HOWTO Bind using SASL DIGEST-MD5?

Similar Messages

• Reuse the LDAP connection when Using SASL DIGEST-MD5

  I have problem to use the same ldap connection for multiple SASL authenticaiton.
  step1, LDAPConection conn=new LDAPCo...
  conn.conect()..
  step2, do a SASL DIGEST-MD5, successfully get a challenge from server and server confirmation after the response is correct.
  step3, I want to use the same connection for another authetincation of different user, some how the server did not give back the challenge and reject the authenticaiton request again.
  So my question is how can we reuse the same connection for SASL authentication?
  Any switch or reset on the LDAP connection or the LDAP server has to be configured in some way to take multiple authentication using the same connection?

  More than fifty people have read this post, but there are no replies as
  of yet. I'm going to interpret that as "SASL DIGEST-MD5 is not
  supported by the Novell CSharp library."
  danielnapierski;1995522 Wrote:
  > I haven't been able to bind to an LDAP server using SASL DIGEST-MD5
  > using the Novell CSharp library. Can anyone explain how this is done,
  > or point me to a code example?
  >
  > I can connect, bind, and search this LDAP server using Apache Directory
  > Studio, so I know that my credentials are correct.
  >
  > Also, I have already used the Novell CSharp library for searching other
  > LDAP servers using simple authentication, and SSL, but never SASL
  > DIGEST-MD5.
  >
  > Thanks in advance for any help.
  danielnapierski
  danielnapierski's Profile: http://forums.novell.com/member.php?userid=63370
  View this thread: http://forums.novell.com/showthread.php?t=414964

• Using tls:sasl/DIGEST-MD5 with client authentication

  Hi
  Have installed a certificate on the server and enabled it. Using Netscape i got the cert7.db and key3.db
  These work with ldapsearch with -Z -p options to get data securely through port 636.
  But when i copy db file to /var/ldap on the Solaris 8 client, and use a profile with tls:sasl/DIGEST-MD5 or tls:simple
  i get :
  Mesg: Session error , no avalible connection. And openConnection: sasl/DIGEST-MD5 (or simple) bind failed - Invalid credentials.
  Must i use Certificate based Authentication instead?
  Like the proxyagent must have a certificate installed. Or is there something that must be done to the cert7.db and key3.db files i got from Netscape?

  Im trying to get sasl/DIGEST-MD5 to work with Solaris 9 client. This command work:
  ldapsearch -D "" -w test1234 -o mech=DIGEST-MD5 -o authid="dn:cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -o authzid="dn:cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -b "dc=net2,dc=kongsberg,dc=com" "(objectclass=*)"
  Client configured with this:
  ldapclient -v init -a profileName=default -a domainName=net2.kongsberg.com -a proxyDN="cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -a proxyPassword=test1234 172.18.2.19
  Profile:
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com
  NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
  NS_LDAP_SERVERS= 172.18.2.19
  NS_LDAP_SEARCH_BASEDN= dc=net2,dc=kongsberg,dc=com
  NS_LDAP_AUTH= sasl/DIGEST-MD5
  NS_LDAP_SEARCH_REF= FALSE
  NS_LDAP_SEARCH_SCOPE= one
  NS_LDAP_SEARCH_TIME= 30
  NS_LDAP_PROFILE= default
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_BIND_TIME= 10
  messages log on client:
  Jan 14 08:00:32 panzer ldap_cachemgr[904]: [ID 293258 daemon.error] libsldap: Status: 49 Mesg: openConnection: sasl/DIGEST-MD5 bind failed - Invalid credentials
  Jan 14 08:00:32 panzer last message repeated 1 time
  Jan 14 08:00:32 panzer ldap_cachemgr[904]: [ID 293258 daemon.error] libsldap: Status: 7 Mesg: Session error no available conn.
  error log on server:
  [14/Jan/2004:08:06:47 +0100] conn=1622 op=2 msgId=-1 - closing - U1
  [14/Jan/2004:08:06:47 +0100] conn=1623 op=-1 msgId=-1 - fd=47 slot=47 LDAP connection from 172.18.2.41 to 172.18.2.19
  [14/Jan/2004:08:06:47 +0100] conn=1622 op=-1 msgId=-1 - closed.
  [14/Jan/2004:08:06:47 +0100] conn=1623 op=0 msgId=1 - BIND dn="dn: cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" method=sasl version=3 mech=DIGEST-MD5
  [14/Jan/2004:08:06:47 +0100] conn=1623 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
  [14/Jan/2004:08:06:47 +0100] conn=1623 op=1 msgId=2 - BIND dn="dn: cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" method=sasl version=3 mech=DIGEST-MD5
  [14/Jan/2004:08:06:47 +0100] conn=1623 op=1 msgId=2 - RESULT err=49 tag=97 nentries=0 etime=0
  Not sure why i get Invalid credentials, the passwords
  are stored in CLEAR. And you can see i use the same in ldapsearch and ldapclient.

