Bug allows Mac OS X Lion clients to use any LDAP password

Summary: If you have Mac OS X 'Lion' clients and use LDAP authentication, you need to read this.

By Adrian Kingsley-Hughes for Hardware 2.0 | August 27, 2011 -- 04:13 GMT (21:13 PDT)

Reports are circulating that Apple's latest incarnation of Mac OS X - 10.7 'Lion' - contains a serious LDAP network authentication bug.

The bug is a simple one, but at the same time a serious one - users logging in to Macs running OS X 10.7 can access restricted network resources using any password at all when LDAP is used for authentication (for example Apple's Open Directory or OpenLDAP).

At the moment it's not clear what the problem is because Apple doesn't own up to bugs until it has a patch for them but there's a fair bit of discussion about the problem on various forums. Some users claim that they can log into the network using any username and password while others claim to be completely locked out when using the correct username and password. Others are seeing a problem where they need the correct password initially but then other resources that require LDAP authentication are given automatic credentials.

Bottom line, if you use LDAP for authentication, and you have clients using 10.7 'Lion' then this is a pretty big deal. If that doesn't describe your setup then you don't need to worry about this.

Despite the problem first being reported on July 25, five days after Lion was released, Apple as yet to offer users a fix. This issue was not addressed in Apple's 10.7.1 update for Lion.

Topics: Software, Apple, Hardware, Operating Systems

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

50 comments

Log in or register to join the discussion

Message has been deleted.

slickjim
27 August, 2011 05:03

Reply Vote
RE: Bug allows Mac OS X Lion clients to use any LDAP password

*Jedi hand wave*

There is no bug.

The one and only, Cylon Centurion
27 August, 2011 05:05

Reply Vote
- RE: Bug allows Mac OS X Lion clients to use any LDAP password
 
 @Cylon Centurion Emperor Jobs has gone to sit on his Emperors Chair while his Apprentice Darth Cook Takes over.
 
 slickjim
 27 August, 2011 05:17
 
 Reply Vote
- RE: Bug allows Mac OS X Lion clients to use any LDAP password
 
 @Cylon Centurion
 +1
 
 LoverockDavidson_-24231404894599612871915491754222
 27 August, 2011 09:15
 
 Reply Vote
- RE: Bug allows Mac OS X Lion clients to use any LDAP password
 
 @Cylon Centurion Yeah because no other OS ever had a bug did it?
 
 Jeremy-UK
 27 August, 2011 09:57
 
 Reply Vote
 - RE: Bug allows Mac OS X Lion clients to use any LDAP password
 
 @Jeremy-UK We're not talking about other OSes. And if we were, say, talking about Windows, Apple fans would be listing security bugs from 15 years ago. Some still insist that the Mac Defender fiasco "doesn't count" as malware because the user had to click something.
 
 jgm@...
 27 August, 2011 10:43
 
 Reply Vote
 - RE: Bug allows Mac OS X Lion clients to use any LDAP password
 
 @Jeremy-UK
 
 It's not that other operating systems have a bug, it's the fact that Apple can't admit to them, and because of that, the customers are hurt. Remember what Ed had reported a couple of moths ago with the Mac Guard malware? Apple couldn't admit that there was a problem, and as a result, customers suffered.
 
 The one and only, Cylon Centurion
 27 August, 2011 11:45
 
 Reply Vote
 - And how does an operating system from another vendor
 
 @Jeremy-UK with it's own set of issues stop users of OS X Lion from logging into a network without credentials? I believe you are implying that these issues cause those in OS X Lion to disapear, am I correct? "|
 
 Tim Cook
 27 August, 2011 15:42
 
 Reply Vote
 - RE: Bug allows Mac OS X Lion clients to use any LDAP password
 
 @Cylon Centurion It is a simple "we don't talk about [whatever] until there is something to say". How does this hurt consumers? With Apple you don't get that drip, drip of information - you get (single) a well considered response.
 
 Jeremy-UK
 28 August, 2011 12:57
 
 Reply Vote
 - RE: Bug allows Mac OS X Lion clients to use any LDAP password
 
 @Jeremy-UK Only if you are admitting that OS X is just like any other OS, and not floating angelically on a pedestal above all others. In my experience, Macs are just like any other computers. The whole Mac vs. PC war is the intellectual equivalent of racism. IT'S ABSURD!
 
 scubashnurpel
 29 August, 2011 07:06
 
 Reply Vote
- RE: Bug allows Mac OS X Lion clients to use any LDAP password
 
 @Cylon Centurion +1
 
 ruffyleaf
 29 August, 2011 20:32
 
 Reply Vote
AD Integration was weak

AD Integration (LDAP) was weak in previous interation. It did not respect sites and services to the point where you had to manually configure each mac client to point to a particular domain controller. This comes as no surprise. Like DHX, Apple does not know how to play in the enterprise space.

Your Non Advocate
27 August, 2011 05:37

Reply Vote
RE: Bug allows Mac OS X Lion clients to use any LDAP password

Oops! Seems like that needs an update (understatement).

Best not deploy that quite yet!

Jeremy-UK
27 August, 2011 05:39

Reply Vote
Message has been deleted.

Stark_Industries
27 August, 2011 06:05

Reply Vote
- Message has been deleted.
 
 shellcodes_coder
 27 August, 2011 07:54
 
 Reply Vote
 - Message has been deleted.
 
 Your Non Advocate
 27 August, 2011 09:09
 
 Reply Vote
 - RE: Bug allows Mac OS X Lion clients to use any LDAP password
 
 @facebook Actually it was the Apple II that saw the appearance of the first virus. :-)
 
 jgm@...
 27 August, 2011 10:44
 
 Reply Vote
 - RE: Bug allows Mac OS X Lion clients to use any LDAP password
 
 @shellcodes_coder
 What's a virus? That's so last decade.
 
 Stark_Industries
 27 August, 2011 19:18
 
 Reply Vote
 - cum hoc ergo propter hoc
 
 @shellcodes_coder Mac OS only began to implement the use of a Unix-based kernel with the advent of OS X - phew, glad I got that off my chest. Anyway, having a Unix core does not automatically grant instant immunity against malicious attacks. As most Linux users (and Computer-literate Windows Users) could tell you, keeping yourself protected all stems down to using common sense and a touch of logic. Oh, and this god status credit you keep hurling towards Mac OS X is deserved elsewhere as it's not the only Unix-like OS out there. Simply put, Mac OS X isn't perfect on its own merits, it's basically picked up a few pointers from history; consider the following: In essense, Unix was built with a multi-user framework in mind, as a result, this clearly defined access rights of both users and programs before they can be initiated. This is where a root account comes into play. In order to initiate and in turn make use of said programs you need to grant access (i.e, type in your password). Here is where the tricky part comes in: LOGIC! Not everybody has it, but most should find the following fairly simple to do: 1)Only download from trusted sources(Windows/Linux/OS X) 2)Determine the integrity of the data through the use of checksum(Windows, Linux, OS X) 3)Use a Firewall(Windows, Linux, OS X) 4)Use a secure web browser(disable all plugins; make use of incognito/private sessions)(Windows, Linux, OS X) 5)Set up a decent anti-virus/anti-malware program(Windows) 6)Be wary of sites that you visit(Windows, Linux, OS X)
 
 G'Dammit!
 28 August, 2011 14:36
 
 Reply Vote
 - RE: Bug allows Mac OS X Lion clients to use any LDAP password
 
 @shellcodes_coder Simple, economically proven fact: "Macs are for consumers who don't want to know how their computer works, and don't mind missing out on the customization of Windows"
 
 scubashnurpel
 29 August, 2011 07:12
 
 Reply Vote