Authenticating users with an OpenLDAP server.
I am trying to upgrade dozens of computers on our network to Yosemite and find that I can no longer authenticate network users with OpenLDAP running on a Linux server.
During the login process, the ldap server is being accessed, and network users are correctly identified, but their passwords are not recognized. For example, if I issue a command like this on the command line,
% id netusername
it will correctly return information on that user, with all the groups, etc. The Contacts app will search the ldap database and return the correct results. It seems like the only part missing is being able to authenticate against the passwords.
This is what appears in the system log when a network user attempts to log in:
Sep 25 08:22:02 mac-mini.our.domain SecurityAgent[199]: User info context values set for netusername
Sep 25 08:22:02 mac-mini.our.domain authorizationhost[245]: Failed to authenticate user <netusername> (error: 9).
The hardware is brand new mac-minis running OS 10.10.5. Updating OX 10.9.x to 10.10.5 causes systems to lose their ability to authenticate network users. I have hundreds of computers running 10.7 through 10.9 that have worked for years. Something has changed with Yosemite but I am at a dead end understanding what it is.
I also can't use Transport Layer Security (TLS) from command line ldap queries, where I can on 10.9. For example a "ldapsearch …" will work but the same search with "ldapsearch -ZZ …" will not. I am not sure if this is related to the authentication problem or not.
The OpenLDAP server is "slapd 2.4.40 (Jul 24 2015 08:37:58) $mockbuild@c6b8.bsys.dev.centos.org:/builddir/build/BUILD/openldap-2.4.40"
Any suggestions about how to start trouble shooting this problem would be appreciated. Is there another forum that would be more appropriate for this question?
--
Jon
Mac mini, OS X Yosemite (10.10.5)