• SASL DIGEST-MD5

  Did anybody have any problem with using DIGEST-MD5 with iPlanet running on a 2000 Advanced Server?
  I have no problem when iPlanet is running on 2000 Professional but always get the error 49 with message: "Internal authentication error." when trying to authenticate the user through SASL DIGEST-MD5. Simple authentication with the same credentials work fine.
  Looking at the LDAP packets I can see no differences, that makes me think that this is somehow related to the OS or iPlanet configuration.
  In both cases it was the same version iPlanet Server 5.1SP2 with default settings.
  BTW: It fails the same way with NT4SP6 Server.

  Michael,
  Sun ONE Directory Server 5.2 is not supported on Windows 2000 Professional. It is only supported on server versions of Windows 2000 (Server and Advanced Server).
  You should not have any problems running Directory Server on Windows 2000 Professional, though, but you should always keep in mind that the product has not been tested and is not supported on this platform.
  Bertold

• Switching from tls:simple to tls:sasl/DIGEST-MD5

  How can I do this, and can someone post an example of how? Can DS 5.2 support more than one Authentication Method at a time?
  TIA,
  Chris

  I'm not sure. That's why I asked. :) And I only ask because one of the settings made via
  idsconfig is which "Authentication Methods" the DS will support. The choices being:
  * none
  * simple
  * sasl/DIGEST-MD5
  * tls:simple
  * tls:sasl/DIGEST-MD5
  When I set this DS up, I chose only tls:simple. A SunSolve document I read indicated that you
  could have chosen more than one at that time, but I didn't. What I need to know is how to add support
  for additional Authenticaion Methods after the fact. I assume there is a directory object somewhere and
  its a matter of modifying or adding an attribute, but I wanted to make sure there were no gotchas
  or caveats I should be aware of beforehand.

• SASL - Digest MD5 - JNDI Help needed

  Hi All,
  I am using Sunone Directory Server 5.2 and jsdk1.4.1. I tried the Digest-MD5 SASL authentication example given in JNDI tutorial and it worked fine. The problem is , when i try to run the same program thrice or more in succession, it hangs. Actually, the initial context gets created but the operations like simple getAttrs etc does not happen. what could be the problem or rather what is the solution to overcome it.
  Attached below is the sample source code used...
  try {
  Hashtable env = new Hashtable(11);
  env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.PROVIDER_URL, "ldap://localhost:389/");
  env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
  env.put(Context.SECURITY_PRINCIPAL, "dn:uid=xxx,ou=xxx,dc=xxx,dc=xxx");
  env.put(Context.SECURITY_CREDENTIALS, "xxxxx");
  System.out.println("about to get context");
  DirContext ctx = new InitialDirContext(env);
  System.out.println("got context");
  Attributes attrs = ctx.getAttributes("ldap://localhost:389", new String[]{"supportedSASLMechanisms"});
  System.out.println(attrs);
  } catch (NamingException e) {
    e.printStackTrace();
  }thanks in advance
  sridhar

  As i have metioned , this was the message from the other forum
  I have posted the mail correspondences we had (hope they won't consider this as an offence)...
  There was a bug in the provider. It has been fixed in 1.4.2 and later
  releases.
  Rosanna Lee
  Java Software, Sun Microsystems, Inc
  [email protected]
  Date: Mon, 13 Oct 2003 04:46:49 +0100 (BST)
  From: anala sridhar <[email protected]>
  Subject: JNDI problem
  To: [email protected]
  Hi,
  First, I would like to thank everyone behind the
  excellent JNDI tutorial. It acted as the bible for my
  JNDI learning.
  I tried the sample code ServerSasl.java provided. I
  got it working after a few trials. I tried to get the
  supportedSasl Mechanisms by the Sunone Directory
  Server 5.2 . I got them. Then i tried to authenticate
  using the default Digest-MD5 (am using jsdk 1.4.1).
  When, i try to run the same program in succession, it
  hangs up (4 or 5 times in a row). I am getting the
  initial context with the credentials provided but it
  hangs at doing the simple getAttrs operation. What
  could be the problem?
  Please reply to this query
  thanks in advance
  sridhar

