Lion LDAP Authentication Problem

Hi helpers,


we are using an OpenLDAP server to authenticate our users to different desktop machines. Using SL everything worked just perfect. Now, I upgraded to 10.7 and the login of the LDAP users does not work anymore. I can see all users of the LDAP server listed in the directory service. Furthermore, using dscacheutil, I can get the uid and so on from the LDAP server. Just the password authentication does not work. Using "su", I get "su: Sorry" all the time.


Thanks for your help


J

Mac Pro, Mac OS X (10.7)

Posted on Aug 9, 2011 8:35 AM

35 replies

Aug 10, 2011 4:15 AM in response to JKasten83

Just to add a bit more information:


The opendirectoryd.log states: "AppleODClient - unable to open OD connection to Password Server"


Does anybody have the same problems? Is there anybody, who can successfully connect to an LDAP server and use the authentication?

Reply

Aug 22, 2011 1:10 AM in response to JKasten83

By removing and re-adding the LDAP server, the strange behavior that NO password is needed was fixed. Now, no LDAP user can be authenticated by password anymore -- this was the initial behavior.


As far as I can see, there are only two options:

1. No LDAP user can login.

2. Every LDAP user can be logged in with any password.


Thus, the problem is still not solved.

Reply

Aug 23, 2011 6:46 AM in response to JKasten83

I have now reported the problem to Apple via http://www.apple.com/feedback/macosx.html


I'm going to double check if this is related to mobile accounts which we use with the LDAP configuration to allow offline logins. I doubt that's the reason, but I'll try one more time from scratch, just to be sure.

Reply

Aug 23, 2011 7:29 AM in response to samvais

No change. I did as plain and simple a configuration as possible.

1. Edited /etc/openldap/ldap.conf with the path to certificate

2. created simple ldap configuration with directory utility (RFC2307 with SSL): dc=domain,dc=tld


3. booted and noticed there's a minor bug which changes the configuration NOT to use SSL, fixed the configuration and booted again.

4. Logged in with real username and wrong password. Uids and gids of users are correct and dscacheutil -configuration shows the correct servers, but the password is not verified.

Reply
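The two things the steps above turn on are whether the client's /etc/openldap/ldap.conf actually enforces TLS against the configured CA certificate (step 3 mentions the configuration silently losing SSL) and whether opendirectoryd.log shows the "unable to open OD connection to Password Server" message quoted earlier in the thread. The Python below is an added example, not code from this thread or from any poster in it. It assumes the real OpenLDAP ldap.conf directives URI, BASE, TLS_CACERT and TLS_REQCERT; the config fragments, host name and log lines are constructed for the example.

```python
"""Static checks for a Lion LDAP client: does ldap.conf demand TLS with a
known CA, and does opendirectoryd.log carry the Password Server failure?"""
import re

# Constructed sample: what a config looks like after SSL has been turned off
# (the Directory Utility bug described in step 3).  Not a real host.
WEAK_CONF = """\
URI ldap://ldap.example.invalid
BASE dc=domain,dc=tld
TLS_REQCERT never
"""

# Constructed sample: TLS enforced, server certificate validated against a CA file
HARDENED_CONF = """\
URI ldaps://ldap.example.invalid
BASE dc=domain,dc=tld
TLS_CACERT /etc/openldap/certs/ca.pem
TLS_REQCERT demand
"""

# Constructed log lines; only the quoted message text comes from the thread
SAMPLE_LOG = """\
2011-08-10 04:10:01 opendirectoryd[42]: AppleODClient - unable to open OD connection to Password Server
2011-08-10 04:10:02 opendirectoryd[42]: node /LDAPv3/ldap.example.invalid is reachable
"""


def parse_ldap_conf(text):
    """Parse 'DIRECTIVE value' lines into a dict; directive names are
    case-insensitive in ldap.conf, so they are upper-cased here."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1]
    return conf


def check_tls(conf):
    """Return a list of findings; empty means TLS is enforced and validated."""
    findings = []
    uri = conf.get("URI", "")
    if not uri.startswith("ldaps://"):
        findings.append("URI is plain ldap://; the bind goes in the clear "
                        "unless STARTTLS is forced (ldapsearch -ZZ)")
    if "TLS_CACERT" not in conf:
        findings.append("TLS_CACERT missing; the server certificate cannot be validated")
    # OpenLDAP's default for TLS_REQCERT is 'demand'; 'never'/'allow' skip validation
    if conf.get("TLS_REQCERT", "demand").lower() != "demand":
        findings.append("TLS_REQCERT is %r; set it to 'demand'" % conf["TLS_REQCERT"])
    return findings


PASSWORD_SERVER_FAILURE = re.compile(r"unable to open OD connection to Password Server")


def find_password_server_failures(log_text):
    """Return the log lines that show opendirectoryd failing to reach the
    Password Server, which is the symptom reported earlier in this thread."""
    return [line for line in log_text.splitlines() if PASSWORD_SERVER_FAILURE.search(line)]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_tls(parse_ldap_conf(text)) or "ok")
    for line in find_password_server_failures(SAMPLE_LOG):
        print("log:", line)
```

Point the script at the real /etc/openldap/ldap.conf and /var/log/opendirectoryd.log to use it on a Lion client. The manual check that complements it is a bind test from the terminal: `ldapsearch -x -ZZ -H ldap://server -D "uid=user,ou=people,dc=domain,dc=tld" -W` should fail with a wrong password and succeed with the right one, and `dscl /LDAPv3/server -authonly user` tests the same thing through Open Directory.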

Aug 29, 2011 6:14 PM in response to DarrenAus

Curious...


Are you working with ROOT enabled or selected in Directory Utility?


Your LDAP server, what is it? OS etc. Lion?


What happens when you use ldapsearch? From Lion terminal? From other Client Terminal? Using Directory Utility?


Does the Lion Client find the user's DN but does not drop and then reconnect using the DN?


Can the logged in user access any other services on the network?


Do they access


Are you using mixed authentication methods?


What is the relationship LDAP has with these if any? (Kerberos authentication of LDAP clients, LDAP Auth supporting Kerberos, etc.?)



I think we have a very simple fix but need to know more...

Thanks

Reply

Aug 29, 2011 11:46 PM in response to JKasten83

OpenLDAP website (www.openldap.org)—learn about the open source software that Open Directory uses to provide LDAP directory service.


RFC3377, “Lightweight Directory Access Protocol (v3): Technical Specification” (www.rfc-editor.org/rfc/rfc3377.txt)—lists a set of eight other Request for Comment (RFC) documents with overview information and detailed specifications for the LDAPv3 protocol.

Reply
