Iplanet ds 5.1sp4 + digest-md5 - slapd crash

Sol9 bundled iplanet directory server with sp4 on Sparc.
Everything is doing fine, until: when trying to connect into the directory with ms outlook 'secure password authentication' on, serverprocess crashes immediately. No coredumps, nothing left.
Debugging shows, that outlook tries to bind with DIGEST-MD5, server tries it,
responds with "auth failed", and crashes with internal authentication error..
-> Almost everyone can DOS our servers, just knowing its address and clicking 'search'.
Has anyone any suggestions?

Ok, that might be it.
So there is no patch nor documentation across it?
Makes me wonder how many admins run their servers unaware of that bug..
Thanks!

Similar Messages

Are there any known issues concerning using DIGEST-MD5 SASL authentication with iPlanet Directory Server 5.0 on Windows NT 4.0?

I am developing support for the DIGEST-MD5 sasl mechnism on a c-ldap client. I am using the evaluation version of the iPlanet Directory Server 5.0 which lists DIGEST-MD5 as a supported SASL mechanism. The server is running on NT 4.0 After installing the Directory Server with the test database, a changed the passwordStorageScheme from the default of SSHA to clear text. I then added my test user. When I run my test I always get back a resultCode of 49 (invalidCredentials). The digest-challenge I receive from the server and my digest-response are shown below. I have satisfied myself that the calculation of the response directive in the digest response is correct. Does anyone see any problems in the digest response or have any other suggestions? Is there a known problem with the iPlanet Directory Server 5.0?
digest-challenge:
realm="BGB2.ndp.provo.novell.com",nonce="Ed8UPLXsWaC6CN",qop="auth",algorithm=md5-sess,charset=utf-8
digest-response:
username="uid=bgbrown,ou=people,dc=siroe,dc=com",realm="BGB2.ndp.provo.novell.com",cnonce="A9IuPJKr30RiwL",nc=00000001,qop=auth,digest-uri="ldap/BGB2.ndp.provo.novell.com",response=97061205298e5ebaf206c8ac3598fdce,charset=utf-8,nonce="Ed8UPLXsWaC6CN"

Found the answer. When the username is an LDAP DN it needs to be proceeded by "dn:".
example: username="dn:uid=bgbrown,ou=people,dc=siroe,dc=com"
The server also accepts a simple uid value.
example: username="bgbrown"

AuthenticationNotSupportedException :SASL support not available DIGEST-MD5 while using JNDI, SASL

I am using JNDI to use the SASL mechanism to authenticate to the Iplanet Directory server 5.0, and get the above error.
I have enabled clear text passwords, and then created a test user.Here is the code snippet
     envEnterprise.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
          envEnterprise.put(Context.SECURITY_PRINCIPAL,"test");
          envEnterprise.put(Context.SECURITY_CREDENTIALS,"changed");
Can you please help me with where it is that I need to make the appropriate changes to get this working
Thanks,
sriad

Sriad,
I think that the SECURITY_PRINCIPAL field requires a DN and not just a user name. If you created the user using the directory server console, then you can get the DN if you open double-click on the user entry and click on the Advanced... button. The user's DN will probably start with uid=test,dc=...
I hope this helps.
Bertold

SASL DIGEST-MD5

Did anybody have any problem with using DIGEST-MD5 with iPlanet running on a 2000 Advanced Server?
I have no problem when iPlanet is running on 2000 Professional but always get the error 49 with message: "Internal authentication error." when trying to authenticate the user through SASL DIGEST-MD5. Simple authentication with the same credentials work fine.
Looking at the LDAP packets I can see no differences, that makes me think that this is somehow related to the OS or iPlanet configuration.
In both cases it was the same version iPlanet Server 5.1SP2 with default settings.
BTW: It fails the same way with NT4SP6 Server.

