You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: JKasten83
JKasten83 Author
User level: Level 1
0 points

Lion LDAP Authentication Problem

Hi helpers,


we are using an OpenLDAP server to authenticate our users to different desktop machines. Using SL everything worked just perfect. Now, I upgraded to 10.7 and the login of the LDAP users does not work anymore. I can see all users of the LDAP server listed in the directory service. Furthermore, using dscacheutil, I can get the uid and so on from the LDAP server. Just the password authentification does not work. Using "su", I get "su: Sorry" all the time.


Thanks for your help


J

Mac Pro, Mac OS X (10.7)

Posted on Aug 9, 2011 8:35 AM

Reply
35 replies
User profile for user: JKasten83
JKasten83 Author
User level: Level 1
0 points

Aug 22, 2011 1:10 AM in response to JKasten83

By removing and readding the LDAP server, the strange behavior that NO password is needed was fixed. Now, no LDAP user can be authenticated by password anymore -- this was the initial behavior.


As far as I can see, there are only two options:

1. No LDAP user can login.

2. Every LDAP user can be logged in with any password.


Thus, the problem is still not solved.

Reply
User profile for user: samvais
samvais
User level: Level 1
0 points

Aug 23, 2011 7:29 AM in response to samvais

No change. I did as plain and simple configuration as possible.

1. Edited /etc/openldap/ldap.conf with the path to certificate

2. created simple ldap configuration with directory utility (RFC2307 with SSL): dc=domain,dc=tld


3. booted and noticed there's a minor bug which changes the configuration NOT to use SSL, fixed the configuration and booted again.

4. Logged in with real username and wrong password. Uids and gids of users are correct and dscacheutil -configuration shows the correct servers, but the password is not verified.

Reply
User profile for user: drStrangeP0rk
drStrangeP0rk
User level: Level 1
8 points

Aug 29, 2011 6:14 PM in response to DarrenAus

Curios...


Are you working with ROOT enabled or selected in Directory Utility?


Your LDAP server, what is it? OS etc. Lion?


What happens when you use ldapsearch? From Lion terminal? From other Client Terminal? Using Directory Utility?


Does the Lion Client find the users DN but does not drop and then reconnect using the DN?


Can the loged in user access any other services on the network?


Do they access


Are you using mixed authentication methods?


What is the relationship LDAP has with these if any? (Kerberos authentication of LDAP clients, LDAP Auth supporting kerberos, etc.?)



I think we have a very simple fix but need to know more...

Thanks

Reply
User profile for user: sonnyleung1
sonnyleung1
User level: Level 1
0 points

Aug 29, 2011 11:46 PM in response to JKasten83

OpenLDAP website (www.openldap.org)—learn about the open source software that

Open Directory uses to provide LDAP directory service.


RFC3377, “Lightweight Directory Access Protocol (v3): Technical Specification”

(www.rfc-editor.org/rfc/rfc3377.txt)—lists a set of eight other Request for Comment

(RFC) documents with overview information and detailed specifications for the

LDAPv3 protocol.

Reply

Lion LDAP Authentication Problem

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up