Posted to users@qpid.apache.org by Sree82 <sy...@hotmail.com> on 2013/05/29 13:41:10 UTC

SASL Error

Hi

I am using Qpid C++ broker version 0-10.
I'm trying to connect to a broker in another machine.


I get the following error:

warning Closing connection due to internal-error: Sasl error: SASL(-1):
generic failure: GSSAPI Error: An invalid name was supplied (Cannot
determine realm for numeric host address) (qpid/SaslFactory.cpp:279)

I could see this as an authentication mechanism issue .. I am not sure
though.

The auth mechanism is not mentioned in the qpidd.conf file on the system to
which I am trying to connect.

What is the default authentication mechanism that qpidd uses? And should I
mention the authentication mechanism in my code as well?

Thanks
Sree.



--
View this message in context: http://qpid.2158936.n2.nabble.com/SASL-Error-tp7593596.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Re: SASL Error

Posted by Pavel Moravec <pm...@redhat.com>.
Hi Jagan,
see inline responses.

Kind regards,
Pavel


----- Original Message -----
> From: "Sree82" <sy...@hotmail.com>
> To: users@qpid.apache.org
> Sent: Wednesday, May 29, 2013 2:04:11 PM
> Subject: Re: SASL Error
> 
> Gordon,
> 
> I'm using qpid client and qpid messaging apis to open a connection.
> 
> i)Is it sufficient to use auth mechanism as "PLAIN" (say) through the api or
> should the mechanism be present in the qpidd.conf file for sure ?
Assuming you mean the /etc/sasl2/qpidd.conf file (i.e. the SASL config file, not /etc/qpidd.conf, the broker conf file), then yes.

> 
> ii)If more than one authentication mechanism is present in qpidd.conf file
> then should I mention the auth type through the api I am trying to connect ?
It depends. Without specifying it, the client chooses the most secure from the list. If that is suitable for your purposes, you don't need to specify the mechanism in the API. But if e.g. the mech_list contains PLAIN and also DIGEST-MD5, and you would like to use the less secure PLAIN in some client, you have to specify it.

> 
> What is the default authentication mechanism qpidd uses if no mechanism is
> present in the qpidd.conf file ?
By default, ANONYMOUS, PLAIN, LOGIN, CRAM-MD5, DIGEST-MD5 and GSSAPI mechanisms (listed from least secure to most) are available and offered to a client. (Technically, there is also the EXTERNAL mechanism for SSL, but I suppose that isn't relevant to you.)

Note that the list can be shorter if you don't have the relevant cyrus-sasl libraries installed.

> 
> 
> Thanks
> Jagan.


Re: SASL Error

Posted by Sree82 <sy...@hotmail.com>.
Gordon,

I'm using qpid client and qpid messaging apis to open a connection.

i)Is it sufficient to use auth mechanism as "PLAIN" (say) through the api or
should the mechanism be present in the qpidd.conf file for sure ?

ii)If more than one authentication mechanism is present in qpidd.conf file
then should I mention the auth type through the api I am trying to connect ?

What is the default authentication mechanism qpidd uses if no mechanism is
present in the qpidd.conf file ?


Thanks
Jagan.





Re: SASL Error

Posted by Gordon Sim <gs...@redhat.com>.
On 05/29/2013 12:41 PM, Sree82 wrote:
> Hi
>
> I am using Qpid C++ broker version 0-10.
> I'm trying to connect to a broker in another machine.
>
>
> I get the following error:
>
> warning Closing connection due to internal-error: Sasl error: SASL(-1):
> generic failure: GSSAPI Error: An invalid name was supplied (Cannot
> determine realm for numeric host address) (qpid/SaslFactory.cpp:279)
>
> I could see this as an authentication mechanism issue .. I am not sure
> though.
>
> The auth mechanism is not mentioned in the qpidd.conf file on the system to
> which I am trying to connect.
>
> What is the default authentication mechanism that qpidd uses? And should I
> mention the authentication mechanism in my code as well?

On Linux, the C++ client & broker use the Cyrus SASL libraries to 
implement SASL. The error above comes from GSSAPI being chosen as the 
most secure mutually supported option, but not having it actually 
correctly configured for use.

Assuming you don't want to use that mechanism, you can restrict the set 
of valid mechanisms. This can be done either on the client, or through 
the broker side configuration. The /etc/sasl2/qpidd.conf file can 
contain a mech_list option, specifying the allowed mechanisms. E.g.

   mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN

When you say you are trying to connect to a broker on another machine, 
is that through a particular client API (if so which one?) or by setting 
up an inter-broker connection?
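
The selection behaviour described in the two replies above, as an added example that is not part of the original thread or of Qpid's code. It is a simplified model: using the least-to-most-secure order from the reply as the ranking is an assumption (Cyrus SASL ranks by mechanism properties), and the sample configs and the function names are constructed for illustration.

```python
# Mechanisms in the order given in the thread, least to most secure.
# EXTERNAL (SSL only) is left out of this model.
STRENGTH = ["ANONYMOUS", "PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5", "GSSAPI"]
# No authentication (ANONYMOUS) or password sent in clear text (PLAIN, LOGIN).
WEAK = {"ANONYMOUS", "PLAIN", "LOGIN"}

# Constructed sample contents for /etc/sasl2/qpidd.conf.
NO_MECH_LIST = "pwcheck_method: auxprop\n"
RESTRICTED = ("pwcheck_method: auxprop\n"
              "mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN\n")


def parse_mech_list(conf_text):
    """Return the mech_list entries of a SASL config, or None if unset."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comment lines are ignored
        key, sep, value = line.partition(":")
        if sep and key.strip() == "mech_list":
            return [m.upper() for m in value.split()]
    return None


def offered(conf_text, installed=STRENGTH):
    """Broker offer: mech_list if present, else every installed mechanism."""
    listed = parse_mech_list(conf_text)
    return [m for m in installed if listed is None or m in listed]


def negotiate(broker_offer, client_allowed=None):
    """Strongest mechanism both sides accept; None if there is no overlap."""
    common = [m for m in broker_offer
              if client_allowed is None or m in client_allowed]
    return max(common, key=STRENGTH.index, default=None)


def audit(conf_text, client_allowed=None):
    """Summarise what a broker config offers and what a client would pick."""
    offer = offered(conf_text)
    return {"offered": offer,
            "selected": negotiate(offer, client_allowed),
            "weak_offered": [m for m in offer if m in WEAK]}


if __name__ == "__main__":
    print(audit(NO_MECH_LIST))          # no mech_list: GSSAPI is selected
    print(audit(RESTRICTED))            # broker-side restriction
    print(audit(RESTRICTED, ["PLAIN"])) # client-side restriction
```
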

