Catalina fails to autenticate to OpenLDAP

New Contributor

I am wondering if anyone else may have come across this issue.

So I have to integrate about 30 new iMacs into my network. My network is primarily Linux and FreeBSD. All hosts authenticate to an OpenLDAP server running on FreeBSD, all home directories are mounted with autofs to a ZFS server. OpenLDAP runs TLS.

On a fresh updated install of Catalina I am able to configure the LDAP directory just fine, using RFC2307 and proper binding. I had to disable certain SASL methods to make it work this far. This was done with:

for m in CRAM-MD5 DIGEST-MD5 LOGIN NTLM PLAIN GSSAPI; do /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string $m" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap1.plist done

Using the Directory Utility/Directory Editor I am able to view all users and I can click the lock and authenticate just fine there and view all of the users details.

Using the terminal logged in with "sudo su" I am able to "su <ldap-user>" just fine, the user account loads and my automount home directory works perfectly. Any user can use "id <ldap-user>" to view user details. Running "dscl localhost -list /LDAPv3/ldap1/Users" returns the full list of users properly.

Problem is when I try to login on the GUI, SSH OR via "su <ldap-user>" while not under sudo. The logins fail. The logs show:

opendirectoryd found password attribute - using a very low security method of 'crypt' opendirectoryd Invalid password for <private> opendirectoryd ODRecordVerifyPassword failed with result ODErrorCredentialsInvalid

The LDAP server stores passwords using {CRYPT} using SHA512 (aka $6$) for encryption, all of this works fine with any linux/bsd client (and using p-Gina on Windows). Changing this encryption will be really difficult as it would require everyone to change their password. The users are required to change passwords every 90 days, and with the staggering of that schedule it will take forever.

Last year we did have a few Mojave macbooks running just fine using this exact setup, LDAP has not changed since as we enforce a frozen schema and configuration to avoid any issues.

To me the problem seems to come from Catalina denying "crypt" but any searches I have done have come up with zero ideas. So I am out of ideas, anyone else know what maybe going on??

Thanks in advance for any insights!