• Using SASL to bind to OID

  I have read that OID supports SASL but don't see any evidence of it in the product...
  Has anyone successfully used LDAP SASL to bind to OID? How can you tell which SASL mechanisms are supported by OID? I queried the RootDSE and didn't see the attribute SupportedSASLMechanisms anywhere - how do you connect using SASL?
  Any help would be greatly appreciated!
  Thanks,
  Leigh

  Hi,
  Currently, OID only support SASL External mechanism over SSL.
  In the next release, OID will support SASL/Digest-MD5 as additional SASL
  mechanism.
  Thanks,
  -Quan

• Server Switching from STARTTLS to AUTH DIGEST-MD5

  We have been trying to track down the reason why our transaction against our Tumbleweed SMTP servers appear to be switching in midstream from STARTTLS to AUTH DIGEST-MD5 which causes us to get an authentication error. With Wire-shark, we have been capturing the transactions between the servers and CF appears it appears to be the culprit. I am hoping someone can shed some light on what is wrong or direct me on how I can further troubleshoot this issue.
  ---Enviroment --------------------------------------------------------------------------
  Windows Server 2003 Standard
  IIS6
  CF 9 Standard
  ---CFMail Tag -------------------------------------------------------------------------
  <cfmail to="#varTo#" from="#varFrom#" replyto="#varReplayTo#" subject="#varSubject#" useTLS="yes">Msg Body</cfmail>
  ---CF Admin Settings --------------------------------------------------------------
  Server: smtp.xxx123.com
  Port: 25
  User: defined
  Pwd: defined
  TLS: Enabled
  ---Mail Log -------------(two different emails: both bad)--------------
  "Error","scheduler-0","05/20/10","10:57:24",,"failed to connect"
  "Error","scheduler-0","05/20/10","10:57:25",,"Could not connect to SMTP host: smtp.xxx123.com, port: 25"
  ----Exception Log ----------------------------------------------------------------
  "Error","scheduler-2","05/19/10","14:03:22",,"failed to connect"
  javax.mail.AuthenticationFailedException: failed to connect
  at javax.mail.Service.connect(Service.java:322)
  at coldfusion.mail.MailSpooler.getConnection(MailSpooler.java:1199)
  at coldfusion.mail.MailSpooler.deliver(MailSpooler.java:984)
  at coldfusion.mail.MailSpooler.sendMail(MailSpooler.java:905)
  at coldfusion.mail.MailSpooler.deliverStandard(MailSpooler.java:1275)
  at coldfusion.mail.MailSpooler.run(MailSpooler.java:1240)
  at coldfusion.scheduling.ThreadPool.run(ThreadPool.java:201)
  at coldfusion.scheduling.WorkerThread.run(WorkerThread.java:71)
  ----Wire Shark Transaction(s) --------------------------------------------------
  ---Good------------(Red is our CF server replying)------
  220 RNR ESMTP
  EHLO CFxxx-123250-smtp.xxx123.com Hello CFxxx-123. xxx123.edu [19.19.19.19], pleased to meet you
  250-ENHANCEDSTATUSCODES
  250-PIPELINING
  250-8BITMIME
  250-SIZE
  250-DSN
  250-AUTH DIGEST-MD5
  250-STARTTLS
  250-DELIVERBY
  250 HELP
  STARTTLS
  220 2.0.0 Ready to start TLS
  ---End Good---------------------------------------------------------------------------
  ---Bad--------- ---(Red is our CF server replying)---------------------------
  220 RNR ESMTP
  EHLO CFxxx-123
  250-smtp.xxx123.com Hello CFxxx-123. xxx123.edu [19.19.19.19], pleased to meet you
  250-ENHANCEDSTATUSCODES
  250-PIPELINING
  250-8BITMIME
  250-SIZE
  250-DSN
  250-ETRN
  250-AUTH DIGEST-MD5
  250-STARTTLS
  250-DELIVERBY
  250 HELP
  AUTH DIGEST-MD5
  334

  I'm not sure. That's why I asked. :) And I only ask because one of the settings made via
  idsconfig is which "Authentication Methods" the DS will support. The choices being:
  * none
  * simple
  * sasl/DIGEST-MD5
  * tls:simple
  * tls:sasl/DIGEST-MD5
  When I set this DS up, I chose only tls:simple. A SunSolve document I read indicated that you
  could have chosen more than one at that time, but I didn't. What I need to know is how to add support
  for additional Authenticaion Methods after the fact. I assume there is a directory object somewhere and
  its a matter of modifying or adding an attribute, but I wanted to make sure there were no gotchas
  or caveats I should be aware of beforehand.

