Lion and OpenLDAP

[Cabbit]

Greetings,

I am having a issue with Lion Clients and Severs connecting to a OpenLDAP server. The clients are logging in with the username but the passwords are not being authorised. Its blindly accepting any password.

Following https://help.apple.com/advancedserveradmin/mac/10.7/#apdAE970666-0053...
I have no mapping for password or authentication authority. From the logs no bind is taking place except the initial bind.

There is nothing fancy going on our end, just that the new mini's are running Lion using the same config as we do with Snow Leopard.

Any help is greatly appreciated.

Update:
LDAP authentication issue.

We have an openldap server, authenticating many users on Windows, Linux, and OSX (Leopard + Snow Leopard).

Our LDAP mappings are fairly minimal, as we don't include too many apple specific fields.

However, on Lion, with LDAP configured as on Snow Leopard, user authentication blindly accepts any password. Which really isn't want we want!

User + Group lookup is fine. Just authentication is not happening as expected.

Client logs don't really show anything specific.

Server logs suggest that authentication isn't happening.

We don't use SSL or Kerberos, nor are we able to switch to Apple's Open Directory LDAP implementation.

Update 2:
Directory Utility > Directory Editor > Authenticate works as expected. So user records can be edited, given the correct credentials. However, just not at login

 

[kgreen]

Hi Cabbit,

same exact problem here.
Hope to hear from you soon if anything helped.


Greetings, kgreen

 

[Cabbit]

No solutions yet, hoping something changes with 10.7.1, it is nice to know someone else is having the same problem.

 

[kgreen]

Indeed, good to know. Though I had to search hard to find someone having the same issues.

 

[Compulov]

I hate adding "me toos" to problems with nothing to add, but... "me too". I hadn't had a chance to try this on a Lion Client, but our Mini server was exhibiting this same problem. I wouldn't have even noticed it if I hadn't accidentally mistyped my password and been surprised when it actually worked. Thankfully it was on a server which I was just mucking with, nothing anyone would be logging into in production.
For what it's worth... Lion Server 10.7.0, OpenLDAP server, we're using SSL (self-signed cert with TLS_REQCERT never in /etc/openldap/ldap.conf).

Also, one other thing observed... when I tried to change the password of someone using the bogus credentials (using the passwd command at the cli -- sorry, I'm a unix geek), it eventually fails with an internal error (at least I think that's what it was... I'd need to go back and boot the server up and try it again to know for sure).

I can't say I'm entirely surprised there's an authentication glitch. When we first got Snow Leopard (10.6.0), every time we tried to use SSL with LDAP, it'd cause directoryservices to hang after about 10 minutes (or less). They finally fixed it in like 10.6.1 or 10.6.2.

Has anyone tried reporting this to Apple directly? Since it looks like we're not alone, I think I might try calling them later on.

-Leigh

 

[kgreen]

Hi Compulov,

I've had this problem with two different Lion clients and another Snow Leopard client. I tend to exclude any client specific issues. The password doesn't seem to be checked for whatever reasons.

Maybe reporting it to Apple might help. Hope you'll keep reporting.

 

[monachus]

Definite issue

We've delayed a company-wide upgrade to Lion because of this issue. Even though we have Open Directory running now (snark snark), we use OpenLDAP for our datacenter access and for clients. Simply having Lion installed is a security vulnerability, as any user who can access OD settings can connect to the datacenter as any other user. It's a HUGE hole.

Has anyone on this thread actually reported it to Apple?

Adrian

 

[monachus]

Has anyone on this thread actually reported it to Apple?

I just reported it via their feedback site as a bug report. In my experience Apple is ominously quiet about these sorts of things until magically fixing them with no real announcement or acknowledgement that they ever existed. I'm obsessively checking for 10.7.1, and it can't possibly come soon enough.

 

[monachus]

no fix in 10.7.1

This is not resolved in 10.7.1.

 

[bananas]

I'm also having this issue at work. No help from OS X 10.7.1.
We have Linux openLDAP servers and Linux and OS X clients authenticating from it. Snow Leopard and Linuxes are working just fine, but Lion accepts blank passwords after first login.

 

[monachus]

Snow Leopard and Linuxes are working just fine, but Lion accepts blank passwords after first login.

Not just blank passwords - any login. I logged in with a username that doesn't exist anywhere, and it took it without hesitation. It complained that the home directory wasn't in the normal place, but I was logged in. The whole thing is terrible.

