It Seems That "Security Last" Is Lion's Motto

lion logo

I know folks at Apple's headquarters are kind of preoccupied this week, but in between the obligatory valedictions for the Dear Leader, maybe some of their brighter engineers could sit down and fix a huge problem that's been hiding below the surface of Mac OS X Lion.


It seems that the company's implementation of LDAP (the Lightweight Directory Access Protocol) just doesn't work as it should. To summarize, when you log into a server, one of four things ought to happen:

  • access is denied when invalid authentication credentials are presented
  • access is granted when valid credentials are presented
  • access is denied despite your presenting valid credentials, or
  • access is granted even when presenting invalid credentials.
The first two outcomes are desirable; of the remaining outcomes, the last one is quite possibly the worst of all, and that what's happening with Lion. It's so bad that at least one recommendation calls for Lion users to disable LDAP authentication altogether, which in many large organizations means that you've just cut yourself off from networked resources.

From all reports, Apple's people can replicate the bug, but the company hasn't acknowledged its existence; a former colleague of mine is speculating that it's because LDAP authentication isn't used that often on Mac clients.

But while that may be the case, where LDAP is used, it's absolutely vital. It's utterly inexcusable for Apple to sweep this problem under the rug. I hate to say "I told you so," but I did.

Apple's given up on its business users, but like abused lovers, we keep saying that we ran into a cabinet door. When will we learn?