• Are there any known issues concerning using DIGEST-MD5 SASL authentication with iPlanet Directory Server 5.0 on Windows NT 4.0?

  I am developing support for the DIGEST-MD5 sasl mechnism on a c-ldap client. I am using the evaluation version of the iPlanet Directory Server 5.0 which lists DIGEST-MD5 as a supported SASL mechanism. The server is running on NT 4.0 After installing the Directory Server with the test database, a changed the passwordStorageScheme from the default of SSHA to clear text. I then added my test user. When I run my test I always get back a resultCode of 49 (invalidCredentials). The digest-challenge I receive from the server and my digest-response are shown below. I have satisfied myself that the calculation of the response directive in the digest response is correct. Does anyone see any problems in the digest response or have any other suggestions? Is there a known problem with the iPlanet Directory Server 5.0?
  digest-challenge:
  realm="BGB2.ndp.provo.novell.com",nonce="Ed8UPLXsWaC6CN",qop="auth",algorithm=md5-sess,charset=utf-8
  digest-response:
  username="uid=bgbrown,ou=people,dc=siroe,dc=com",realm="BGB2.ndp.provo.novell.com",cnonce="A9IuPJKr30RiwL",nc=00000001,qop=auth,digest-uri="ldap/BGB2.ndp.provo.novell.com",response=97061205298e5ebaf206c8ac3598fdce,charset=utf-8,nonce="Ed8UPLXsWaC6CN"

  Found the answer. When the username is an LDAP DN it needs to be proceeded by "dn:".
  example: username="dn:uid=bgbrown,ou=people,dc=siroe,dc=com"
  The server also accepts a simple uid value.
  example: username="bgbrown"

• What property is used to disable SASL's DIGEST-MD5 domain name check.

  I've read somewhere that I can prevent SASL's DIGEST-MD5 (maybe other mechanisms?) from checking that the hostname specified by the client exactly matches the hostname on the server. Apparently this option is useful in networks where DNS is not set up full and/or correctly.
  Thanks,
  Rowland

  Not an expert. Maybe you can read or debug into the exact place when the names are compared. Anyway, Java is open sourced now.

• AuthenticationNotSupportedException :SASL support not available DIGEST-MD5 while using JNDI, SASL

  I am using JNDI to use the SASL mechanism to authenticate to the Iplanet Directory server 5.0, and get the above error.
  I have enabled clear text passwords, and then created a test user.Here is the code snippet
       envEnterprise.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
            envEnterprise.put(Context.SECURITY_PRINCIPAL,"test");
            envEnterprise.put(Context.SECURITY_CREDENTIALS,"changed");
  Can you please help me with where it is that I need to make the appropriate changes to get this working
  Thanks,
  sriad

  Sriad,
  I think that the SECURITY_PRINCIPAL field requires a DN and not just a user name. If you created the user using the directory server console, then you can get the DN if you open double-click on the user entry and click on the Advanced... button. The user's DN will probably start with uid=test,dc=...
  I hope this helps.
  Bertold

• SASL's DIGEST-MD5 is causing the smtp authentication failure

  Hello,
  I've asked this question in JavaMail forums [at this link|http://kenai.com/projects/javamail/forums/forum/topics/2944-DIGEST-MD5-sasl-authentication-failing-after-verifying-rspauth] and was forwarded here.
  Basically, I'm trying to authenticate to the email server using JavaMail(latest source) via sasl's Digest-MD5.
  Problem: Looks like sasl's DigestMD5 implementation (com.sun.security.sasl.digest.DigestMD5Client) is returning a null after a successful authentication in evaluateChallenge(). The SMTPTransport thinks this is wrong and sends a "*" to server and the server responds with "Authentication aborted".
  The java doc for SaslClient's evaluateChallenge() says this..
  Returns: The possibly null reponse to send to the server. It is null if the challenge accompanied a "SUCCESS" status and the challenge only contains data for the client to update its state and no response needs to be sent to the server. The response is a zero-length byte array if the client is to send a response with no data.
  In this case, client do need to send a response with no data. I don't know if Digest-md5 implementation is generic and if it's behavior is correct.
  I appreciate any suggestions to solve this problem.
  Thanks

  Not an expert. Maybe you can read or debug into the exact place when the names are compared. Anyway, Java is open sourced now.

