Catalina fails to authenticate to OpenLDAP


Joined
Aug 27, 2020
Messages
1
Reaction score
0
I am wondering if anyone else may have come across this issue.

So I have to integrate about 30 new iMacs into my network. My network is primarily Linux and FreeBSD. All hosts authenticate to an OpenLDAP server running on FreeBSD, all home directories are mounted with autofs to a ZFS server. OpenLDAP runs TLS.

On a fresh updated install of Catalina I am able to configure the LDAP directory just fine, using RFC2307 and proper binding. I had to disable certain SASL methods to make it work this far. This was done with:

for m in CRAM-MD5 DIGEST-MD5 LOGIN NTLM PLAIN GSSAPI; do
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string $m" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap1.plist
done


Using the Directory Utility/Directory Editor I am able to view all users and I can click the lock and authenticate just fine there and view all of the users details.

Using the terminal logged in with "sudo su" I am able to "su <ldap-user>" just fine, the user account loads and my automount home directory works perfectly. Any user can use "id <ldap-user>" to view user details. Running "dscl localhost -list /LDAPv3/ldap1/Users" returns the full list of users properly.

Problem is when I try to log in on the GUI, via SSH, or via "su <ldap-user>" while not under sudo. The logins fail. The logs show:

opendirectoryd found password attribute - using a very low security method of 'crypt'
opendirectoryd Invalid password for <private>
opendirectoryd ODRecordVerifyPassword failed with result ODErrorCredentialsInvalid


The LDAP server stores passwords using {CRYPT} using SHA512 (aka $6$) for encryption, all of this works fine with any linux/bsd client (and using p-Gina on Windows). Changing this encryption will be really difficult as it would require everyone to change their password. The users are required to change passwords every 90 days, and with the staggering of that schedule it will take forever.

Last year we did have a few Mojave macbooks running just fine using this exact setup, LDAP has not changed since as we enforce a frozen schema and configuration to avoid any issues.

To me the problem seems to come from Catalina denying "crypt", but any searches I have done have come up with zero ideas. So I am out of ideas; does anyone else know what may be going on?

Thanks in advance for any insights!
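As an added example (not from the thread or from any of its posters): a small Python audit over a constructed LDIF export that classifies each userPassword value's storage scheme, separating the {CRYPT} $6$ SHA512-crypt described above from traditional DES crypt, other RFC 2307 schemes and cleartext. When a client logs "a very low security method of 'crypt'", confirming which crypt variant the directory actually holds for each account is the first check to run; the DNs and hash values below are made up.

```python
import base64
import re

# Constructed LDIF export (sample data, not a real directory). userPassword
# is commonly base64-encoded in LDIF ("::"), so both forms appear here.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=example,dc=org\n"
    "uid: alice\n"
    "userPassword:: "
    + base64.b64encode(b"{CRYPT}$6$saltsalt$hashvalue").decode() + "\n"
    "\n"
    "dn: uid=bob,ou=People,dc=example,dc=org\n"
    "uid: bob\n"
    "userPassword: {CRYPT}abJnggxhB/yWI\n"        # 13-char traditional DES crypt
    "\n"
    "dn: uid=carol,ou=People,dc=example,dc=org\n"
    "uid: carol\n"
    "userPassword: {SSHA}MTIzNDU2Nzg5MGFiY2RlZg==\n"
    "\n"
    "dn: uid=dave,ou=People,dc=example,dc=org\n"
    "uid: dave\n"
    "userPassword: plaintextsecret\n"
)

# crypt(3) "$id$" prefixes; anything under {CRYPT} without one is DES crypt.
CRYPT_VARIANTS = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt",
                  "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}
# Schemes a defender should flag: cleartext, DES crypt, MD5 and unsalted digests.
WEAK = {"plaintext", "des-crypt", "md5-crypt", "{MD5}", "{SHA}"}

def classify_password(value: str) -> str:
    """Label the storage scheme of one userPassword value."""
    m = re.match(r"\{(\w+)\}(.*)", value, re.S)
    if not m:
        return "plaintext"                 # no RFC 2307 scheme prefix at all
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return "{%s}" % scheme             # e.g. {SSHA}, {SHA}, {MD5}
    for prefix, name in CRYPT_VARIANTS.items():
        if rest.startswith(prefix):
            return name
    return "des-crypt"

def parse_ldif(text: str):
    """Return (dn, userPassword) pairs, unfolding continuation lines and decoding '::'."""
    entries = []
    for block in text.strip().replace("\n ", "").split("\n\n"):
        dn = pw = None
        for line in block.splitlines():
            if line.startswith("dn: "):
                dn = line[4:]
            elif line.startswith("userPassword:: "):
                pw = base64.b64decode(line[15:]).decode()
            elif line.startswith("userPassword: "):
                pw = line[14:]
        if dn and pw is not None:
            entries.append((dn, pw))
    return entries

def audit(text: str) -> dict:
    """Map each DN in the export to its password scheme label."""
    return {dn: classify_password(pw) for dn, pw in parse_ldif(text)}

def weak_accounts(text: str) -> list:
    """DNs whose stored password scheme is in WEAK, sorted for stable reporting."""
    return sorted(dn for dn, label in audit(text).items() if label in WEAK)
```

Run it against a real `slapcat`/`ldapsearch` export of userPassword to see whether every account really carries a $6$ hash before suspecting the client.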
Cory Cooper

Moderator
Joined
May 19, 2004
Messages
8,609
Reaction score
329
Hello and welcome.

I have some networking and binding experience, but not with FreeBSD/OpenLDAP.

I will look into it further and get back to you with anything I find.

C
Cory Cooper

Moderator
Joined
May 19, 2004
Messages
8,609
Reaction score
329
Hello again,

I haven't found anything helpful as of yet...still looking.

Any update from your end?

C