    MacOS Catalina fails to authenticate to OpenLDAP (#2141842)

    by bsdb0x

    I am wondering if anyone else may have come across this issue.

    So I have to integrate about 30 new iMacs into my network. My network is primarily Linux and FreeBSD. All hosts authenticate to an OpenLDAP server running on FreeBSD, all home directories are mounted with autofs to a ZFS server. OpenLDAP runs TLS.

    On a fresh updated install of Catalina I am able to configure the LDAP directory just fine, using RFC2307 and proper binding. I had to disable certain SASL methods to make it work this far. This was done with:

    # Deny these SASL methods on the ldap1 directory node (needed to get the bind working at all)
    for m in CRAM-MD5 DIGEST-MD5 LOGIN NTLM PLAIN GSSAPI; do
      /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string $m" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap1.plist
    done

    Using the Directory Utility/Directory Editor I am able to view all users and I can click the lock and authenticate just fine there and view all of the users details.

    Using the terminal logged in with “sudo su” I am able to “su ” just fine, the user account loads and my automount home directory works perfectly. Any user can use “id ” to view user details. Running “dscl localhost -list /LDAPv3/ldap1/Users” returns the full list of users properly.

    Problem is when I try to login on the GUI, SSH, or via “su ” while not under sudo. The logins fail. The logs show:

    opendirectoryd found password attribute – using a very low security method of ‘crypt’
    opendirectoryd Invalid password for opendirectoryd ODRecordVerifyPassword failed with result ODErrorCredentialsInvalid

    The LDAP server stores passwords using {CRYPT} using SHA512 (aka $6$) for encryption, all of this works fine with any Linux/BSD client (and using p-Gina on Windows). Changing this encryption will be really difficult as it would require everyone to change their password. The users are required to change passwords every 90 days, and with the staggering of that schedule it will take forever.

    Last year we did have a few Mojave MacBooks running just fine using this exact setup; LDAP has not changed since, as we enforce a frozen schema and configuration to avoid any issues.

    To me the problem seems to come from Catalina denying “crypt”, but any searches I have done have come up with zero ideas. So I am out of ideas, anyone else know what may be going on?

    Thanks in advance for any insights!
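What the client is actually being asked to do with a {CRYPT}$6$ userPassword value is worth seeing in code: the hash is handed to the client, and the client has to recompute SHA-512 crypt itself and compare. The block below is an added example written for this thread, not the poster's code and not anything from OpenLDAP or Apple; it implements SHA-512 crypt in pure Python (so it does not depend on the deprecated crypt module) and checks a password against an RFC 2307 userPassword in the same format the server above stores. The sample entry is constructed; its hash is assumed to be the SHA-crypt specification's reference vector for the password "Hello world!" with salt "saltstring".

```python
import hashlib
import hmac
import re

# crypt(3)'s own base64 alphabet (not RFC 4648), and the byte order in which the
# 64-byte SHA-512 digest is emitted, both taken from the SHA-crypt specification.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]


def _encode(digest: bytes) -> str:
    """Pack the 64-byte digest into 86 characters, 24 bits at a time, low 6 bits first."""
    out = []
    for triple, width in [(t, 4) for t in _ORDER] + [((None, None, 63), 2)]:
        b2, b1, b0 = (digest[i] if i is not None else 0 for i in triple)
        word = (b2 << 16) | (b1 << 8) | b0
        for _ in range(width):
            out.append(_ITOA64[word & 0x3F])
            word >>= 6
    return "".join(out)


def sha512_crypt(password: str, salt: str, rounds=None) -> str:
    """Compute a $6$ (SHA-512 crypt) hash string the way glibc/FreeBSD crypt(3) does."""
    pw, salt = password.encode(), salt[:16]          # salt is capped at 16 characters
    sb = salt.encode()
    explicit = rounds is not None                    # an explicit rounds= is echoed in the output
    rounds = 5000 if rounds is None else min(max(rounds, 1000), 999_999_999)

    digest_b = hashlib.sha512(pw + sb + pw).digest()
    a = hashlib.sha512(pw + sb)
    n = len(pw)
    while n > 64:                                    # one whole B per 64 bytes of password
        a.update(digest_b)
        n -= 64
    a.update(digest_b[:n])
    n = len(pw)
    while n > 0:                                     # walk the bits of the length, LSB first
        a.update(digest_b if n & 1 else pw)
        n >>= 1
    digest_a = a.digest()

    dp = hashlib.sha512(pw * len(pw)).digest()       # DP: password added len(password) times
    p_bytes = (dp * (len(pw) // 64 + 1))[:len(pw)]
    ds = hashlib.sha512(sb * (16 + digest_a[0])).digest()
    s_bytes = (ds * (len(sb) // 64 + 1))[:len(sb)]

    c = digest_a
    for i in range(rounds):                          # the stretching loop
        h = hashlib.sha512()
        h.update(p_bytes if i & 1 else c)
        if i % 3:
            h.update(s_bytes)
        if i % 7:
            h.update(p_bytes)
        h.update(c if i & 1 else p_bytes)
        c = h.digest()

    prefix = "$6$" + (f"rounds={rounds}$" if explicit else "")
    return f"{prefix}{salt}${_encode(c)}"


_CRYPT6 = re.compile(r"\$6\$(?:rounds=(\d+)\$)?([^$]{0,16})\$([./0-9A-Za-z]{86})")


def verify_userpassword(stored: str, password: str) -> bool:
    """Check a password against an RFC 2307 userPassword of the form
    {CRYPT}$6$[rounds=N$]salt$hash, the layout the server in this thread uses."""
    if not stored.startswith("{CRYPT}"):
        raise ValueError("not a {CRYPT} value")
    body = stored[len("{CRYPT}"):]
    m = _CRYPT6.fullmatch(body)
    if m is None:
        raise ValueError("only $6$ (SHA-512) crypt hashes are handled here")
    rounds = int(m.group(1)) if m.group(1) else None
    recomputed = sha512_crypt(password, m.group(2), rounds)
    # Constant-time comparison; a plain == stops at the first differing character.
    return hmac.compare_digest(recomputed.encode(), body.encode())


# Constructed sample entry in the thread's format; the hash is assumed to be the
# SHA-crypt spec's reference vector for "Hello world!" with salt "saltstring".
SAMPLE_USERPASSWORD = ("{CRYPT}$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/"
                       "O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1")

if __name__ == "__main__":
    print(verify_userpassword(SAMPLE_USERPASSWORD, "Hello world!"))  # True
    print(verify_userpassword(SAMPLE_USERPASSWORD, "hello world!"))  # False
```

The point for the thread: with {CRYPT} hashes, the directory client must read the userPassword attribute and run this computation locally, which is exactly the "found password attribute" path in the log above; a client that refuses that path has no other way to verify the password unless it does a bind as the user instead.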
