Fixing OpenLDAP Authentication on OS X Lion

If you’ve upgraded to Mac OS X 10.7 (Lion) from Mac OS X 10.6.x (Snow Leopard), and you’re managing a network that uses OpenLDAP for authentication, you may have found that you can no longer authenticate using OpenLDAP from Mac OS X Lion. Today I’ll be showing you a quick solution to this problem as well as a very brief explanation about why this solution might work for you too.

The OpenLDAP server, which is used to authenticate clients on a network, advertises various authentication methods known as SASL (Simple Authentication and Security Layer) mechanisms. Among the advertised mechanisms are CRAM-MD5, NTLM, DIGEST-MD5, and GSSAPI. Commonly, Macs authenticate using a different method, called Simple Bind, and they protect that exchange by communicating with OpenLDAP over an SSL/TLS connection. Prior to Mac OS X 10.7 (Lion), a Mac would simply connect via SSL/TLS, be answered by the OpenLDAP server, and, if the username and password combination was correct, start the login process and let you access your desktop.

All this changed with the release of Mac OS X Lion. Mac OS X Lion will attempt to connect to OpenLDAP via the aforementioned SASL mechanisms, and if the OpenLDAP server doesn’t accept these methods of authentication, Lion will not fall back gracefully to Simple Bind. Instead, Mac OS X Lion will stop attempting to authenticate and will reject a correct login as though it were incorrect.

The following three commands fix this problem by modifying /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist so that LDAP authentication requests will not attempt to use the aforementioned SASL mechanisms. The exact path on your workstation may differ slightly. Modify these commands as needed so that they include the path to your LDAP configuration plist. You’ll know you’re looking at the right file to run these commands against if it contains the Denied SASL Methods array.

# become root; the plist under /Library/Preferences is not writable by ordinary users
sudo su
# append each SASL mechanism to the "Denied SASL Methods" array of the LDAPv3 configuration
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string CRAM-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string NTLM" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string GSSAPI" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist

After running these commands, restart the Mac, and OpenLDAP authentication should work!
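The commands above append blindly, so running them twice leaves duplicate entries in the array. The script below is an added example (not part of the original post) that does the same change idempotently: it checks that the plist actually has a Denied SASL Methods array, reads the current entries with PlistBuddy's Print command (whose "Array { ... }" output format is assumed from the tool's usual behaviour), and only adds the mechanisms that are still missing. The plist path is the hypothetical one from the post; pass your own as the first argument. Since denying these mechanisms pushes the Mac to Simple Bind, which hands the password to the server, keep the LDAP connection on SSL/TLS as the post's setup does.

```shell
#!/bin/sh
# Added example: idempotently deny SASL mechanisms in an OpenDirectory LDAPv3 plist.
# Usage: sudo ./deny-sasl.sh [/path/to/yourldapserver.plist]
PLIST="${1:-/Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist}"  # hypothetical path
DENY_KEY=":module options:ldap:Denied SASL Methods"
WANTED="CRAM-MD5 NTLM GSSAPI"   # mechanisms the post denies

# parse_denied OUTPUT: turn PlistBuddy's array dump (assumed format below)
#   Array {
#       CRAM-MD5
#   }
# into one mechanism per line with no braces or indentation.
parse_denied() {
  printf '%s\n' "$1" | sed -e '/^Array {$/d' -e '/^}$/d' -e 's/^[[:space:]]*//' -e '/^$/d'
}

# missing_mechs CURRENT WANTED...: print each wanted mechanism that is not
# already an exact line of CURRENT (the parsed current deny list).
missing_mechs() {
  current="$1"; shift
  for m in "$@"; do
    if ! printf '%s\n' "$current" | grep -qx -- "$m"; then
      printf '%s\n' "$m"
    fi
  done
}

# Only touch the system when PlistBuddy and the plist exist (so the helper
# functions above can also be exercised on a machine without them).
if [ -x /usr/libexec/PlistBuddy ] && [ -f "$PLIST" ]; then
  # Print fails when the key is absent, which means this is not the right file.
  if ! raw=$(/usr/libexec/PlistBuddy -c "Print '$DENY_KEY:'" "$PLIST" 2>/dev/null); then
    echo "$PLIST has no Denied SASL Methods array; check the path" >&2
    exit 1
  fi
  current=$(parse_denied "$raw")
  # shellcheck disable=SC2086  # WANTED is intentionally word-split
  for m in $(missing_mechs "$current" $WANTED); do
    /usr/libexec/PlistBuddy -c "add '$DENY_KEY:' string $m" "$PLIST"
    echo "denied $m"
  done
  echo "done; restart the Mac so the new configuration is picked up"
fi
```

The helper functions are plain POSIX shell, so they can be checked with constructed PlistBuddy output before the script is run as root on a workstation.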
9 responses to “Fixing OpenLDAP Authentication on OS X Lion”

  1. Robert

    Hey Thanks, this worked under Mountain Lion, too.

  2. Chris Hiestand

    Thanks! I hate how Apple screws with openldap authentication every release or two.

    1. Michael Smalley

      That makes at least two of us. 🙂

  3. Benjamin

    Thanks a ton – this helped fix a problem I was having with getting my Macs to authenticate with an OpenLDAP server on Ubuntu. Hope you don’t mind if I put a link to this entry on another site. Thanks again!

    1. Michael Smalley

      I don’t mind at all! Just be sure to link back to here!

  4. […] thanks to Fixing OpenLDAP Authentication on OS X Lion | smalley creative blog I got OS X Mountain Lion to also work with the same LDAP server.  I used the RFC2307 (Unix) LDAP […]

  5. Derek

    Thanks, that helped with the same problem I had authenticating OS X 10.8 to RHEL5 OpenLDAP 2.4.

    1. Michael Smalley

      I’m glad to have helped!

  6. Francesco

    Checked today on Mac OS X Yosemite and it was it! Disabling SASL is required in order to have LDAP authentication working.

    Thank you,