Unable to authenticate OpenLDAP users on macOS clients "user not found: no secret in database"
Solution 1:
I recently had an issue with this. I was unable to get user authentication to work while the DIGEST-MD5 and CRAM-MD5 mechanisms were being presented as options from the server. I wanted to make the change on the LDAP server rather than modify each client with plist settings.
The following two methods worked to fix user authentication by blocking the server from using the 2 SASL MD5 mechanisms. Tested with macOS Yosemite and Mojave clients bound to an OpenLDAP server version 2.4.44.
METHOD 1: Set the olcSaslSecProps noactive option which will disable all mechanisms that are susceptible to active non-dictionary attacks. (Note: There are other options as well see: https://docs.oracle.com/javase/jndi/tutorial/ldap/security/sasl.html)
vi modify_olcSaslSecProps.ldif
dn: cn=config
chagetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noplain,noanonymous,noactive
ldapmodify -Y EXTERNAL -H ldapi:/// -f modify_olcSaslSecProps.ldif
To view the changes before and after the modify:
ldapsearch -H ldapi:/// -x -s base -b "" -LLL "+" | grep sasl
BEFORE:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
AFTER:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
METHOD 2: Which gives even more control is to create a configuration file that allows the specific SASL mechanisms desired. For me on a CentOS 7.9 server with Cyrus SASL 2.1.26 package installed. Create a file named slapd.conf with the contents shown below and then reload slapd service for the changes to take effect. Edit the SASL mechanisms as desired in lowercase with a single space between each.
vi /usr/lib64/sasl2/slapd.conf
mech_list: plain login external gssapi gss-spnego
systemctl reload slapd.service
Also the the olcSaslSecProps should be set to "noplain,noanonymous".
vi modify_olcSaslSecProps.ldif
dn: cn=config
chagetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noplain,noanonymous
ldapmodify -Y EXTERNAL -H ldapi:/// -f modify_olcSaslSecProps.ldif
Solution 2:
I FIGURED IT OUT!
Okay so the issue is that macOS tries to authenticate using CRAM-MD5
. OpenLDAP default is DIGEST-MD5. In order for this to work you have to add the hashing algorithm to the plist for when the SASL authentication fails. To do so:
sudo su
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string DIGEST-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string CRAM-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string NTLM" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string GSSAPI" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
Restart the Mac, and it will work successfully. Also, make sure you copy the plist so you don't have to screw with it anymore!