Since Mac OS X 10.7.2 (Lion), Open Directory attempts to connect to OpenLDAP via SASL mechanisms. If your OpenLDAP server only offers Simple Bind, Lion will not fall back to it but will refuse to log you on. Versions before 10.7 only used Simple Bind and thus worked without problems.
Wireshark shows that the first thing a Mac does is connect to the LDAP server and query the server root (empty base DN) with the filter (objectClass=*), requesting the attributes supportedSASLMechanisms, defaultNamingContext, schemaNamingContext and saslRealm.
If we mimic that with ldapsearch for the supportedSASLMechanisms attribute, it looks like this:
# ldapsearch -x -h localhost -b '' -D "cn=manager,dc=example,dc=com" -y /etc/secrets/ldap-manager.secret -s base -LLL "(objectclass=*)" supportedSASLMechanisms

Which results in something like this:

supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
To make the Mac play nice again, we have to run the following command on the Mac (replace yourldapserver with the name of your LDAP server) for every mechanism offered by your LDAP server:
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string DIGEST-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
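As an added example (not from the original post), the following POSIX shell snippet generalizes the procedure above: it parses the ldapsearch -LLL output for supportedSASLMechanisms and emits one PlistBuddy command per mechanism, so the list can be reviewed before anything is changed on the Mac. The sample output and the hostname ldap.example.com are constructed placeholders; in practice you would pipe the live ldapsearch output into sasl_mechanisms.

```shell
#!/bin/sh
# Constructed sample of "ldapsearch ... -LLL '(objectclass=*)' supportedSASLMechanisms"
# output, as shown earlier on this page.
SAMPLE_OUTPUT='supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM'

# Read ldapsearch output on stdin and print the bare mechanism names, one per line.
sasl_mechanisms() {
  sed -n 's/^supportedSASLMechanisms: *//p'
}

# Read mechanism names on stdin and print one PlistBuddy "add" command per mechanism
# for the Open Directory LDAPv3 configuration of the server named in $1.
plistbuddy_commands() {
  plist="/Library/Preferences/OpenDirectory/Configurations/LDAPv3/$1.plist"
  while IFS= read -r mech; do
    [ -n "$mech" ] || continue
    printf "/usr/libexec/PlistBuddy -c \"add ':module options:ldap:Denied SASL Methods:' string %s\" %s\n" \
      "$mech" "$plist"
  done
}

# Stand-alone demonstration: print the commands for the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | sasl_mechanisms | plistbuddy_commands ldap.example.com
```

Denying every SASL method pushes Open Directory back to Simple Bind, so make sure the connection to the LDAP server uses TLS (LDAPS or STARTTLS), otherwise the bind password crosses the network in clear text.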