If you’ve upgraded to Mac OS X 10.7 (Lion) from Mac OS X 10.6.x (Snow Leopard), and you’re managing a network that uses OpenLDAP for authentication, you may have found that you can no longer authenticate using OpenLDAP from Mac OS X Lion. Today I’ll be showing you a quick solution to this problem as well as a very brief explanation about why this solution might work for you too.
The OpenLDAP server, which is used to authenticate clients on a network, advertises various methods of authentication known as SASL (Simple Authentication and Security Layer) mechanisms. Some of these advertised mechanisms of authentication are CRAM-MD5, NTLM, DIGEST-MD5, and GSSAPI. Commonly, Macs authenticate using a different method, called Simple Bind. They attempt to use an encrypted authentication process by communicating with OpenLDAP over an SSL/TLS connection. Prior to Mac OS X 10.7 (Lion), a Mac would simply connect via SSL/TLS and be answered by the OpenLDAP server; if the username and password combination was correct, it would start the login process and let you access your desktop.
All this changed with the release of Mac OS X Lion. Mac OS X Lion will attempt to connect to OpenLDAP via the aforementioned SASL mechanisms, and if the OpenLDAP server doesn’t accept these methods of authentication, Lion will not fail gracefully to Simple Bind. Instead, Mac OS X Lion will stop attempting to authenticate and it will reject a correct login as though it is incorrect.
The following three commands fix this problem by modifying /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist so that LDAP authentication requests will not attempt to use the aforementioned SASL mechanisms. The exact path on your workstation may differ slightly. Modify these commands as needed so that they include the path to your LDAP configuration plist. You’ll know you’re looking at the right file to run these commands against if it contains the Denied SASL Methods array.
sudo su
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string CRAM-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string NTLM" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string GSSAPI" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
After running these commands, restart the Mac, and OpenLDAP authentication should work!
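The same change, written as an added example rather than the post's own commands: a small Python script that uses the standard-library plistlib to open the LDAPv3 configuration plist, confirm the Denied SASL Methods array is present (the post's test for having the right file), and append CRAM-MD5, NTLM and GSSAPI only if they are not already listed, so running it twice does not produce duplicate entries. The dictionary layout (module options -> ldap -> Denied SASL Methods) is assumed from the PlistBuddy key path the post uses; the embedded sample plist is constructed for the demonstration and is not a real configuration file.

```python
import plistlib
import sys
from pathlib import Path

# Mechanisms the post denies with PlistBuddy. DIGEST-MD5 is discussed in the
# post but not denied there, so it is deliberately left out here as well.
DENIED_SASL_METHODS = ("CRAM-MD5", "NTLM", "GSSAPI")

# Path from the post; the real file name depends on your LDAP server name.
DEFAULT_PLIST = "/Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist"

# Constructed minimal plist mirroring the key path
# ':module options:ldap:Denied SASL Methods:' (assumed layout, not a real file).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>module options</key>
  <dict>
    <key>ldap</key>
    <dict>
      <key>Denied SASL Methods</key>
      <array/>
    </dict>
  </dict>
</dict>
</plist>
"""


def load_sample() -> dict:
    """Parse the constructed sample plist into a plain Python dict."""
    return plistlib.loads(SAMPLE_PLIST)


def deny_sasl_methods(config: dict, methods=DENIED_SASL_METHODS) -> list:
    """Append each method to the Denied SASL Methods array, skipping any that
    are already present. Returns the list of methods actually added.

    Raises KeyError when the array is missing, which is the post's sign that
    this is not the LDAPv3 configuration plist you want to edit."""
    try:
        denied = config["module options"]["ldap"]["Denied SASL Methods"]
    except (KeyError, TypeError):
        raise KeyError("no 'Denied SASL Methods' array found; "
                       "this is probably not the LDAPv3 configuration plist")
    if not isinstance(denied, list):
        raise TypeError("'Denied SASL Methods' is not an array")
    added = []
    for method in methods:
        if method not in denied:
            denied.append(method)
            added.append(method)
    return added


def patch_plist_file(path: str, methods=DENIED_SASL_METHODS) -> list:
    """Read a plist from disk, deny the mechanisms, and write it back only if
    something changed. Returns the list of methods added."""
    plist_path = Path(path)
    with plist_path.open("rb") as fh:
        config = plistlib.load(fh)
    added = deny_sasl_methods(config, methods)
    if added:
        with plist_path.open("wb") as fh:
            plistlib.dump(config, fh)
    return added


if __name__ == "__main__":
    # Needs root for the real file, just like the PlistBuddy commands above.
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PLIST
    print("added:", patch_plist_file(target) or "nothing (already denied)")
```

Run it as root with the path to your own LDAPv3 plist, then restart as the post says; a second run reports nothing to add, and pointing it at a file without the Denied SASL Methods array fails with a clear error instead of silently creating the key somewhere PlistBuddy would not have.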
9 comments: On Fixing OpenLDAP Authentication on OS X Lion
Hey Thanks, this worked under Mountain Lion, too.
Thanks! I hate how Apple screws with openldap authentication every release or two.
That makes at least two of us.
Thanks a ton – this helped fix a problem I was having with getting my macs to authenticate with a openldap server on Ubuntu. Hope you don’t mind if I put a link to this entry on another site. Thanks again!
I don’t mind at all! Just be sure to link back to here!
Pingback: OpenLDAP with Solaris and OS X and NFS Home Directories | TechSensei's Blog
Thanks, that helped same problem I had authenticating OSX 10.8 to RHEL5 openldap 2.4.
I’m glad to have helped!
Checked today on mac OSX yosemite and it was it! Disabling SASL is required in order to have LDAP authentication working.
thank you,