SASL Authentication...again...

Last time I posted this question:
While using iDS 5.1 and a test user "uid=jdoe,ou=xxx,o=xxx" we've been getting the same results over and over again: Authentication failed. Passwords are being set to CLEARTEXT, the user is being created using the default user template so it contains the userpassword attribute, and in the Java code we've been using MD5 Digest authentication 'cause that's the method it supports. This is what is being done in the code:
1. Client connects to the server using ldapHost and ldapPort.
2. Hashtable "env" is being constructed.
3. Environment properties INITIAL_CONTEXT_FACTORY, PROVIDER_URL, SECURITY_PRINCIPAL and SECURITY_CREDENTIALS of the context are being specified.
4. If ldapconnection.isauthenticated() is TRUE, print "success", else print "failed".
All environment properties are of course set via env.put(context.property_name, "value");
Is this it? What else should it do? All values match the ones being set in DS. Still authentication fails.
We still have this problem, but the thing that has come up is that supportedSASLMechanisms gives "no attributes" if asked with the database name, but gives the correct values when asked with just the IP address of the server. To make a long story short, this works:
Attributes attrs = ctx.getAttributes("ldap://<ip-address>", new String[]{"supportedSASLMechanisms"});
System.out.println(attrs);
This doesn't work:
Attributes attrs = ctx.getAttributes("ldap://<ip-address>/o=<organization>", new String[]{"supportedSASLMechanisms"});
System.out.println(attrs);
Is there an access control in NetscapeRoot that differs from our database controls that makes this happen?

I think I have gotten a little bit closer to getting SASL authentication to work, but now my program throws this kind of exception:
javax.naming.AuthenticationException: SASL authentication failed. Root exception is java.lang.NoSuchMethodError
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:116)
at java.lang.reflect.Method.invoke(Native Method)
at com.sun.jndi.ldap.LdapClient.saslBind(LdapClient.java:369)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:185)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2386)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:239)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:74)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:660)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:241)
at javax.naming.InitialContext.init(InitialContext.java:217)
at javax.naming.InitialContext.<init>(InitialContext.java:193)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:78)
My code (I'm using jdk1.3.1):
import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;

class DigestTesti {
    public static void main(String[] args) {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://000.000.000.000:000");
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, "dn:uid=JDoe,ou=...,o=...,dc=..., dc=...");
        env.put(Context.SECURITY_CREDENTIALS, "...");
        env.put("java.naming.security.sasl.realm", "...");
        try {
            // The SASL bind happens while the initial context is created.
            DirContext ctx = new InitialDirContext(env);
            System.out.println(ctx);
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
What could be wrong with my code?
Regards,
Janne

Similar Messages

  • Cannot use SASL Authentication Through GSSAPI on DS 6.3

    I tried to kerberize DS 6.3. I followed the step-by-step instructions from "Sun Java System Directory Server Enterprise Edition 6.3" and it doesn't work.
    When I try to configure the Directory Server to enable GSSAPI I get an error:
    modifying entry cn=SASL,cn=security,cn=config
    ldap_modify: DSA is unwilling to perform
    ldap_modify: additional info: Modification not allowed on attribute dsSaslPluginsPath
    After all that, when I try to authenticate to the Directory Server I get the response:
    ldap_sasl_interactive_bind_s: Authentication method not supported
    ldap_sasl_interactive_bind_s: additional info: sasl mechanism not supported
    Log file:
    [22/Sep/2008:10:28:11 +0200] conn=2 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 10.3.233.4:33054 to 10.3.233.4
    [22/Sep/2008:10:28:11 +0200] conn=2 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=GSSAPI
    [22/Sep/2008:10:28:11 +0200] conn=2 op=0 msgId=1 - RESULT err=7 tag=97 nentries=0 etime=0, sasl mechanism not supported
    [22/Sep/2008:10:28:11 +0200] conn=2 op=1 msgId=2 - UNBIND
    [22/Sep/2008:10:28:11 +0200] conn=2 op=1 msgId=-1 - closing from 10.3.233.4:33054 - U1 - Connection closed by unbind client -
    [22/Sep/2008:10:28:12 +0200] conn=2 op=-1 msgId=-1 - closed.
    System specification:
    Solaris 10 x86 64-bit
    DS 6.3 B2008.0311.0212 NAT

    See http://forums.sun.com/thread.jspa?forumID=761&threadID=5202246 for a description of the problem and a workaround.
    If you have a Sun support contract, you can request an escalation of CR 6637404.
    Also, note that it looks like part of the documentation went missing. In DS 5.2 the docs included an additional step:
    Chapter 11 Implementing Security
    Configuring Client Authentication
    SASL Authentication Through GSSAPI (Solaris Only)
    http://docs.sun.com/source/816-6698-10/ssl.html#18500
    ldapmodify -D 'cn=directory manager'
    dn: cn=SASL,cn=security,cn=config
    changetype: modify
    add: dsSaslPluginsEnable
    dsSaslPluginsEnable: GSSAPI
    replace: dsSaslPluginsPath
    dsSaslPluginsPath: /usr/lib/mps/sasl2/libsasl.so
    modifying entry cn=SASL,cn=security,cn=config
    ldap_modify: DSA is unwilling to perform
    ldap_modify: additional info: Adding attributes is not allowed

  • Jdk1.3 vs jdk1.4 and SASL authentication

    I'm trying to get SASL authentication to work with jdk1.3 and iPlanet Directory Server. Every time I get the same exception:
    SASL authentication failed. Root exception is java.lang.NoSuchMethodError
    When I try with jdk1.4 everything works fine. Now I'm just wondering whether there are other things that I should take care of when I try to get authentication to work with jdk1.3. I know that all the extension packages are integrated into jdk1.4 and I have set the same packages on the CLASSPATH when I'm trying to do the same with jdk1.3, but the same exception as above occurs.
    Does anyone know what the problem is?
    Thanks,
    Janne

    Hi,
    JSSE 1.0.3 (strictly this version only) is needed along with jdk1.3 for SASL or SSL authentication to work fine.
    Hope this helps,
    Regards,
    Sathya


  • Mail SASL authentication problem - solved

    My outgoing mail stopped working. I had been relaying mail through my ISP's SMTP server and at some point I started getting SASL authentication errors ("no worthy mechs found").
    I searched and found a thread that contained a fix: http://discussions.apple.com/thread.jspa?threadID=2207959
    The fix was rather mysterious (to me at least) in that it involved adding one line to my /etc/postfix/main.cf file. The line was: "smtp_sasl_security_options =".
    I was going to post a reply to the thread, but the thread is "archived".
    Why do threads get archived? Too old?
    Well, anyway, I don't like having to open a separate thread for this, but I hope this helps someone solve the same problem I was having.
    Also, if anyone has any kind of real explanation for why this fix works and/or whether it is likely to survive future software changes made by Apple (or has a better way to fix it that will), I would love to hear about it.
    Thanks.

    Try installing ldap1.2.4 and putting ldap.jar and providerutil.jar in your bootclasspath.

  • IOS 8 Safari not working with sites using Windows Authentication (again)

    A testbed of iPhones and iPads were updated to iOS 8 today. When trying to access intranet sites in our company that use Windows (IIS) Authentication, it challenges for the login and password 2 or 3 times, then nothing - just hangs.  These sites work fine on iOS 7 devices - and worked on the same devices that were upgraded.
    Windows Authentication was broken in iOS 7.0 also and not fixed until a later update. Why does this keep getting broken?

    This was a thread that discussed this when it was broken in iOS 7.0...
    https://discussions.apple.com/thread/5327078?start=0&tstart=0
    I just tested with Chrome on the iPhone upgraded to iOS 8 and it works fine. It is Safari that is broken again.
    Of course, Apple won't give us a way to make Chrome the default browser when links are clicked in emails, so it's not exactly a solution.

  • SASL-authentication

    While using iDS 5.1 and a test user "uid=jdoe,ou=xxx,o=xxx" we've been getting the same results over and over again: Authentication failed. Passwords are being set to CLEARTEXT, the user is being created using the default user template so it contains the userpassword attribute, and in the Java code we've been using MD5 Digest authentication 'cause that's the method it supports. This is what is being done in the code:
    1. Client connects to the server using ldapHost and ldapPort.
    2. Hashtable "env" is being constructed.
    3. Environment properties INITIAL_CONTEXT_FACTORY, PROVIDER_URL, SECURITY_PRINCIPAL and SECURITY_CREDENTIALS of the context are being specified.
    4. If ldapconnection.isauthenticated() is TRUE, print "success", else print "failed".
    All environment properties are of course set via env.put(context.property_name, "value");
    Is this it? What else should it do? All values match the ones being set in DS. Still authentication fails.

    Some update: I got it working with SSL disabled.

  • Authenticating agains AD with Kerberos, by a user with an explicit UPN

    Hello
    My situation:
    I have a 2008 functional level domain with a technical name, let's say tec.domain.com
    I have configured an alternate UPN for this domain: domain.com (that is only a DNS domain name, not an existing AD domain)
    My users have a SamAccountName like j.doe and a UPN like [email protected] (which is their email address, on our Exchange organization)
    Now, from a Linux server (running Apache and Kerberos), I can do a kinit with [email protected], but not with [email protected]
    When I capture traffic, the DC answers "error-code: eRR-WRONG-REALM (68)", saying it is not able to handle the DOMAIN.COM realm.
    According to this article ( http://msdn.microsoft.com/en-us/library/Cc212351.aspx ), my DC should be able to handle it, as far as I understand it.
    Am I missing something?
    Thanks in advance.

    Hi,
    Thanks for your post.
    It seems like you could not enable Kerberos authentication for users logging on using their alternative UPNs.
    Please refer to the similar thread:
    Authenticating to Active Directory using an alternate UPN
    http://social.technet.microsoft.com/Forums/en-US/f93e23d7-e910-4ae7-96ba-3a8038766f9f/authenticating-to-active-directory-using-an-alternate-upn?forum=winserverDS
    Regards.
    Vivian Wang

  • Are there any known issues concerning using DIGEST-MD5 SASL authentication with iPlanet Directory Server 5.0 on Windows NT 4.0?

    I am developing support for the DIGEST-MD5 SASL mechanism in a C LDAP client. I am using the evaluation version of the iPlanet Directory Server 5.0, which lists DIGEST-MD5 as a supported SASL mechanism. The server is running on NT 4.0. After installing the Directory Server with the test database, I changed the passwordStorageScheme from the default of SSHA to clear text. I then added my test user. When I run my test I always get back a resultCode of 49 (invalidCredentials). The digest-challenge I receive from the server and my digest-response are shown below. I have satisfied myself that the calculation of the response directive in the digest-response is correct. Does anyone see any problems in the digest-response or have any other suggestions? Is there a known problem with the iPlanet Directory Server 5.0?
    digest-challenge:
    realm="BGB2.ndp.provo.novell.com",nonce="Ed8UPLXsWaC6CN",qop="auth",algorithm=md5-sess,charset=utf-8
    digest-response:
    username="uid=bgbrown,ou=people,dc=siroe,dc=com",realm="BGB2.ndp.provo.novell.com",cnonce="A9IuPJKr30RiwL",nc=00000001,qop=auth,digest-uri="ldap/BGB2.ndp.provo.novell.com",response=97061205298e5ebaf206c8ac3598fdce,charset=utf-8,nonce="Ed8UPLXsWaC6CN"

    Found the answer. When the username is an LDAP DN it needs to be preceded by "dn:".
    Example: username="dn:uid=bgbrown,ou=people,dc=siroe,dc=com"
    The server also accepts a simple uid value.
    Example: username="bgbrown"
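    The DIGEST-MD5 exchange debugged in this thread (and the DIGEST-MD5 bind Janne's JNDI code at the top of the page asks the Java SASL client to perform), as an added Python example that is not part of either post: it parses the digest-challenge quoted above, builds the client's digest-response for the "dn:"-prefixed username following the md5-sess rules of RFC 2831, and verifies it server-side against a stored cleartext password, which is why both threads had to switch the password storage scheme to cleartext. The password, the one-user directory and the reused cnonce are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample input: the digest-challenge quoted in the post above, the
# "dn:"-prefixed username from the follow-up, and a password chosen here (the
# real test user's password is not on the page).
SAMPLE_CHALLENGE = ('realm="BGB2.ndp.provo.novell.com",nonce="Ed8UPLXsWaC6CN",'
                    'qop="auth",algorithm=md5-sess,charset=utf-8')
SAMPLE_USERNAME = "dn:uid=bgbrown,ou=people,dc=siroe,dc=com"
SAMPLE_URI = "ldap/BGB2.ndp.provo.novell.com"
SAMPLE_CNONCE = "A9IuPJKr30RiwL"
SAMPLE_PASSWORD = "constructed-secret"

_DIRECTIVE = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^,]*))')

def parse_directives(text):
    """Split a DIGEST-MD5 directive list into a dict, stripping quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _DIRECTIVE.finditer(text)}

def _md5hex(data):
    return hashlib.md5(data).hexdigest()

def _ha1(username, realm, password, nonce, cnonce):
    # RFC 2831, algorithm=md5-sess: the inner hash is fed in as raw 16 bytes,
    # not as hex. Getting this wrong is the classic "my response is right but
    # the server says invalidCredentials" mistake.
    inner = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    return _md5hex(inner + f":{nonce}:{cnonce}".encode("utf-8"))

def _kd(ha1, nonce, nc, cnonce, qop, ha2):
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8"))

def build_response(username, password, challenge, digest_uri, cnonce, nc="00000001"):
    """Client side: produce the digest-response directive string for qop=auth."""
    ch = parse_directives(challenge)
    ha1 = _ha1(username, ch["realm"], password, ch["nonce"], cnonce)
    ha2 = _md5hex(f"AUTHENTICATE:{digest_uri}".encode("utf-8"))
    resp = _kd(ha1, ch["nonce"], nc, cnonce, "auth", ha2)
    return (f'username="{username}",realm="{ch["realm"]}",nonce="{ch["nonce"]}",'
            f'cnonce="{cnonce}",nc={nc},qop=auth,digest-uri="{digest_uri}",'
            f'response={resp},charset=utf-8')

def verify_response(response_text, challenge, password_lookup):
    """Server side: recompute the response from the stored cleartext password.
    Returns the rspauth value on success, None on failure (resultCode 49)."""
    ch = parse_directives(challenge)
    r = parse_directives(response_text)
    if any(k not in r for k in ("username", "realm", "cnonce", "nc", "digest-uri", "response")):
        return None                      # malformed digest-response
    if r["nonce"] != ch["nonce"] or r.get("qop", "auth") != "auth":
        return None                      # replayed or foreign nonce, or unsupported qop
    password = password_lookup(r["username"])
    if password is None:
        return None                      # unknown user; DIGEST-MD5 needs the cleartext password
    ha1 = _ha1(r["username"], r["realm"], password, ch["nonce"], r["cnonce"])
    ha2 = _md5hex(f"AUTHENTICATE:{r['digest-uri']}".encode("utf-8"))
    expected = _kd(ha1, ch["nonce"], r["nc"], r["cnonce"], "auth", ha2)
    if not hmac.compare_digest(expected, r["response"]):
        return None
    # rspauth lets the client authenticate the server: same KD, A2 without "AUTHENTICATE"
    ha2_srv = _md5hex(f":{r['digest-uri']}".encode("utf-8"))
    return _kd(ha1, ch["nonce"], r["nc"], r["cnonce"], "auth", ha2_srv)

def demo(username=SAMPLE_USERNAME, password=SAMPLE_PASSWORD):
    """Round trip against a one-user directory: rspauth on success, None on failure."""
    directory = {SAMPLE_USERNAME: SAMPLE_PASSWORD}   # constructed, keyed by the dn: form
    resp = build_response(username, password, SAMPLE_CHALLENGE, SAMPLE_URI, SAMPLE_CNONCE)
    return verify_response(resp, SAMPLE_CHALLENGE, directory.get)
```

Because the directory is keyed by the "dn:" form, binding with the bare DN fails exactly as the original poster saw, and a wrong password fails without leaking which check tripped.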

  • Database Admin Authentication Agains Central LDAP or AD

    Hi
    I'm wondering if it is possible to use a central LDAP or AD to authenticate DBAs of an Oracle DB 10 or 11, standalone?
    I have looked over the net but everything points to Oracle IAM or SSO Suites. I'm looking for a configuration or standalone solution which needs nothing more than the existing Oracle DB, if possible.
    Any clue, reference or tutorial would be appreciated.
    Cheers

    Those are all doc questions aren't they? And Google (I just checked) isn't down.
    So, found by Google, just by entering 'os authentication oracle 10g'
    http://www.oracle-base.com/articles/misc/OsAuthentication.php
    And no, Oracle doesn't know PAM, and using OS authentication remotely will pose security risks.
    Sybrand Bakker
    Senior Oracle DBA

  • SASL authentication with SMTP

    I want to authenticate using GSS-API for SMTP.
    Can anyone please guide me?
    Is there any doc or sample code available?

    Wow, this is an obscure solution, but it works. According to this thread, the problem is that:
    Although Comcast advertises "AUTH LOGIN PLAIN", the Postfix SASL library won't do plain text auth by default. It needs to be told it's okay with:
    smtp_sasl_security_options = noanonymous
    Solution:
    $ su -
    $ cd /etc/postfix
    $ cp main.cf main.cf.no_smtp_sasl_security_options
    $ echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
    $ serveradmin stop mail
    $ serveradmin start mail
    I'm not sure how often /etc/postfix/main.cf is overwritten, but presumably this happens every time you change and save Mail settings in Server Admin, so you must redo these steps every time you change the Mail server if you want to use smtp.comcast.net as your mail relay.
    AAPL, would you please add a toggle to handle this in Server Admin?

  • SMTP Authentication (SASL on Postfix)

    I am migrating my personal mail server from Tiger Server to Snow Leopard Server.
    I have had Postfix on the Tiger Server working for years. I am having trouble configuring Snow Leopard to do the same. My set up for SMTP is to relay email from my respective Postfix server to my ISP, mail.speakeasy.net, and then authenticate with my speakeasy name/password. As I use SSL, I come in on port 995.
    From Postfix's perspective, this involves configuring SASL.
    Here are the relevant SASL configuration lines from postfix.conf:
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
    smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org reject_rbl_client bl.spamcop.net permit
    smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
    smtpd_sasl_auth_enable = yes
    When I attempt to relay through mail.speakeasy.net, here are the log file entries in my Snow Leopard SMTP Log files:
    Oct 22 17:26:38 tin postfix/smtp[98906]: warning: SASL authentication failure: No worthy mechs found
    Oct 22 17:26:38 tin postfix/smtp[98906]: D6EC5500F2: to=<[email protected]>, relay=mail.speakeasy.net[69.12.123.12]:25, delay=0.29, delays=0/0/0.28/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server mail.speakeasy.net[69.12.123.12]: no mechanism available)
    Any advice would be appreciated.
    Thanks,

    Combining prarie-guy's and kevin mck's posts, here's what worked on my Snow Leopard 10.6.2 box:
    error was:
    Jan 6 17:05:10 cavell postfix/smtp[36921]: warning: SASL authentication failure: No worthy mechs found
    Jan 6 17:05:10 cavell postfix/smtp[36921]: 08A7856920: to=<[email protected]>, relay=mail.telushosting.com[216.251.32.97]:25, delay=1.2, delays=0/0.01/1.2/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server mail.telushosting.com[216.251.32.97]: no mechanism available)
    to fix:
    stop mail using server admin or cmd line
    in terminal window, sudo -s -H
    cd /etc/postfix
    cp -p main.cf main.cf.orig
    vi main.cf
    check that the following lines are set up as follows:
    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options =
    smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
    smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
    smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
    smtpd_sasl_auth_enable = yes
    restart mail.

  • Authentication with SASL

    Hello,
    I recently installed Postfix, which uses SASL authentication. I have found javadocs for javax.security.sasl but am unsure how to implement these; does anyone have any experience of doing this?
    Can I leave the rest of my SMTP code and just alter the authentication bit, or will more need to change?
    Any pointers appreciated


  • SASL's DIGEST-MD5 is causing the smtp authentication failure

    Hello,
    I've asked this question in JavaMail forums [at this link|http://kenai.com/projects/javamail/forums/forum/topics/2944-DIGEST-MD5-sasl-authentication-failing-after-verifying-rspauth] and was forwarded here.
    Basically, I'm trying to authenticate to the email server using JavaMail(latest source) via sasl's Digest-MD5.
    Problem: Looks like sasl's DigestMD5 implementation (com.sun.security.sasl.digest.DigestMD5Client) is returning a null after a successful authentication in evaluateChallenge(). The SMTPTransport thinks this is wrong and sends a "*" to server and the server responds with "Authentication aborted".
    The java doc for SaslClient's evaluateChallenge() says this..
    Returns: The possibly null response to send to the server. It is null if the challenge accompanied a "SUCCESS" status and the challenge only contains data for the client to update its state and no response needs to be sent to the server. The response is a zero-length byte array if the client is to send a response with no data.
    In this case, the client does need to send a response with no data. I don't know if the Digest-MD5 implementation is generic and if its behavior is correct.
    I appreciate any suggestions to solve this problem.
    Thanks

    Not an expert. Maybe you can read or debug into the exact place when the names are compared. Anyway, Java is open sourced now.

  • Reuse the LDAP connection when Using SASL DIGEST-MD5

    I have a problem using the same LDAP connection for multiple SASL authentications.
    step1, LDAPConection conn=new LDAPCo...
    conn.connect()..
    step2, do a SASL DIGEST-MD5; I successfully get a challenge from the server and the server confirmation after the response is correct.
    step3, I want to use the same connection for another authentication of a different user; somehow the server does not give back the challenge and rejects the authentication request again.
    So my question is: how can we reuse the same connection for SASL authentication?
    Is there any switch or reset on the LDAP connection, or does the LDAP server have to be configured in some way to take multiple authentications over the same connection?

    More than fifty people have read this post, but there are no replies as
    of yet. I'm going to interpret that as "SASL DIGEST-MD5 is not
    supported by the Novell CSharp library."
    danielnapierski;1995522 Wrote:
    > I haven't been able to bind to an LDAP server using SASL DIGEST-MD5
    > using the Novell CSharp library. Can anyone explain how this is done,
    > or point me to a code example?
    >
    > I can connect, bind, and search this LDAP server using Apache Directory
    > Studio, so I know that my credentials are correct.
    >
    > Also, I have already used the Novell CSharp library for searching other
    > LDAP servers using simple authentication, and SSL, but never SASL
    > DIGEST-MD5.
    >
    > Thanks in advance for any help.
    danielnapierski
