It Seems That "Security Last" Is Lion's Motto

P. J. Connolly began writing for IT publications in 1997 and has a lengthy track record in both news and reviews. Since then, he's built two test labs from scratch and earned a reputation as the nicest skeptic you'll ever meet. Before taking up journalism, P. J. was an IT manager and consultant in San Francisco with a knack for networking the Apple Macintosh, and his love for technology is exceeded only by his contempt for the flavor of the month. Speaking of which, you can follow P. J. on Twitter at pjc415, or drop him an email at
By P. J. Connolly  |  Posted 2011-08-26 Email Print this article Print

I know folks at Apple's headquarters are kind of preoccupied this week, but in between the obligatory valedictions for the Dear Leader, maybe some of their brighter engineers could sit down and fix a huge problem that's been hiding below the surface of Mac OS X Lion.

lion logo

With OS X Lion's LDAP authentication utterly broken, Apple's new OS looks mangy and toothless.

It seems that the company's implementation of LDAP (the Lightweight Directory Access Protocol) just doesn't work as it should. To summarize, when you log into a server, one of four things ought to happen:

  • access is denied when invalid authentication credentials are presented
  • access is granted when valid credentials are presented
  • access is denied despite your presenting valid credentials, or
  • access is granted even when presenting invalid credentials.
The first two outcomes are desirable; of the remaining outcomes, the last one is quite possibly the worst of all, and that what's happening with Lion. It's so bad that at least one recommendation calls for Lion users to disable LDAP authentication altogether, which in many large organizations means that you've just cut yourself off from networked resources.

From all reports, Apple's people can replicate the bug, but the company hasn't acknowledged its existence; a former colleague of mine is speculating that it's because LDAP authentication isn't used that often on Mac clients.

But while that may be the case, where LDAP is used, it's absolutely vital. It's utterly inexcusable for Apple to sweep this problem under the rug. I hate to say "I told you so," but I did.

Apple's given up on its business users, but like abused lovers, we keep saying that we ran into a cabinet door. When will we learn? |

Submit a Comment

Loading Comments...

Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel