Unable to authenticate OpenLDAP users on macOS clients "user not found: no secret in database"

mac-osx ldap openldap ubuntu-16.04

Solution 1:

I recently had an issue with this. I was unable to get user authentication to work while the DIGEST-MD5 and CRAM-MD5 mechanisms were being presented as options from the server. I wanted to make the change on the LDAP server rather than modify each client with plist settings.

The following two methods worked to fix user authentication by blocking the server from using the 2 SASL MD5 mechanisms. Tested with macOS Yosemite and Mojave clients bound to an OpenLDAP server version 2.4.44.

METHOD 1: Set the olcSaslSecProps noactive option which will disable all mechanisms that are susceptible to active non-dictionary attacks. (Note: There are other options as well see: https://docs.oracle.com/javase/jndi/tutorial/ldap/security/sasl.html)

vi modify_olcSaslSecProps.ldif

dn: cn=config
chagetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noplain,noanonymous,noactive

ldapmodify -Y EXTERNAL -H ldapi:/// -f modify_olcSaslSecProps.ldif

To view the changes before and after the modify:

ldapsearch -H ldapi:/// -x -s base -b "" -LLL "+" | grep sasl

BEFORE:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

AFTER:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI

METHOD 2: Which gives even more control is to create a configuration file that allows the specific SASL mechanisms desired. For me on a CentOS 7.9 server with Cyrus SASL 2.1.26 package installed. Create a file named slapd.conf with the contents shown below and then reload slapd service for the changes to take effect. Edit the SASL mechanisms as desired in lowercase with a single space between each.

vi /usr/lib64/sasl2/slapd.conf

mech_list: plain login external gssapi gss-spnego

systemctl reload slapd.service

Also the the olcSaslSecProps should be set to "noplain,noanonymous".

vi modify_olcSaslSecProps.ldif

dn: cn=config
chagetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noplain,noanonymous

ldapmodify -Y EXTERNAL -H ldapi:/// -f modify_olcSaslSecProps.ldif

Solution 2:

I FIGURED IT OUT!

Okay so the issue is that macOS tries to authenticate using CRAM-MD5. OpenLDAP default is DIGEST-MD5. In order for this to work you have to add the hashing algorithm to the plist for when the SASL authentication fails. To do so:

sudo su 
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string DIGEST-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist 
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string CRAM-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string NTLM" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string GSSAPI" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist

Restart the Mac, and it will work successfully. Also, make sure you copy the plist so you don't have to screw with it anymore!

Related

Error adding Starship command line in Windows PowerShell profile
Filter multidimensional array based on another array
How to maximize the GCD of n positive integers with minimum number of removals from the sequence that represents them?
Attaching a Textbox to a point or line on a chart in Excel/VBA
Extracting a common Object from two Javascript objects with same keys
Return from included file
What does the util module in node.js do?
e.pageX return undefined when mousewheel event on FireFox
How to serialize a Map in javascript?
Get all ltree nodes at depth
Split a cell into multiple rows based on line break and formats data elements
Meaning of the prefix I in Java-Classnames [closed]