 

[bananas]

There's at least one discussion thread about the problem going on in apple support forums: https://discussions.apple.com/message/15887083#15887083

 

[till213]

This is a known issue in Lion: A (german!) article which also tells that by now - finally! - Apple has acknowledged this major ****up is here:

http://www.heise.de/mac-and-i/meldu...Authentifizierung-via-LDAP-nicht-1328609.html

Off course when a fix for this - ahem! - unimportant non-iToy-feature will appear is totally unknown (you would expect to have a security fix within 24 hours, but not from Apple).

----------

... A (german!) article ...

Here is the english version, for the record:

http://www.h-online.com/security/ne...rds-when-authenticating-via-LDAP-1328704.html

Cheers

 

[kgreen]

Thanks for the info. Hope to see that bug fixed as soon as possible.

 

[munkery]

We've delayed a company-wide upgrade to Lion because of this issue. Even though we have Open Directory running now (snark snark), we use OpenLDAP for our datacenter access and for clients. Simply having Lion installed is a security vulnerability, as any user who can access OD settings can connect to the datacenter as any other user. It's a HUGE hole.

I'm also having this issue at work. No help from OS X 10.7.1.
We have Linux openLDAP servers and Linux and OS X clients authenticating from it. Snow Leopard and Linuxes are working just fine, but Lion accepts blank passwords after first login.

The following is a quote from another article about this issue.

Bottom line, if you use LDAP for authentication, and you have clients using 10.7 ‘Lion’ then this is a pretty big deal. If that doesn’t describe your setup then you don’t need to worry about this.

http://www.zdnet.com/blog/hardware/bug-allows-mac-os-x-lion-clients-to-use-any-ldap-password/14450

If Lion is the client and this occurs when Lion clients interact with LDAP servers, then the issue lies with the server and not the client.

You don't log into clients; you log into server services using clients.

Fixing whatever issue exists in the Lion client that reveals this issue doesn't eliminate the issue from the LDAP server protocol.

This is a bigger issue than just an issue with Lion.

 

[bananas]

If Lion is the client and this occurs when Lion clients interact with LDAP servers, then the issue lies with the server and not the client.

You don't log into clients; you log into server services using clients.

You're wrong.
this is a Lion issue. Lion as LDAP client accepts anything as a password, it fails to verify the password. You don't get access to any other systems, just the Lion machine that you are logging in.

 

[munkery]

You're wrong.
this is a Lion issue. Lion as LDAP client accepts anything as a password, it fails to verify the password. You don't get access to any other systems, just the Lion machine that you are logging in.

But, the content that you are accessing exists on the server.

There is an issue with how the server verifies the credentials being sent from Lion clients.

Even if this is fixed in Lion, somebody could produce a third party client to exploit this same issue due to there being some sort of issue related to the server not properly verifying credentials from the some clients.



The interaction of clients and servers in relation to LDAP is no different than any other client/server protocol.

 

[bananas]

Even if this is fixed in Lion, somebody could produce a third party client to exploit this same issue due to there being some sort of issue related to the server not properly verifying credentials from the some clients.

Yes, by guessing a username you could get some information about user accounts: eg. which groups users belong to, phone numbers and email addresses of users and such. If the LDAP server uses SLL (like it should), you would need the right certificate to do this. The accessibility of LDAP server is most likely restricted to the known clients in internal network, so you would also need to find a way to get your computer into the network.

 

[TammyWal22]

Just like to know if this issue is fixed is the latest lion update?

 

[munkery]

Just like to know if this issue is fixed is the latest lion update?

Release notes suggest that it will be fixed in 10.7.2.

The next update to Lion coming soon.

 

[Clever.Usrname]

Release notes suggest that it will be fixed in 10.7.2.

The next update to Lion coming soon.

Does anyone know if this has been addressed in 10.7.2??

Thanks!

 

[munkery]

Does anyone know if this has been addressed in 10.7.2??

Thanks!

Yup.

 

[jeffstrunk]

Does anyone know if this has been addressed in 10.7.2??

Thanks!

10.7.2 has a related bug if you are attempting to use simple binds for authentication instead of kerberos. It now doesn't allow one to log in with any password at all.

I have documented a workaround.

 

[bananas]

10.7.2 has a related bug if you are attempting to use simple binds for authentication instead of kerberos. It now doesn't allow one to log in with any password at all.

I have documented a workaround.

Thanks, this is really useful.

 

[Adela]

When the LDAP settings are configured using custom mappings it will not connect to the LDAP server. In Directory Utility, I have configured LDAPv3 with the custom settings that are required to connect to our server. Under the Connection tab the Re-bind attempted in 120 seconds and it will stay at 120 seconds despite what you change it too.