LDAP Authentication with Simple Binds on OS X Lion 10.7.2

by Jeff Strunk on Oct 14 2011

Last week Apple released OS X 10.7.2. They fixed the bug that allowed one to use any password to log in when LDAP authentication is enabled. Now one can't use any password to log in. Fortunately, I found a workaround for this bug.

The new bug is that opendirectoryd picks the best SASL authentication method advertised by the LDAP server, and the options in Directory Utility for forcing simple (anonymous) binds are greyed out, so there is no way to turn this off in the GUI.

Here is how I managed to get 10.7.2 to authenticate against our OpenLDAP servers running on Ubuntu Linux.

  1. Configure Directory Utility to use your LDAPv3 server as you did with Snow Leopard.
  2. Search your LDAP server's RootDSE for the advertised SASL methods.
    $ ldapsearch -x -h ldapserver -b "" -s base "(objectclass=*)" supportedSASLMechanisms
    supportedSASLMechanisms: NTLM
    supportedSASLMechanisms: GSSAPI
    supportedSASLMechanisms: DIGEST-MD5
    supportedSASLMechanisms: CRAM-MD5
  3. Open the opendirectoryd plist for your LDAPv3 server in /Library/Preferences/OpenDirectory/Configurations/LDAPv3, and add all of the advertised SASL methods to the "Denied SASL Methods" array. (Screenshot: the Denied SASL Methods array in the plist.)
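Steps 2 and 3 can be scripted. The following is an added example, not code from the original post: it parses the `ldapsearch` RootDSE output for the advertised mechanisms and appends every one of them to the denied array in the server's plist using the standard-library `plistlib`. The location of the array inside the plist ("module options" -> "ldap" -> "Denied SASL Methods") and the `query_sasl_mechanisms`/`deny_sasl_mechanisms` function names are my assumptions; the sample LDIF and sample plist are constructed so the script can be exercised offline.

```python
#!/usr/bin/env python3
"""Deny every SASL mechanism an LDAP server advertises so that opendirectoryd
falls back to a simple bind (added example, not from the original post).

Usage (as root, after backing up the plist):
    python3 deny_sasl.py ldapserver \
        /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldapserver.plist
"""
import plistlib
import subprocess
import sys

# Constructed sample of `ldapsearch -x -h ldapserver -b "" -s base
# "(objectclass=*)" supportedSASLMechanisms` output, matching the post.
SAMPLE_LDAPSEARCH_OUTPUT = """\
# extended LDIF
# requesting: supportedSASLMechanisms
#
dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

# search result
result: 0 Success
"""

# Constructed minimal LDAPv3 config plist; the key path below is an assumption.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>module options</key>
  <dict>
    <key>ldap</key>
    <dict>
      <key>Denied SASL Methods</key>
      <array><string>CRAM-MD5</string></array>
    </dict>
  </dict>
</dict>
</plist>
"""

DENIED_KEY_PATH = ("module options", "ldap", "Denied SASL Methods")  # assumed


def parse_sasl_mechanisms(ldif_text):
    """Return the advertised mechanisms in server order, without duplicates."""
    mechanisms = []
    for line in ldif_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "supportedSASLMechanisms":
            mech = value.strip()
            if mech and mech not in mechanisms:
                mechanisms.append(mech)
    return mechanisms


def query_sasl_mechanisms(host):
    """Run the step-2 RootDSE query against a live server (needs ldapsearch)."""
    result = subprocess.run(
        ["ldapsearch", "-x", "-h", host, "-b", "", "-s", "base",
         "(objectclass=*)", "supportedSASLMechanisms"],
        check=True, capture_output=True, text=True)
    return parse_sasl_mechanisms(result.stdout)


def read_denied(plist_bytes, key_path=DENIED_KEY_PATH):
    """Return the current denied list (empty if the path does not exist)."""
    node = plistlib.loads(plist_bytes)
    for key in key_path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return list(node) if isinstance(node, list) else []


def deny_sasl_mechanisms(plist_bytes, mechanisms, key_path=DENIED_KEY_PATH):
    """Return the plist (XML form) with each mechanism added to the denied array."""
    config = plistlib.loads(plist_bytes)
    node = config
    for key in key_path[:-1]:
        node = node.setdefault(key, {})
    denied = node.setdefault(key_path[-1], [])
    for mech in mechanisms:
        if mech not in denied:
            denied.append(mech)
    return plistlib.dumps(config)


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: deny_sasl.py <ldap-host> <path-to-LDAPv3-plist>")
    host, path = argv[1], argv[2]
    mechanisms = query_sasl_mechanisms(host)
    with open(path, "rb") as fh:
        updated = deny_sasl_mechanisms(fh.read(), mechanisms)
    with open(path, "wb") as fh:
        fh.write(updated)
    print("denied:", ", ".join(read_denied(updated)))


if __name__ == "__main__":
    main(sys.argv)
```

Two practical points: keep a copy of the plist before running this, since opendirectoryd will ignore a malformed file, and remember that a simple bind sends the password to the server in the clear, so the LDAPv3 connection in Directory Utility should be using SSL/TLS before you rely on this.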

Once you restart, you should be able to log in with the users and passwords stored in your LDAP server, just as you were able to in Snow Leopard.