Linuxes are working just fine, but Lion accepts blank passwords after first login.
The following is a quote from another article about this issue.

Quote:
Bottom line, if you use LDAP for authentication, and you have clients using 10.7 ‘Lion’ then this is a pretty big deal. If that doesn’t describe your setup then you don’t need to worry about this.
http://www.zdnet.com/blog/hardware/b...password/14450

If Lion is the client and this occurs when Lion clients interact with LDAP servers, then the issue lies with the server and not the client.

You don't log into clients; you log into server services using clients.

Fixing whatever issue exists in the Lion client that reveals this issue doesn't eliminate the issue from the LDAP server protocol.

This is a bigger issue than just an issue with Lion.
Last edited by munkery; Aug 31, 2011 at 05:19 PM.
#16 bananas (macrumors regular, joined Aug 2007, "at home, where ever."), Sep 3, 2011, 03:10 PM
Quote:
Originally Posted by munkery
If Lion is the client and this occurs when Lion clients interact with LDAP servers, then the issue lies with the server and not the client.

You don't log into clients; you log into server services using clients.
You're wrong.
This is a Lion issue. Lion as LDAP client accepts anything as a password; it fails to verify the password. You don't get access to any other systems, just the Lion machine that you are logging in to.
#17 munkery (macrumors 68020, joined Dec 2006), Sep 3, 2011, 04:17 PM
Quote:
Originally Posted by bananas
You're wrong.
this is a Lion issue. Lion as LDAP client accepts anything as a password, it fails to verify the password. You don't get access to any other systems, just the Lion machine that you are logging in.
But, the content that you are accessing exists on the server.

There is an issue with how the server verifies the credentials being sent from Lion clients.

Even if this is fixed in Lion, somebody could produce a third-party client to exploit this same issue, due to there being some sort of issue related to the server not properly verifying credentials from some clients.

[Attached image: Screen shot 2011-09-03 at 2.20.58 PM.png]

The interaction of clients and servers in relation to LDAP is no different than any other client/server protocol.
Last edited by munkery; Sep 3, 2011 at 04:24 PM.
#18 bananas (macrumors regular, joined Aug 2007, "at home, where ever."), Sep 4, 2011, 02:29 AM
Quote:
Originally Posted by munkery
Even if this is fixed in Lion, somebody could produce a third party client to exploit this same issue due to there being some sort of issue related to the server not properly verifying credentials from the some clients.
Yes, by guessing a username you could get some information about user accounts: e.g. which groups users belong to, phone numbers and email addresses of users and such. If the LDAP server uses SSL (like it should), you would need the right certificate to do this. The accessibility of the LDAP server is most likely restricted to the known clients in the internal network, so you would also need to find a way to get your computer into the network.
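The client-versus-server argument in posts #15 to #18 comes down to where the authentication decision is made in an LDAP simple bind, so here is the exchange itself, as an added example that is not part of the thread and not Apple's or OpenLDAP's code. It encodes an LDAPv3 BindRequest, lets a fake server check the password and answer with a BindResponse, and shows that the client is authenticated only by a success result code. The directory entry, DN and password are constructed; `lookup_only_login` models the symptom described in the thread (record found, password never presented) and is an assumption about the behaviour, not a description of Apple's implementation.

```python
import hmac

# Constructed directory for the fake server; the DN and password are assumptions.
DIRECTORY = {"uid=alice,ou=People,dc=example,dc=org": b"correct horse"}


# --- minimal BER helpers (definite-length encoding only) ---
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(tag, value):
    # non-negative integers; (bits + 8) // 8 adds a leading 0x00 when the high bit is set
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def parse_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


# --- client side: BindRequest with simple authentication (RFC 4511 section 4.2) ---
def bind_request(msg_id, dn, password):
    # version INTEGER, name LDAPDN, authentication [0] simple OCTET STRING
    op = ber_int(0x02, 3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(0x02, msg_id) + tlv(0x60, op))  # [APPLICATION 0]


# --- server side: BindResponse (RFC 4511 section 4.2.2) ---
def bind_response(msg_id, result_code, diag=""):
    # resultCode ENUMERATED, matchedDN, diagnosticMessage
    op = ber_int(0x0A, result_code) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(0x02, msg_id) + tlv(0x61, op))  # [APPLICATION 1]


def handle_bind(request):
    """The only place the password is checked: the server, on a BindRequest."""
    tag, msg, _ = parse_tlv(request)
    _, id_bytes, p = parse_tlv(msg)
    msg_id = int.from_bytes(id_bytes, "big")
    op_tag, op, _ = parse_tlv(msg, p)
    if tag != 0x30 or op_tag != 0x60:
        return bind_response(msg_id, 2, "protocolError: expected BindRequest")
    _, version, p = parse_tlv(op)
    _, dn, p = parse_tlv(op, p)
    auth_tag, cred, _ = parse_tlv(op, p)
    dn = dn.decode()
    if int.from_bytes(version, "big") != 3:
        return bind_response(msg_id, 2, "protocolError: LDAPv3 only")
    if auth_tag != 0x80:
        return bind_response(msg_id, 7, "authMethodNotSupported")
    if dn == "" and cred == b"":
        return bind_response(msg_id, 0)  # anonymous bind: no identity asserted
    if cred == b"":
        # RFC 4513 5.1.2: a DN with an empty password is an "unauthenticated" bind;
        # a client that treated success here as a login would accept blank passwords.
        return bind_response(msg_id, 53, "unauthenticated bind refused")  # unwillingToPerform
    if hmac.compare_digest(DIRECTORY.get(dn, b""), cred):
        return bind_response(msg_id, 0)
    return bind_response(msg_id, 49)  # invalidCredentials


# --- client decision: only a successful BindResponse authenticates the user ---
def authenticate(dn, password, server=handle_bind, msg_id=1):
    resp = server(bind_request(msg_id, dn, password))
    tag, msg, _ = parse_tlv(resp)
    _, id_bytes, p = parse_tlv(msg)
    op_tag, op, _ = parse_tlv(msg, p)
    if tag != 0x30 or int.from_bytes(id_bytes, "big") != msg_id or op_tag != 0x61:
        return False
    _, code, _ = parse_tlv(op)
    return int.from_bytes(code, "big") == 0


def lookup_only_login(dn, password):
    # Models the symptom in the thread (an assumption, not Apple's code): the user
    # record is found, so the login proceeds; the server never sees the password.
    return dn in DIRECTORY


if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=example,dc=org"
    print("bind, right password :", authenticate(alice, "correct horse"))
    print("bind, wrong password :", authenticate(alice, "wrong"))
    print("bind, blank password :", authenticate(alice, ""))
    print("lookup only, any pw  :", lookup_only_login(alice, "anything"))
```

The server can only reject a BindRequest it receives; a client that never sends one leaves nothing for the server to verify, which is why the fix had to be in the client. The server's own policy still matters for the blank-password edge case: slapd refuses the unauthenticated (DN plus empty password) bind by default, and `allow bind_anon_dn` is the directive that would turn that back on. The self-signed certificate with `TLS_REQCERT never` mentioned in #5 is a separate weakness: it disables server certificate verification, so the bind in this exchange, password included, could be sent to any host answering on the LDAP port; `TLS_CACERT` pointing at the signing certificate with `TLS_REQCERT demand` closes that.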
#19 TammyWal22 (macrumors member, joined Aug 2009), Sep 25, 2011, 03:29 AM
Just like to know if this issue is fixed in the latest Lion update?
#20 munkery (macrumors 68020, joined Dec 2006), Sep 25, 2011, 03:38 AM
Quote:
Originally Posted by TammyWal22
Just like to know if this issue is fixed is the latest lion update?
Release notes suggest that it will be fixed in 10.7.2.

The next update to Lion coming soon.
#21 Clever.Usrname (macrumors newbie, joined Oct 2011), Oct 13, 2011, 12:48 PM
Quote:
Originally Posted by munkery
Release notes suggest that it will be fixed in 10.7.2.

The next update to Lion coming soon.
Does anyone know if this has been addressed in 10.7.2?

Thanks!
#22 munkery (macrumors 68020, joined Dec 2006), Oct 13, 2011, 01:49 PM
Quote:
Originally Posted by Clever.Usrname
Does anyone know if this has been addressed in 10.7.2??

Thanks!
Yup.
#23 jeffstrunk (macrumors newbie, joined Oct 2011), Oct 18, 2011, 08:48 AM
Quote:
Originally Posted by Clever.Usrname
Does anyone know if this has been addressed in 10.7.2??

Thanks!
10.7.2 has a related bug if you are attempting to use simple binds for authentication instead of Kerberos. It now doesn't allow one to log in with any password at all.

I have documented a workaround.

Last edited by jeffstrunk; Oct 19, 2011 at 01:05 PM. Reason: bad url with extra http
#24 bananas (macrumors regular, joined Aug 2007, "at home, where ever."), Nov 2, 2011, 05:30 AM
Quote:
Originally Posted by jeffstrunk
10.7.2 has a related bug if you are attempting to use simple binds for authentication instead of kerberos. It now doesn't allow one to log in with any password at all.

I have documented a workaround.
Thanks, this is really useful.
#25 Adela (macrumors newbie, joined Dec 2011), Dec 26, 2011, 02:00 AM
When the LDAP settings are configured using custom mappings it will not connect to the LDAP server. In Directory Utility, I have configured LDAPv3 with the custom settings that are required to connect to our server. Under the Connection tab the "Re-bind attempted in" value is 120 seconds, and it will stay at 120 seconds despite what you change it to.