Posted to users@directory.apache.org by Ike Ikonne <ii...@us.ibm.com> on 2014/08/06 21:16:32 UTC
SASL DIGEST-MD5 Authentication
Hi all,
I would appreciate it if someone could direct me on how to set up
APACHE DS to support SASL DIGEST-MD5. How can I set up
the realm for the example.com default domain?
Thanks,
Ike
Re: SASL DIGEST-MD5 Authentication
Posted by Kiran Ayyagari <ka...@apache.org>.
On Sat, Aug 16, 2014 at 2:30 AM, Ike Ikonne <ii...@us.ibm.com> wrote:
> Hi Kiran,
>
> Thanks, the example that you sent made a huge difference; I have now
> managed to get DIGEST-MD5 to work. One of the problems is that I needed
> to restart APACHE DS for all the configurations to take effect, that is
> my observation.
>
> Again, thank you for the wonderful example, it made a difference; now,
> would CRAM-MD5 follow the same pattern?
>
yes
> Thanks,
>
> Ike
>
>
>
> From: Kiran Ayyagari <ka...@apache.org>
> To: "users@directory.apache.org" <us...@directory.apache.org>,
> Date: 08/15/2014 02:11 PM
> Subject: Re: SASL DIGEST-MD5 Authentication
>
>
>
> I have successfully tested DIGEST-MD5(SASL) using Studio
>
> Here is my server configuration http://pastebin.com/b0tsyVGK
> I have added the below entry in my /etc/hosts file
> 127.0.0.1 example.com
>
> I have added a user entry with DN uid=kirana,ou=system
>
> The Studio connection network tab looks like this
> http://i.imgur.com/qfg2Aii.png
> and the Authentication tab like this http://i.imgur.com/eUFu3Gq.png
>
> HTH
>
>
> On Thu, Aug 14, 2014 at 6:10 AM, Ike Ikonne <ii...@us.ibm.com> wrote:
>
> > Hi all,
> >
> > Does anyone have any more suggestions on how I can get DIGEST-MD5 SASL
> > to work for me? I haven't had any luck yet and I have tried all the
> > suggestions
> > from the group and I do thank you all for that, I still have a need to
> > get that authentication mechanism to work in my environment.
> >
> > Thanks,
> >
> > Ike
> >
> >
> >
> >
> > From: Kiran Ayyagari <ka...@apache.org>
> > To: "users@directory.apache.org" <us...@directory.apache.org>,
> > Date: 08/07/2014 12:08 AM
> > Subject: Re: SASL DIGEST-MD5 Authentication
> >
> >
> >
> > On Thu, Aug 7, 2014 at 4:10 AM, Ike Ikonne <ii...@us.ibm.com> wrote:
> >
> > > Hi,
> > >
> > > I use JNDI API on JRE 1.7 to establish connection to APACHE DS.
> > > I am able to establish SIMPLE authentication to APACHE DS, I am
> > > just trying to get DIGEST-MD5 to work. Here is my environment:
> > >
> > > Hashtable env = new Hashtable();
> > > env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
> > >
> > > if (authMethod != null)
> > > env.put(Context.SECURITY_AUTHENTICATION, authMethod);
> > > if (principal != null)
> > > env.put(Context.SECURITY_PRINCIPAL, principal);
> > > if (credentials != null)
> > > env.put(Context.SECURITY_CREDENTIALS, credentials);
> > > if (referral != null)
> > > env.put(Context.REFERRAL, referral);
> > > if (ldapVer != null)
> > > env.put("java.naming.ldap.version", ldapVer);
> > > env.put("java.naming.security.sasl.realm", "example.com");
> > >
> > > Tell me, do I need to configure the example.com realm or is it
> > > configured as a default by APACHE DS?
> > >
> > you must be able to resolve your realm name (here example.com), either
> > add an entry in your hosts file or in your internal DNS server
> >
> > >
> > > Thanks,
> > >
> > > Ike
> > >
> > >
> > >
> > >
> > > From: Emmanuel Lécharny <el...@gmail.com>
> > > To: users@directory.apache.org,
> > > Date: 08/06/2014 04:28 PM
> > > Subject: Re: SASL DIGEST-MD5 Authentication
> > >
> > >
> > >
> > > On 06/08/14 22:40, Ike Ikonne wrote:
> > > > Hi all,
> > > >
> > > > Again, thanks all for your response; so, do I need to make any
> > > > external configuration other than the configuration to the APACHE DS?
> > > > How do I change the default realm to point to my domain realm?
> > > > Do I need to install/setup cyrus-sasl library to make this to work?
> > >
> > > No. We depend on the JVM, which supports SASL.
> > >
> > > What client are you using?
> > >
> > >
> > >
> >
> >
> > --
> > Kiran Ayyagari
> > http://keydap.com
> >
> >
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
>
--
Kiran Ayyagari
http://keydap.com
Re: SASL DIGEST-MD5 Authentication
Posted by Ike Ikonne <ii...@us.ibm.com>.
Hi Kiran,
Thanks, the example that you sent made a huge difference; I have now
managed to get DIGEST-MD5 to work. One of the problems is that I needed
to restart APACHE DS for all the configurations to take effect, that is
my observation.
Again, thank you for the wonderful example, it made a difference; now,
would CRAM-MD5 follow the same pattern?
