A bug in the (Open)LDAP authentication module in Mac OS X 10.7.x Lion can result in any password being accepted during login – all that's required is a valid user name. The problem occurs both when logging in via the graphical interface on a client and when logging in over the network via SSH on a server. Lion does not use LDAP for logging in by default; LDAP authentication tends to be used in large infrastructures for centralised user administration (name, password, group, etc.).

Apple has been informed of the problem and has apparently succeeded in reproducing it. Additionally, some users are reporting that they are completely unable to log in using LDAP after updating to Lion. Whether or not the problem occurs appears to depend on whether the LDAP server is running on a local or on a separate system.

It is not clear whether the problem will be fixed by means of a security update or in the next Lion point release, Mac OS X 10.7.2. At present, the only remedy is to deactivate LDAP authentication for critical services.

(crve)