When a client uses Kerberos login together with an LDAPv3 server, an account password may be sent in clear text. If the account's AuthenticationAuthority attribute is not set, Login Window tries to authenticate the account against the configured LDAP server. After first attempting to authenticate the user with an encrypted password, Login Window falls back to a simple bind on the server, and that simple bind transmits the account password in clear text.
To prevent this, map the AuthenticationAuthority attribute to an existing, non-null attribute in your LDAP server. Which attribute you map it to does not matter, as long as the attribute exists in the directory and has a value for every user record. Do not use a static map entry (a fixed literal value in place of an attribute name): this may keep Login Window from completing the login process, and you may then need to restart the computer.
To update your configuration, follow these steps at each client computer:
1. Open Directory Access (/Applications/Utilities/).
2. Click the lock button to authenticate.
3. Select LDAPv3.
4. Click the Configure button.
5. Click the Search and Mappings tab.
6. Select the Users record entry.
7. Click the triangle to expose the configured attributes.
8. Click the Add button.
9. Select Attribute Types.
10. Scroll down and select AuthenticationAuthority from the list. See Figure 1.

Figure 1
11. Click OK.
12. With AuthenticationAuthority selected, click the Add button under the "Map to" list (right side of the screen).
13. Type the name of an existing attribute to map AuthenticationAuthority to. In Figure 2, it is mapped to loginshell.

Figure 2
14. Click OK to save the configuration.
15. Click OK again to close configuration entries screen.
16. Quit Directory Access.
17. The changes propagate in approximately two to three minutes; restart the computer to test the new configuration immediately.
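One check worth doing after step 13: confirm that the attribute you mapped really is non-null for every user record, because a user whose mapped attribute is missing or empty on the server would still fall through to the clear-text simple bind. The following audit script is an added example, not part of this article or of Apple's software. It parses a constructed LDIF export of user records (the kind an `ldapsearch -x -LLL` query against the users container would print) and lists the users for which the mapped attribute, loginShell here as in Figure 2, is absent or empty. The sample entries, DNs and values are made up for illustration.

```python
"""Audit an LDIF export of user records for the attribute mapped to
AuthenticationAuthority.

Any user whose mapped attribute is missing or empty would still trigger
Login Window's simple-bind fallback, which sends the password in clear text.
Added example, not Apple's code; the LDIF below is constructed sample data.
"""
import base64
from typing import Dict, List

# Constructed sample export, modelled on `ldapsearch -x -LLL` output.
# bob has an empty loginShell, carol has none at all, dave's is base64-encoded.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=example,dc=com
uid: alice
objectClass: posixAccount
loginShell: /bin/bash

dn: uid=bob,cn=users,dc=example,dc=com
uid: bob
objectClass: posixAccount
loginShell:

dn: uid=carol,cn=users,dc=example,dc=com
uid: carol
objectClass: posixAccount

dn: uid=dave,cn=users,dc=example,dc=com
uid: dave
objectClass: posixAccount
loginShell:: L2Jpbi96c2g=
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: handles folded lines, '#' comments and '::' base64 values.

    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive (loginShell and loginshell are the same attribute).
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def users_without_mapped_attr(entries: List[Dict[str, List[str]]],
                              mapped_attr: str) -> List[str]:
    """Return DNs whose mapped attribute is absent or carries only empty values."""
    key = mapped_attr.lower()
    at_risk = []
    for entry in entries:
        values = [v for v in entry.get(key, []) if v.strip()]
        if not values:
            at_risk.append(entry.get("dn", ["<no dn>"])[0])
    return at_risk


def audit(ldif_text: str, mapped_attr: str = "loginShell") -> Dict[str, List[str]]:
    """Split users into those safe from the fallback and those still exposed to it."""
    entries = parse_ldif(ldif_text)
    exposed = users_without_mapped_attr(entries, mapped_attr)
    ok = [e["dn"][0] for e in entries if e["dn"][0] not in exposed]
    return {"ok": ok, "fallback_risk": exposed}


if __name__ == "__main__":
    result = audit(SAMPLE_LDIF)
    for dn in result["ok"]:
        print("OK                      ", dn)
    for dn in result["fallback_risk"]:
        print("CLEAR-TEXT BIND RISK    ", dn, "(mapped attribute is null)")
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents and passing the attribute you chose in step 13; any DN reported under "fallback_risk" needs a value set on the server before the mapping protects that user. Mapping to an attribute such as uid, which every posixAccount entry must carry, avoids the problem entirely.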
System Requirements
- Mac OS X 10.2 and later
- Mac OS X 10.2 Server and later
Note: When using LDAP, enable SSL for the LDAPv3 connection so that binds and all other directory traffic are encrypted in transit; this reduces the risk of other data security issues beyond the one described here.