If you’ve upgraded to Mac OS X 10.7 (Lion) from Mac OS X 10.6.x (Snow Leopard), and you’re managing a network that uses OpenLDAP for authentication, you may have found that you can no longer authenticate using OpenLDAP from Mac OS X Lion. Today I’ll be showing you a quick solution to this problem as well as a very brief explanation about why this solution might work for you too.

The OpenLDAP server, which is used to authenticate clients on a network advertises various methods of authentication known as SASL (Simple Authentication and Security Layer) mechanisms. Some of these advertised mechanisms of authentication are CRAM-MD5, NTLM, DIGEST-MD5, and GSSAPI. Commonly, Macs authenticate using a different method, called Simple Bind. They attempt to use an encrypted authentication process by communicating with OpenLDAP over an SSL/TLS connection. Prior to Mac OS X 10.7 (Lion), a Mac would simply connect via SSL/TLS, it would be answered by the OpenLDAP server, and if the username and password combination is correct, it would start the login process and let you access your desktop.

All this changed with the release of Mac OS X Lion. Mac OS X Lion will attempt to connect to OpenLDAP via the aforementioned SASL mechanisms, and if the OpenLDAP server doesn’t accept these methods of authentication, Lion will not fail gracefully to Simple Bind. Instead, Mac OS X Lion will stop attempting to authenticate and it will reject a correct login as though it is incorrect.

The following three commands fix this problem by modifying /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver so that LDAP authentication requests will not attempt to use the aforementioned SASL mechanisms. The exact path on your workstation may differ slightly. Modify these commands as needed so that they include the path to your LDAP configuration plist. You’ll know you’re looking at the right file to run these commands against if it contains the Denied SASL Methods array.

sudo su 
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string CRAM-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string NTLM" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string GSSAPI" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist

After running these commands, restart the Mac, and OpenLDAP authentication should work!