Mac OS X Lion 10.7.3 GSSAPI support
When trying to authenticate a user against a GSSAPI-enabled OpenLDAP server, it seems that opendirectoryd skips the GSSAPI mechanism and uses CRAM-MD5.
The OpenLDAP server correctly advertises GSSAPI as a supported SASL mechanism (and GSSAPI works with ldapsearch):
$ ldapsearch -h ldap.aldu.net -b "" -s base "(objectclass=*)" supportedSASLMechanisms
SASL/GSSAPI authentication started
SASL username: heruan@ALDU.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#

#
dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1
If I disable CRAM-MD5 on OpenLDAP, opendirectoryd falls back to a simple bind, ignoring GSSAPI again! Is GSSAPI broken on Mac OS X Lion 10.7.3?