Michael,
Sun ONE Directory Server 5.2 is not supported on Windows 2000 Professional. It is only supported on server versions of Windows 2000 (Server and Advanced Server).
You should not have any problems running Directory Server on Windows 2000 Professional, though, but you should always keep in mind that the product has not been tested and is not supported on this platform.
Bertold

Message Digest MD5 Problem

My application downloads a zip file from given URL and also gets message digest (MD5) for the file.
Then, it creates another message digest and compares them.
I have tried files from tomcat.apache.org
The results are below:
apache-tomcat-6.0.20-deployer.zip (downloaded)
1b3287c53a12e935a8c965b15af39f07 --> code from the website
1b3287c53a12e935a8c965b15af39f7 --> code by the application
apache-tomcat-6.0.20.zip (downloaded)
714b973e98d47ec2df6d5e1486019f22 --> code from the website
714b973e98d47ec2df6d5e148619f22 --> code by the application
I could not understand why 0's are missing in my code. Should I try another files except from Apache?

try{
             MessageDigest algo = MessageDigest.getInstance("MD5");
             algo.reset();
             algo.update(data);
             byte messageDigest[] = algo.digest();
             StringBuffer hexString = new StringBuffer();
             for (int i=0;i<messageDigest.length;i++) {
                  hexString.append(Integer.toHexString(0xFF & messageDigest));
     System.out.println(hexString.toString());
catch(NoSuchAlgorithmException e) {
     e.printStackTrace();
}I have got the content of the file in a byte array --> data.

What property is used to disable SASL's DIGEST-MD5 domain name check.

I've read somewhere that I can prevent SASL's DIGEST-MD5 (maybe other mechanisms?) from checking that the hostname specified by the client exactly matches the hostname on the server. Apparently this option is useful in networks where DNS is not set up full and/or correctly.
Thanks,
Rowland

Not an expert. Maybe you can read or debug into the exact place when the names are compared. Anyway, Java is open sourced now.

Server Switching from STARTTLS to AUTH DIGEST-MD5

We have been trying to track down the reason why our transaction against our Tumbleweed SMTP servers appear to be switching in midstream from STARTTLS to AUTH DIGEST-MD5 which causes us to get an authentication error. With Wire-shark, we have been capturing the transactions between the servers and CF appears it appears to be the culprit. I am hoping someone can shed some light on what is wrong or direct me on how I can further troubleshoot this issue.
---Enviroment --------------------------------------------------------------------------
Windows Server 2003 Standard
IIS6
CF 9 Standard
---CFMail Tag -------------------------------------------------------------------------
<cfmail to="#varTo#" from="#varFrom#" replyto="#varReplayTo#" subject="#varSubject#" useTLS="yes">Msg Body</cfmail>
---CF Admin Settings --------------------------------------------------------------
Server: smtp.xxx123.com
Port: 25
User: defined
Pwd: defined
TLS: Enabled
---Mail Log -------------(two different emails: both bad)--------------
"Error","scheduler-0","05/20/10","10:57:24",,"failed to connect"
"Error","scheduler-0","05/20/10","10:57:25",,"Could not connect to SMTP host: smtp.xxx123.com, port: 25"
----Exception Log ----------------------------------------------------------------
"Error","scheduler-2","05/19/10","14:03:22",,"failed to connect"
javax.mail.AuthenticationFailedException: failed to connect
at javax.mail.Service.connect(Service.java:322)
at coldfusion.mail.MailSpooler.getConnection(MailSpooler.java:1199)
at coldfusion.mail.MailSpooler.deliver(MailSpooler.java:984)
at coldfusion.mail.MailSpooler.sendMail(MailSpooler.java:905)
at coldfusion.mail.MailSpooler.deliverStandard(MailSpooler.java:1275)
at coldfusion.mail.MailSpooler.run(MailSpooler.java:1240)
at coldfusion.scheduling.ThreadPool.run(ThreadPool.java:201)
at coldfusion.scheduling.WorkerThread.run(WorkerThread.java:71)
----Wire Shark Transaction(s) --------------------------------------------------
---Good------------(Red is our CF server replying)------
220 RNR ESMTP
EHLO CFxxx-123250-smtp.xxx123.com Hello CFxxx-123. xxx123.edu [19.19.19.19], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
STARTTLS
220 2.0.0 Ready to start TLS
---End Good---------------------------------------------------------------------------
---Bad--------- ---(Red is our CF server replying)---------------------------
220 RNR ESMTP
EHLO CFxxx-123
250-smtp.xxx123.com Hello CFxxx-123. xxx123.edu [19.19.19.19], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
AUTH DIGEST-MD5
334

I'm not sure. That's why I asked. :) And I only ask because one of the settings made via
idsconfig is which "Authentication Methods" the DS will support. The choices being:
* none
* simple
* sasl/DIGEST-MD5
* tls:simple
* tls:sasl/DIGEST-MD5
When I set this DS up, I chose only tls:simple. A SunSolve document I read indicated that you
could have chosen more than one at that time, but I didn't. What I need to know is how to add support
for additional Authenticaion Methods after the fact. I assume there is a directory object somewhere and
its a matter of modifying or adding an attribute, but I wanted to make sure there were no gotchas
or caveats I should be aware of beforehand.

Using tls:sasl/DIGEST-MD5 with client authentication

Hi
Have installed a certificate on the server and enabled it. Using Netscape i got the cert7.db and key3.db
These work with ldapsearch with -Z -p options to get data securely through port 636.
But when i copy db file to /var/ldap on the Solaris 8 client, and use a profile with tls:sasl/DIGEST-MD5 or tls:simple
i get :
Mesg: Session error , no avalible connection. And openConnection: sasl/DIGEST-MD5 (or simple) bind failed - Invalid credentials.
Must i use Certificate based Authentication instead?
Like the proxyagent must have a certificate installed. Or is there something that must be done to the cert7.db and key3.db files i got from Netscape?

Im trying to get sasl/DIGEST-MD5 to work with Solaris 9 client. This command work:
ldapsearch -D "" -w test1234 -o mech=DIGEST-MD5 -o authid="dn:cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -o authzid="dn:cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -b "dc=net2,dc=kongsberg,dc=com" "(objectclass=*)"
Client configured with this:
ldapclient -v init -a profileName=default -a domainName=net2.kongsberg.com -a proxyDN="cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -a proxyPassword=test1234 172.18.2.19
Profile:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com
NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
NS_LDAP_SERVERS= 172.18.2.19
NS_LDAP_SEARCH_BASEDN= dc=net2,dc=kongsberg,dc=com
NS_LDAP_AUTH= sasl/DIGEST-MD5
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10
messages log on client:
Jan 14 08:00:32 panzer ldap_cachemgr[904]: [ID 293258 daemon.error] libsldap: Status: 49 Mesg: openConnection: sasl/DIGEST-MD5 bind failed - Invalid credentials
Jan 14 08:00:32 panzer last message repeated 1 time
Jan 14 08:00:32 panzer ldap_cachemgr[904]: [ID 293258 daemon.error] libsldap: Status: 7 Mesg: Session error no available conn.
error log on server:
[14/Jan/2004:08:06:47 +0100] conn=1622 op=2 msgId=-1 - closing - U1
[14/Jan/2004:08:06:47 +0100] conn=1623 op=-1 msgId=-1 - fd=47 slot=47 LDAP connection from 172.18.2.41 to 172.18.2.19
[14/Jan/2004:08:06:47 +0100] conn=1622 op=-1 msgId=-1 - closed.
[14/Jan/2004:08:06:47 +0100] conn=1623 op=0 msgId=1 - BIND dn="dn: cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" method=sasl version=3 mech=DIGEST-MD5
[14/Jan/2004:08:06:47 +0100] conn=1623 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[14/Jan/2004:08:06:47 +0100] conn=1623 op=1 msgId=2 - BIND dn="dn: cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" method=sasl version=3 mech=DIGEST-MD5
[14/Jan/2004:08:06:47 +0100] conn=1623 op=1 msgId=2 - RESULT err=49 tag=97 nentries=0 etime=0
Not sure why i get Invalid credentials, the passwords
are stored in CLEAR. And you can see i use the same in ldapsearch and ldapclient.

HOWTO Bind using SASL DIGEST-MD5?

I haven't been able to bind to an LDAP server using SASL DIGEST-MD5
using the Novell CSharp library. Can anyone explain how this is done,
or point me to a code example?
I can connect, bind, and search this LDAP server using Apache Directory
Studio, so I know that my credentials are correct.
Also, I have already used the Novell CSharp library for searching other
LDAP servers using simple authentication, and SSL, but never SASL
DIGEST-MD5.
Thanks in advance for any help.
danielnapierski
danielnapierski's Profile: http://forums.novell.com/member.php?userid=63370
View this thread: http://forums.novell.com/showthread.php?t=414964