• Can J2ME use Digest-MD5 Authentication?

  We are writing a Java application with J2ME for cellphones which will use Microsoft MapPoint.net services that requires Digest-MD5 Authentication. Can J2ME use Digest-MD5 Authentication?

  Well, you can either implement it yourself or take a look at :
  http://java.sun.com/products/jce/
  You will probably not want the whole package, but I think you can have access to the sources, so... :-)
  Anthony

• AD authentication using DIGEST-MD5: users have to reset password?

  We are using DIGEST-MD5 to authenticate users against Active Directory. Our application ask users for user name and password and pass them to the attached java code. The strange thing is that it works for about 98% of users and it won't work for 2% of users. For those 2% of users, they can login into our domain but the same password won't work for our application.
  We have found the workaround will be to ask those users to change their Windows password and after that they will be able to login.
  My question is why= changing a user's password will make a difference for those 2% users? I am really puzzled.
  Thanks!
  try {
  Hashtable authEnv = new Hashtable();
  //set security credentials, note using DIGEST-MD5
  //Requires user account to be stored with reversible encryption
  authEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
  authEnv.put(Context.PROVIDER_URL, ldapURL);
  authEnv.put(Context.REFERRAL,"follow"); // required
  authEnv.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
  authEnv.put(Context.SECURITY_PRINCIPAL, creds.getUsername());
  authEnv.put(Context.SECURITY_CREDENTIALS, creds.getPassword());
  DirContext ctx1 = new InitialLdapContext(authEnv,null);
  } catch (Exception ex) {
  logger.info("Error authenticating user " + creds.getUsername(), ex);
  throw new AuthenticationException("Authentication Failed for user " + creds.getUsername());
  }

  Make sure which version of AD you are using: AD 2000 or AD 2003. For AD 2000, reversible encryption is required and it's not secure. That's why lots administrators do not like it. But for AD 2003, there is no need for password to be stored in reversible way. But there is limitation as to the client application. What works for AD 2000 may not work for AD 2003. For details, you can check the link below:
  http://www.forumeasy.com/forums/thread.jsp?tid=115170863235&fid=ldapprof5&highlight=Why+DIGEST-MD5+Authentication+Does+Work
  which summarized all working and not-working cases of Digest-Md5 authentication for SunOne, AD 2000 and AD 2003. It's quite informative.

• AuthenticationException  in  DIGEST-MD5 in LDAP

  hi,
  when iam trying to use DIGEST-MD5 as Context.SECURITY_AUTHENTICATION it showingup the following Exception
  here is my code
  import javax.naming.*;
  import javax.naming.ldap.*;
  import javax.naming.directory.*;
  import java.util.Hashtable;
  import java.net.*;
  public class LdapAuth
  public static void main(String[] args)
  // Set up environment for creating initial context
  Hashtable authEnv = new Hashtable(11);
  String userName = "sm0013391";
  String passWord = "East321";
  String base = "ou=people,dc=company,dc=com";
  String dn = "sAMAccountName=" + userName + "," + base;
  authEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
  authEnv.put(Context.PROVIDER_URL, "ldap://company.com");
  authEnv.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5 ");
  authEnv.put(Context.SECURITY_PRINCIPAL, dn);
  authEnv.put(Context.SECURITY_CREDENTIALS, passWord);
  try {
  DirContext authContext = new InitialDirContext(authEnv);
  System.out.println("Authentication Success!");
  } catch (AuthenticationException authEx)
  System.out.println("Authentication failed!");
  authEx.printStackTrace();
  catch (NamingException namEx) {
  System.out.println("Something went wrong!");
  namEx.printStackTrace();
  }when i am run this program it shows..
  javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece ]
  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2988)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2735)
  at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2649)
  at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
  at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
  at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
  at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
  at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
  at javax.naming.InitialContext.init(InitialContext.java:219)
  at javax.naming.InitialContext.<init>(InitialContext.java:195)
  at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)
  at LdapAuth.main(LdapAuth.java:35)
  plz any one have idea on this..iam using j2sdk1.4.1
  is there any need to include any jar files to j2sdk1.4.1??? to run this
  need help onthis

  Why don't you at least look up RFC 2251 and understand what LDAP Error 49 really means ?
  If you look at the post titled JNDI, Active Directory & Authentication (part 3) (Digest-MD5) available at http://forum.java.sun.com/thread.jspa?threadID=581868&tstart=150
  you will clearly see that submitting the distinguished name as the user's credential is not supported by Active Directory for Digest-MD5 authentication.