Lion and OpenLDAP

Discussion in 'Mac OS X Server, Xserve, and Networking' started by Cabbit, Jul 25, 2011.

  1. Cabbit, Jul 25, 2011
    Last edited: Jul 25, 2011

    macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #1
    Greetings,

    I am having an issue with Lion clients and servers connecting to an OpenLDAP server. The clients are logging in with the username, but the passwords are not being authorised. It's blindly accepting any password.

    Following https://help.apple.com/advancedserveradmin/mac/10.7/#apdAE970666-0053...
    I have no mapping for password or authentication authority. From the logs no bind is taking place except the initial bind.

    There is nothing fancy going on at our end, just that the new minis are running Lion using the same config as we do with Snow Leopard.

    Any help is greatly appreciated.

    Update:
    LDAP authentication issue.

    We have an openldap server, authenticating many users on Windows, Linux, and OSX (Leopard + Snow Leopard).

    Our LDAP mappings are fairly minimal, as we don't include too many apple specific fields.

    However, on Lion, with LDAP configured as on Snow Leopard, user authentication blindly accepts any password, which really isn't what we want!

    User + Group lookup is fine. Just authentication is not happening as expected.

    Client logs don't really show anything specific.

    Server logs suggest that authentication isn't happening.

    We don't use SSL or Kerberos, nor are we able to switch to Apple's Open Directory LDAP implementation.

    Update 2:
    Directory Utility > Directory Editor > Authenticate works as expected. So user records can be edited, given the correct credentials. However, just not at login.
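The original poster's observation ("no bind is taking place except the initial bind") is something you can check on the server side rather than trusting the client. The following is an added example, not from the thread or from any Apple or OpenLDAP tool: it scans constructed slapd `stats`-level log lines and flags any connection that looked up a user by uid and then closed without a BIND as anything other than the assumed service account DN, which means no password was ever presented for that user.

```python
import re
from collections import defaultdict

# Constructed sample of slapd "stats" loglevel output (not from the thread).
# conn=1000: a healthy login - lookup, then a BIND as the user's own DN.
# conn=1001: the pattern described above - only the initial service-account
# bind, then a lookup, then the connection closes with no user bind at all.
SAMPLE_LOG = """\
conn=1000 op=0 BIND dn="cn=proxy,dc=example,dc=com" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=alice)"
conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1000 op=2 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1000 op=2 RESULT tag=97 err=0 text=
conn=1000 fd=12 closed
conn=1001 op=0 BIND dn="cn=proxy,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=bob)"
conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1001 fd=13 closed
"""

SERVICE_DNS = {"cn=proxy,dc=example,dc=com"}  # assumed service/proxy account DN

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH .*filter="\(uid=([^)]+)\)"')
CLOSE_RE = re.compile(r'conn=(\d+) fd=\d+ closed')

def find_unverified_logins(log_text, service_dns=SERVICE_DNS):
    """Return the uids that were looked up on a connection that closed without
    any non-service BIND, i.e. nothing ever presented the user's password."""
    lookups = defaultdict(list)    # conn id -> uids searched on that connection
    user_binds = defaultdict(set)  # conn id -> DNs bound other than service DNs
    flagged = []
    for line in log_text.splitlines():
        if m := BIND_RE.match(line):
            conn, dn = m.groups()
            if dn and dn not in service_dns:   # skip anonymous and service binds
                user_binds[conn].add(dn)
        elif m := SRCH_RE.match(line):
            conn, uid = m.groups()
            lookups[conn].append(uid)
        elif m := CLOSE_RE.match(line):
            conn = m.group(1)
            if lookups[conn] and not user_binds[conn]:
                flagged.extend(lookups[conn])
    return flagged
```

Run it against a real `slapd` log (with `loglevel stats`) and correlate flagged uids with the client's own login records; a login that succeeded without a matching user BIND is the symptom discussed in this thread.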
     
  2. macrumors newbie

    Joined:
    Jul 29, 2011
    #2
    Hi Cabbit,

    same exact problem here.
    Hope to hear from you soon if anything helped.


    Greetings, kgreen
     
  3. thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #3
    No solutions yet, hoping something changes with 10.7.1, it is nice to know someone else is having the same problem.
     
  4. macrumors newbie

    Joined:
    Jul 29, 2011
    #4
    Indeed, good to know. Though I had to search hard to find someone having the same issues.
     
  5. macrumors newbie

    Joined:
    Aug 2, 2011
    #5
    I hate adding "me toos" to problems with nothing to add, but... "me too". I hadn't had a chance to try this on a Lion Client, but our Mini server was exhibiting this same problem. I wouldn't have even noticed it if I hadn't accidentally mistyped my password and been surprised when it actually worked. Thankfully it was on a server which I was just mucking with, nothing anyone would be logging into in production.
    For what it's worth... Lion Server 10.7.0, OpenLDAP server, we're using SSL (self-signed cert with TLS_REQCERT never in /etc/openldap/ldap.conf).

    Also, one other thing observed... when I tried to change the password of someone using the bogus credentials (using the passwd command at the cli -- sorry, I'm a unix geek), it eventually fails with an internal error (at least I think that's what it was... I'd need to go back and boot the server up and try it again to know for sure).

    I can't say I'm entirely surprised there's an authentication glitch. When we first got Snow Leopard (10.6.0), every time we tried to use SSL with LDAP, it'd cause directoryservices to hang after about 10 minutes (or less). They finally fixed it in like 10.6.1 or 10.6.2.

    Has anyone tried reporting this to Apple directly? Since it looks like we're not alone, I think I might try calling them later on.

    -Leigh
     
  6. macrumors newbie

    Joined:
    Jul 29, 2011
    #6
    Hi Compulov,

    I've had this problem with two different Lion clients and another Snow Leopard client. I tend to exclude any client specific issues. The password doesn't seem to be checked for whatever reasons.

    Maybe reporting it to Apple might help. Hope you'll keep reporting.
     
  7. macrumors newbie

    Joined:
    Aug 11, 2011
    #7
    Definite issue

    We've delayed a company-wide upgrade to Lion because of this issue. Even though we have Open Directory running now (snark snark), we use OpenLDAP for our datacenter access and for clients. Simply having Lion installed is a security vulnerability, as any user who can access OD settings can connect to the datacenter as any other user. It's a HUGE hole.

    Has anyone on this thread actually reported it to Apple?

    Adrian
     
  8. macrumors newbie

    Joined:
    Aug 11, 2011
    #8
    I just reported it via their feedback site as a bug report. In my experience Apple is ominously quiet about these sorts of things until magically fixing them with no real announcement or acknowledgement that they ever existed. I'm obsessively checking for 10.7.1, and it can't possibly come soon enough.
     
  9. macrumors newbie

    Joined:
    Aug 11, 2011
    #9
    no fix in 10.7.1

    This is not resolved in 10.7.1.
     
  10. macrumors 6502

    bananas

    Joined:
    Aug 1, 2007
    #10
    I'm also having this issue at work. No help from OS X 10.7.1.
    We have Linux OpenLDAP servers and Linux and OS X clients authenticating against them. Snow Leopard and the Linuxes are working just fine, but Lion accepts blank passwords after the first login.
     
  11. macrumors newbie

    Joined:
    Aug 11, 2011
    #11
    Not just blank passwords - any login. I logged in with a username that doesn't exist anywhere, and it took it without hesitation. It complained that the home directory wasn't in the normal place, but I was logged in. The whole thing is terrible.
     
  13. macrumors 6502

    Joined:
    Jul 1, 2011
    #13
    This is a known issue in Lion. A (German!) article, which also says that by now - finally! - Apple has acknowledged this major ****up, is here:

    http://www.heise.de/mac-and-i/meldu...Authentifizierung-via-LDAP-nicht-1328609.html

    Of course, when a fix for this - ahem! - unimportant non-iToy feature will appear is totally unknown (you would expect to have a security fix within 24 hours, but not from Apple).

    ----------

    Here is the English version, for the record:

    http://www.h-online.com/security/ne...rds-when-authenticating-via-LDAP-1328704.html

    Cheers
     
  14. macrumors newbie

    Joined:
    Jul 29, 2011
    #14
    Thanks for the info. Hope to see that bug fixed as soon as possible.
     
  15. munkery, Aug 31, 2011
    Last edited: Aug 31, 2011

    macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #15
    The following is a quote from another article about this issue.

    http://www.zdnet.com/blog/hardware/bug-allows-mac-os-x-lion-clients-to-use-any-ldap-password/14450

    If Lion is the client and this occurs when Lion clients interact with LDAP servers, then the issue lies with the server and not the client.

    You don't log into clients; you log into server services using clients.

    Fixing whatever issue exists in the Lion client that reveals this issue doesn't eliminate the issue from the LDAP server protocol.

    This is a bigger issue than just an issue with Lion.
     
  16. macrumors 6502

    bananas

    Joined:
    Aug 1, 2007
    #16
    You're wrong.
    This is a Lion issue. Lion as an LDAP client accepts anything as a password; it fails to verify the password. You don't get access to any other systems, just the Lion machine that you are logging in to.
     
  17. munkery, Sep 3, 2011
    Last edited: Sep 3, 2011

    macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #17
    But, the content that you are accessing exists on the server.

    There is an issue with how the server verifies the credentials being sent from Lion clients.

    Even if this is fixed in Lion, somebody could produce a third-party client to exploit this same issue, due to there being some sort of issue related to the server not properly verifying credentials from some clients.


    The interaction of clients and servers in relation to LDAP is no different than any other client/server protocol.
     
  18. macrumors 6502

    bananas

    Joined:
    Aug 1, 2007
    #18
    Yes, by guessing a username you could get some information about user accounts: e.g. which groups users belong to, phone numbers and email addresses of users and such. If the LDAP server uses SSL (like it should), you would need the right certificate to do this. Access to the LDAP server is most likely restricted to the known clients on the internal network, so you would also need to find a way to get your computer into the network.
     
  19. macrumors member

    Joined:
    Aug 5, 2009
    #19
    Just like to know if this issue is fixed in the latest Lion update? :confused:
     
  20. macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #20
    Release notes suggest that it will be fixed in 10.7.2.

    The next update to Lion coming soon.
     
  21. macrumors newbie

    Joined:
    Oct 13, 2011
    #21
    Does anyone know if this has been addressed in 10.7.2??

    Thanks!
     
  22. macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #22
    Yup.
     
  23. jeffstrunk, Oct 18, 2011
    Last edited: Oct 19, 2011

    macrumors newbie

    Joined:
    Oct 18, 2011
    #23
    10.7.2 has a related bug if you are attempting to use simple binds for authentication instead of Kerberos. It now doesn't allow one to log in with any password at all.

    I have documented a workaround.
     
  24. macrumors 6502

    bananas

    Joined:
    Aug 1, 2007
    #24
    Thanks, this is really useful.
     
  25. macrumors newbie

    Joined:
    Dec 25, 2011
    #25
    When the LDAP settings are configured using custom mappings, it will not connect to the LDAP server. In Directory Utility, I have configured LDAPv3 with the custom settings that are required to connect to our server. Under the Connection tab, the re-bind is attempted in 120 seconds, and it will stay at 120 seconds despite what you change it to.
     