More than fifty people have read this post, but there are no replies as
of yet. I'm going to interpret that as "SASL DIGEST-MD5 is not
supported by the Novell CSharp library."
danielnapierski;1995522 Wrote:
> I haven't been able to bind to an LDAP server using SASL DIGEST-MD5
> using the Novell CSharp library. Can anyone explain how this is done,
> or point me to a code example?
>
> I can connect, bind, and search this LDAP server using Apache Directory
> Studio, so I know that my credentials are correct.
>
> Also, I have already used the Novell CSharp library for searching other
> LDAP servers using simple authentication, and SSL, but never SASL
> DIGEST-MD5.
>
> Thanks in advance for any help.
danielnapierski
danielnapierski's Profile: http://forums.novell.com/member.php?userid=63370
View this thread: http://forums.novell.com/showthread.php?t=414964

SASL's DIGEST-MD5 is causing the smtp authentication failure

Hello,
I've asked this question in JavaMail forums [at this link|http://kenai.com/projects/javamail/forums/forum/topics/2944-DIGEST-MD5-sasl-authentication-failing-after-verifying-rspauth] and was forwarded here.
Basically, I'm trying to authenticate to the email server using JavaMail(latest source) via sasl's Digest-MD5.
Problem: Looks like sasl's DigestMD5 implementation (com.sun.security.sasl.digest.DigestMD5Client) is returning a null after a successful authentication in evaluateChallenge(). The SMTPTransport thinks this is wrong and sends a "*" to server and the server responds with "Authentication aborted".
The java doc for SaslClient's evaluateChallenge() says this..
Returns: The possibly null reponse to send to the server. It is null if the challenge accompanied a "SUCCESS" status and the challenge only contains data for the client to update its state and no response needs to be sent to the server. The response is a zero-length byte array if the client is to send a response with no data.
In this case, client do need to send a response with no data. I don't know if Digest-md5 implementation is generic and if it's behavior is correct.
I appreciate any suggestions to solve this problem.
Thanks

Not an expert. Maybe you can read or debug into the exact place when the names are compared. Anyway, Java is open sourced now.

AuthenticationException in DIGEST-MD5 in LDAP

hi,
when iam trying to use DIGEST-MD5 as Context.SECURITY_AUTHENTICATION it showingup the following Exception
here is my code
import javax.naming.*;
import javax.naming.ldap.*;
import javax.naming.directory.*;
import java.util.Hashtable;
import java.net.*;
public class LdapAuth
public static void main(String[] args)
// Set up environment for creating initial context
Hashtable authEnv = new Hashtable(11);
String userName = "sm0013391";
String passWord = "East321";
String base = "ou=people,dc=company,dc=com";
String dn = "sAMAccountName=" + userName + "," + base;
authEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
authEnv.put(Context.PROVIDER_URL, "ldap://company.com");
authEnv.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5 ");
authEnv.put(Context.SECURITY_PRINCIPAL, dn);
authEnv.put(Context.SECURITY_CREDENTIALS, passWord);
try {
DirContext authContext = new InitialDirContext(authEnv);
System.out.println("Authentication Success!");
} catch (AuthenticationException authEx)
System.out.println("Authentication failed!");
authEx.printStackTrace();
catch (NamingException namEx) {
System.out.println("Something went wrong!");
namEx.printStackTrace();
}when i am run this program it shows..
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece ]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2988)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2735)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2649)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
at javax.naming.InitialContext.init(InitialContext.java:219)
at javax.naming.InitialContext.<init>(InitialContext.java:195)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)
at LdapAuth.main(LdapAuth.java:35)
plz any one have idea on this..iam using j2sdk1.4.1
is there any need to include any jar files to j2sdk1.4.1??? to run this
need help onthis

Why don't you at least look up RFC 2251 and understand what LDAP Error 49 really means ?
If you look at the post titled JNDI, Active Directory & Authentication (part 3) (Digest-MD5) available at http://forum.java.sun.com/thread.jspa?threadID=581868&tstart=150
you will clearly see that submitting the distinguished name as the user's credential is not supported by Active Directory for Digest-MD5 authentication.

Reuse the LDAP connection when Using SASL DIGEST-MD5

I have problem to use the same ldap connection for multiple SASL authenticaiton.
step1, LDAPConection conn=new LDAPCo...
conn.conect()..
step2, do a SASL DIGEST-MD5, successfully get a challenge from server and server confirmation after the response is correct.
step3, I want to use the same connection for another authetincation of different user, some how the server did not give back the challenge and reject the authenticaiton request again.
So my question is how can we reuse the same connection for SASL authentication?
Any switch or reset on the LDAP connection or the LDAP server has to be configured in some way to take multiple authentication using the same connection?

