A U.K. website called The H reports that Mac OS X 10.7 has a bug in which the password is not checked when a user authenticates to a Lightweight Directory Access Protocol (LDAP) directory. The result, according to the report, is that in some circumstances, any password a user types in will be accepted. The H says the only way to get around the problem is to deactivate LDAP authentication. The report says that Apple is aware of the problem. However, another report at the Register says that Apple has not admitted the problem. This report also says that the problem persists with the 10.7.1 update. Either way, the problem is a potentially serious security hole.
If you're seeing this problem with LDAP and passwords
.
Lion was criticized earlier this month when a security expert at the Black Hat security conference said that Mac OS X -- and in particular, Mac OS X Server -- is less secure than Windows 7, for various other reasons. ITworld quoted the expert as saying "Once you turn on the administrator stuff, once you install OS X Server, you are toast."