
Cabbit (macrumors 68020, Original poster, Jan 30, 2006, Scotland)
Greetings,

I am having an issue with Lion clients and servers connecting to an OpenLDAP server. The clients are logging in with the username, but the passwords are not being authorised. It's blindly accepting any password.

Following https://help.apple.com/advancedserveradmin/mac/10.7/#apdAE970666-0053...
I have no mapping for password or authentication authority. From the logs, no bind is taking place except the initial bind.

There is nothing fancy going on at our end, just that the new minis are running Lion using the same config as we do with Snow Leopard.

Any help is greatly appreciated.

Update:
LDAP authentication issue.

We have an openldap server, authenticating many users on Windows, Linux, and OSX (Leopard + Snow Leopard).

Our LDAP mappings are fairly minimal, as we don't include too many apple specific fields.

However, on Lion, with LDAP configured as on Snow Leopard, user authentication blindly accepts any password, which really isn't what we want!

User + Group lookup is fine. Just authentication is not happening as expected.

Client logs don't really show anything specific.

Server logs suggest that authentication isn't happening.

We don't use SSL or Kerberos, nor are we able to switch to Apple's Open Directory LDAP implementation.

Update 2:
Directory Utility > Directory Editor > Authenticate works as expected. So user records can be edited, given the correct credentials. However, just not at login.

kgreen (macrumors newbie, Jul 29, 2011)
Hi Cabbit,

Same exact problem here.
Hope to hear from you soon if anything helped.


Greetings, kgreen

Cabbit (macrumors 68020, Original poster, Jan 30, 2006, Scotland)
No solutions yet, hoping something changes with 10.7.1. It is nice to know someone else is having the same problem.

kgreen (macrumors newbie, Jul 29, 2011)
Indeed, good to know. Though I had to search hard to find someone having the same issues.

Compulov (macrumors newbie, Aug 2, 2011)
I hate adding "me toos" to problems with nothing to add, but... "me too". I hadn't had a chance to try this on a Lion Client, but our Mini server was exhibiting this same problem. I wouldn't have even noticed it if I hadn't accidentally mistyped my password and been surprised when it actually worked. Thankfully it was on a server which I was just mucking with, nothing anyone would be logging into in production.
For what it's worth... Lion Server 10.7.0, OpenLDAP server, we're using SSL (self-signed cert with TLS_REQCERT never in /etc/openldap/ldap.conf).

Also, one other thing observed... when I tried to change the password of someone using the bogus credentials (using the passwd command at the CLI -- sorry, I'm a unix geek), it eventually fails with an internal error (at least I think that's what it was... I'd need to go back and boot the server up and try it again to know for sure).

I can't say I'm entirely surprised there's an authentication glitch. When we first got Snow Leopard (10.6.0), every time we tried to use SSL with LDAP, it'd cause directoryservices to hang after about 10 minutes (or less). They finally fixed it in like 10.6.1 or 10.6.2.

Has anyone tried reporting this to Apple directly? Since it looks like we're not alone, I think I might try calling them later on.

-Leigh

kgreen (macrumors newbie, Jul 29, 2011)
Hi Compulov,

I've had this problem with two different Lion clients and another Snow Leopard client. I tend to exclude any client-specific issues. The password doesn't seem to be checked, for whatever reason.

Maybe reporting it to Apple might help. Hope you'll keep reporting.

monachus (macrumors newbie, Aug 11, 2011)
Definite issue

We've delayed a company-wide upgrade to Lion because of this issue. Even though we have Open Directory running now (snark snark), we use OpenLDAP for our datacenter access and for clients. Simply having Lion installed is a security vulnerability, as any user who can access OD settings can connect to the datacenter as any other user. It's a HUGE hole.

Has anyone on this thread actually reported it to Apple?

Adrian

monachus (macrumors newbie, Aug 11, 2011)
> Has anyone on this thread actually reported it to Apple?

I just reported it via their feedback site as a bug report. In my experience Apple is ominously quiet about these sorts of things until magically fixing them with no real announcement or acknowledgement that they ever existed. I'm obsessively checking for 10.7.1, and it can't possibly come soon enough.

bananas (macrumors 6502, Aug 1, 2007)
I'm also having this issue at work. No help from OS X 10.7.1.
We have Linux OpenLDAP servers and Linux and OS X clients authenticating against them. Snow Leopard and Linuxes are working just fine, but Lion accepts blank passwords after first login.

monachus (macrumors newbie, Aug 11, 2011)
> Snow Leopard and Linuxes are working just fine, but Lion accepts blank passwords after first login.

Not just blank passwords - any login. I logged in with a username that doesn't exist anywhere, and it took it without hesitation. It complained that the home directory wasn't in the normal place, but I was logged in. The whole thing is terrible.

till213 (Suspended, Jul 1, 2011)
This is a known issue in Lion. A (German!) article, which also says that by now - finally! - Apple has acknowledged this major ****up, is here:

http://www.heise.de/mac-and-i/meldu...Authentifizierung-via-LDAP-nicht-1328609.html

Of course, when a fix for this - ahem! - unimportant non-iToy feature will appear is totally unknown (you would expect to have a security fix within 24 hours, but not from Apple).

----------

> ... A (German!) article ...

Here is the English version, for the record:

http://www.h-online.com/security/ne...rds-when-authenticating-via-LDAP-1328704.html

Cheers

munkery (macrumors 68020, Dec 18, 2006)
> We've delayed a company-wide upgrade to Lion because of this issue. Even though we have Open Directory running now (snark snark), we use OpenLDAP for our datacenter access and for clients. Simply having Lion installed is a security vulnerability, as any user who can access OD settings can connect to the datacenter as any other user. It's a HUGE hole.

> I'm also having this issue at work. No help from OS X 10.7.1.
> We have Linux OpenLDAP servers and Linux and OS X clients authenticating against them. Snow Leopard and Linuxes are working just fine, but Lion accepts blank passwords after first login.

The following is a quote from another article about this issue.

Bottom line, if you use LDAP for authentication, and you have clients using 10.7 ‘Lion’ then this is a pretty big deal. If that doesn’t describe your setup then you don’t need to worry about this.

http://www.zdnet.com/blog/hardware/bug-allows-mac-os-x-lion-clients-to-use-any-ldap-password/14450

If Lion is the client and this occurs when Lion clients interact with LDAP servers, then the issue lies with the server and not the client.

You don't log into clients; you log into server services using clients.

Fixing whatever issue exists in the Lion client that reveals this issue doesn't eliminate the issue from the LDAP server protocol.

This is a bigger issue than just an issue with Lion.

bananas (macrumors 6502, Aug 1, 2007)
> If Lion is the client and this occurs when Lion clients interact with LDAP servers, then the issue lies with the server and not the client.
>
> You don't log into clients; you log into server services using clients.

You're wrong.
This is a Lion issue. Lion as an LDAP client accepts anything as a password; it fails to verify the password. You don't get access to any other systems, just the Lion machine that you are logging in to.

munkery (macrumors 68020, Dec 18, 2006)
> You're wrong.
> This is a Lion issue. Lion as an LDAP client accepts anything as a password; it fails to verify the password. You don't get access to any other systems, just the Lion machine that you are logging in to.

But the content that you are accessing exists on the server.

There is an issue with how the server verifies the credentials being sent from Lion clients.

Even if this is fixed in Lion, somebody could produce a third-party client to exploit this same issue, due to there being some sort of issue related to the server not properly verifying credentials from some clients.


The interaction of clients and servers in relation to LDAP is no different than any other client/server protocol.

bananas (macrumors 6502, Aug 1, 2007)
> Even if this is fixed in Lion, somebody could produce a third-party client to exploit this same issue, due to there being some sort of issue related to the server not properly verifying credentials from some clients.

Yes, by guessing a username you could get some information about user accounts: e.g. which groups users belong to, phone numbers and email addresses of users and such. If the LDAP server uses SSL (like it should), you would need the right certificate to do this. The accessibility of the LDAP server is most likely restricted to the known clients on the internal network, so you would also need to find a way to get your computer onto the network.
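
The disagreement above (whether the server or the Lion client is failing to verify the password) can be settled by watching what the server does with a simple bind it actually receives, which is the step the OP's logs show Lion never sending beyond the initial bind. The script below is an added example, not code from the thread: it hand-encodes one LDAPv3 simple BindRequest, sends it to an OpenLDAP server over plain LDAP on port 389 (no TLS, as in the OP's setup) and decodes the server's resultCode; the host, bind DN and password are placeholders you supply.

```python
import socket


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    msg_id must be 0..127 so the INTEGER fits in one positive octet."""
    bind = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))


def read_tlv(buf, pos):
    """Decode the element at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N octets hold the length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(resp, 0)        # ENUMERATED resultCode
    _, _, pos = read_tlv(resp, pos)         # matchedDN (ignored here)
    _, diag, _ = read_tlv(resp, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()


def check_bind(host, dn, password, port=389, timeout=5):
    """Send one simple bind; return (resultCode, diagnosticMessage): 0 = success,
    49 = invalidCredentials. The password travels in the clear: trusted link only."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_bind_request(1, dn, password))
        data = s.recv(4096)
    _, code, diag = parse_bind_response(data)
    return code, diag
```

Call `check_bind` once with the correct password and once with a wrong one: a server that answers 0 and 49 respectively is verifying simple binds, so the fault lies with a client that never sends the bind.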

jeffstrunk (macrumors newbie, Oct 18, 2011)
Does anyone know if this has been addressed in 10.7.2??

Thanks!

10.7.2 has a related bug if you are attempting to use simple binds for authentication instead of Kerberos. It now doesn't allow one to log in with any password at all.

I have documented a workaround.

Adela (macrumors newbie, Dec 25, 2011)
When the LDAP settings are configured using custom mappings, it will not connect to the LDAP server. In Directory Utility, I have configured LDAPv3 with the custom settings that are required to connect to our server. Under the Connection tab, the re-bind is attempted in 120 seconds and it will stay at 120 seconds despite what you change it to.