More than fifty people have read this post, but there are no replies as
of yet. I'm going to interpret that as "SASL DIGEST-MD5 is not
supported by the Novell CSharp library."
danielnapierski;1995522 Wrote:
> I haven't been able to bind to an LDAP server using SASL DIGEST-MD5
> using the Novell CSharp library. Can anyone explain how this is done,
> or point me to a code example?
>
> I can connect, bind, and search this LDAP server using Apache Directory
> Studio, so I know that my credentials are correct.
>
> Also, I have already used the Novell CSharp library for searching other
> LDAP servers using simple authentication, and SSL, but never SASL
> DIGEST-MD5.
>
> Thanks in advance for any help.
danielnapierski
danielnapierski's Profile: http://forums.novell.com/member.php?userid=63370
View this thread: http://forums.novell.com/showthread.php?t=414964

SASL - Digest MD5 - JNDI Help needed

Hi All,
I am using Sunone Directory Server 5.2 and jsdk1.4.1. I tried the Digest-MD5 SASL authentication example given in JNDI tutorial and it worked fine. The problem is , when i try to run the same program thrice or more in succession, it hangs. Actually, the initial context gets created but the operations like simple getAttrs etc does not happen. what could be the problem or rather what is the solution to overcome it.
Attached below is the sample source code used...
try {
Hashtable env = new Hashtable(11);
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:389/");
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "dn:uid=xxx,ou=xxx,dc=xxx,dc=xxx");
env.put(Context.SECURITY_CREDENTIALS, "xxxxx");
System.out.println("about to get context");
DirContext ctx = new InitialDirContext(env);
System.out.println("got context");
Attributes attrs = ctx.getAttributes("ldap://localhost:389", new String[]{"supportedSASLMechanisms"});
System.out.println(attrs);
} catch (NamingException e) {
e.printStackTrace();
}thanks in advance
sridhar

As i have metioned , this was the message from the other forum
I have posted the mail correspondences we had (hope they won't consider this as an offence)...
There was a bug in the provider. It has been fixed in 1.4.2 and later
releases.
Rosanna Lee
Java Software, Sun Microsystems, Inc
[email protected]
Date: Mon, 13 Oct 2003 04:46:49 +0100 (BST)
From: anala sridhar <[email protected]>
Subject: JNDI problem
To: [email protected]
Hi,
First, I would like to thank everyone behind the
excellent JNDI tutorial. It acted as the bible for my
JNDI learning.
I tried the sample code ServerSasl.java provided. I
got it working after a few trials. I tried to get the
supportedSasl Mechanisms by the Sunone Directory
Server 5.2 . I got them. Then i tried to authenticate
using the default Digest-MD5 (am using jsdk 1.4.1).
When, i try to run the same program in succession, it
hangs up (4 or 5 times in a row). I am getting the
initial context with the credentials provided but it
hangs at doing the simple getAttrs operation. What
could be the problem?
Please reply to this query
thanks in advance
sridhar

Switching from tls:simple to tls:sasl/DIGEST-MD5

How can I do this, and can someone post an example of how? Can DS 5.2 support more than one Authentication Method at a time?
TIA,
Chris

I'm not sure. That's why I asked. :) And I only ask because one of the settings made via
idsconfig is which "Authentication Methods" the DS will support. The choices being:
* none
* simple
* sasl/DIGEST-MD5
* tls:simple
* tls:sasl/DIGEST-MD5
When I set this DS up, I chose only tls:simple. A SunSolve document I read indicated that you
could have chosen more than one at that time, but I didn't. What I need to know is how to add support
for additional Authenticaion Methods after the fact. I assume there is a directory object somewhere and
its a matter of modifying or adding an attribute, but I wanted to make sure there were no gotchas
or caveats I should be aware of beforehand.

Can J2ME use Digest-MD5 Authentication?

We are writing a Java application with J2ME for cellphones which will use Microsoft MapPoint.net services that requires Digest-MD5 Authentication. Can J2ME use Digest-MD5 Authentication?

Well, you can either implement it yourself or take a look at :
http://java.sun.com/products/jce/
You will probably not want the whole package, but I think you can have access to the sources, so... :-)
Anthony

Iplanet ds 5.1sp4 + digest-md5 - slapd crash

Similar Messages

Maybe you are looking for