Work’s been super busy, so I had to put it off longer than I liked, but I finally got to test setting up a Lion OpenLDAP client. Success! OS X 10.7.3 finally fixes our problems. 10.7 and 10.7.1 were of course vulnerable to the widely publicized issue where it would accept any password after binding to an LDAP server. 10.7.2 fixed this problem, but at the expense of breaking our ability to log in at all.
The only downside was that the switch from the old Directory Service to the new Open Directory meant that I had to reenter all our custom mappings through the GUI tool. (The files were soooo close, and yet, not quite the same.) I did notice one oddity in the process. In previous versions of Mac OS X, we didn’t bother specifying a record name for our Groups. If you don’t do that in Lion and try to look at NFS file permissions or run the id command from Terminal, it prints out No Record Name in place of your group id. There might be other similar oddities that I haven’t uncovered yet. Happily, they’re easily fixed.
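A quick post-migration check for the group oddity above, added here as an example and not part of the original post: it scans the text that the id command prints for a user and flags any group entry that came back as the No Record Name placeholder, so a missing RecordName on an LDAP Group can be caught before anyone notices wrong NFS permissions. The sample id output in the script is constructed, not captured from a real client.

```shell
# Added example (not from the original post). Checks `id` output for group
# entries that resolved to the "No Record Name" placeholder, the symptom the
# post describes for LDAP Group records created without a RecordName.
# Real usage on a client: check_group_names "$(id jdoe)"

check_group_names() {
  # $1: the full line produced by `id <user>`
  # returns 0 when every group resolved to a name, 1 otherwise
  id_out=$1
  # id separates group memberships with commas; split them one per line
  unresolved=$(printf '%s\n' "$id_out" | tr ',' '\n' | grep -c 'No Record Name' || true)
  if [ "${unresolved:-0}" -gt 0 ]; then
    printf 'Found %s group entries without a record name:\n' "$unresolved"
    printf '%s\n' "$id_out" | tr ',' '\n' | grep 'No Record Name' | sed 's/^[a-z]*=//'
    return 1
  fi
  return 0
}

# Constructed sample lines standing in for real `id` output on a Lion client
SAMPLE_OK='uid=1001(jdoe) gid=2000(staff) groups=2000(staff),3000(devs)'
SAMPLE_BAD='uid=1001(jdoe) gid=2000(No Record Name) groups=2000(No Record Name),3000(devs)'

# Stand-alone run: report on the constructed bad sample
check_group_names "$SAMPLE_BAD" || echo "fix the RecordName on the groups listed above"
```

Once the groups have a record name set in the Directory Utility mappings, the same call returns 0 and prints nothing, so it can sit in a login-test script on each client.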