Thanks,
Ike
From: Kiran Ayyagari <ka...@apache.org>
To: "users@directory.apache.org" <us...@directory.apache.org>,
Date: 08/15/2014 02:11 PM
Subject: Re: SASL DIGEST-MD5 Authentication
I have successfully tested DIGEST-MD5(SASL) using Studio
Here is my server configuration http://pastebin.com/b0tsyVGK
I have added the below entry in my /etc/hosts file
127.0.0.1 example.com
I have added a user entry with DN uid=kirana,ou=system
The Studio connection network tab looks like this
http://i.imgur.com/qfg2Aii.png
and the Authentication tab like this http://i.imgur.com/eUFu3Gq.png
HTH
On Thu, Aug 14, 2014 at 6:10 AM, Ike Ikonne <ii...@us.ibm.com> wrote:
> Hi all,
>
> Does anyone have any more suggestions on how I can get DIGEST-MD5 SASL
> to work for me? I haven't had any luck yet and I have tried all the
> suggestions
> from the group and I do thank you all for that, I still have a need to
> get that authentication mechanism to work in my environment.
>
> Thanks,
>
> Ike
>
>
>
>
> From: Kiran Ayyagari <ka...@apache.org>
> To: "users@directory.apache.org" <us...@directory.apache.org>,
> Date: 08/07/2014 12:08 AM
> Subject: Re: SASL DIGEST-MD5 Authentication
>
>
>
> On Thu, Aug 7, 2014 at 4:10 AM, Ike Ikonne <ii...@us.ibm.com> wrote:
>
> > Hi,
> >
> > I use JNDI API on JRE 1.7 to establish connection to APACHE DS.
> > I am able to establish SIMPLE authentication to APACHE DS, I am
> > just trying to get DIGEST-MD5 to work. Here is my environment:
> >
> > Hashtable env = new Hashtable();
> > env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
> >
> > if (authMethod != null)
> > env.put(Context.SECURITY_AUTHENTICATION, authMethod);
> > if (principal != null)
> > env.put(Context.SECURITY_PRINCIPAL, principal);
> > if (credentials != null)
> > env.put(Context.SECURITY_CREDENTIALS, credentials);
> > if (referral != null)
> > env.put(Context.REFERRAL, referral);
> > if (ldapVer != null)
> > env.put("java.naming.ldap.version", ldapVer);
> > env.put("java.naming.security.sasl.realm", "example.com");
> >
> > Tell me, do I need to configure the example.com realm or is it
> > configured as a default by APACHE DS?
> >
> you must be able to resolve your realm name (here example.com), either
> add an entry in your hosts file or in your internal DNS server
>
> >
> > Thanks,
> >
> > Ike
> >
> >
> >
> >
> > From: Emmanuel Lécharny <el...@gmail.com>
> > To: users@directory.apache.org,
> > Date: 08/06/2014 04:28 PM
> > Subject: Re: SASL DIGEST-MD5 Authentication
> >
> >
> >
> > On 06/08/14 22:40, Ike Ikonne wrote:
> > > Hi all,
> > >
> > > Again, thanks all for your response; so, do I need to make any
> > > external configuration other than the configuration to the APACHE DS?
> > > How do I change the default realm to point to my domain realm?
> > > Do I need to install/setup cyrus-sasl library to make this to work?
> >
> > No. We depend on the JVM, which supports SASL.
> >
> > What client are you using?
> >
> >
> >
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
>
--
Kiran Ayyagari
http://keydap.com
Re: SASL DIGEST-MD5 Authentication
Posted by Kiran Ayyagari <ka...@apache.org>.
I have successfully tested DIGEST-MD5(SASL) using Studio
Here is my server configuration http://pastebin.com/b0tsyVGK
I have added the below entry in my /etc/hosts file
127.0.0.1 example.com
I have added a user entry with DN uid=kirana,ou=system
The Studio connection network tab looks like this
http://i.imgur.com/qfg2Aii.png
and the Authentication tab like this http://i.imgur.com/eUFu3Gq.png
HTH
On Thu, Aug 14, 2014 at 6:10 AM, Ike Ikonne <ii...@us.ibm.com> wrote:
> Hi all,
>
> Does anyone have any more suggestions on how I can get DIGEST-MD5 SASL
> to work for me? I haven't had any luck yet and I have tried all the
> suggestions
> from the group and I do thank you all for that, I still have a need to
> get that authentication mechanism to work in my environment.
>
> Thanks,
>
> Ike
>
>
>
>
> From: Kiran Ayyagari <ka...@apache.org>
> To: "users@directory.apache.org" <us...@directory.apache.org>,
> Date: 08/07/2014 12:08 AM
> Subject: Re: SASL DIGEST-MD5 Authentication
>
>
>
> On Thu, Aug 7, 2014 at 4:10 AM, Ike Ikonne <ii...@us.ibm.com> wrote:
>
> > Hi,
> >
> > I use JNDI API on JRE 1.7 to establish connection to APACHE DS.
> > I am able to establish SIMPLE authentication to APACHE DS, I am
> > just trying to get DIGEST-MD5 to work. Here is my environment:
> >
> > Hashtable env = new Hashtable();
> > env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
> >
> > if (authMethod != null)
> > env.put(Context.SECURITY_AUTHENTICATION, authMethod);
> > if (principal != null)
> > env.put(Context.SECURITY_PRINCIPAL, principal);
> > if (credentials != null)
> > env.put(Context.SECURITY_CREDENTIALS, credentials);
> > if (referral != null)
> > env.put(Context.REFERRAL, referral);
> > if (ldapVer != null)
> > env.put("java.naming.ldap.version", ldapVer);
> > env.put("java.naming.security.sasl.realm", "example.com");
> >
> > Tell me, do I need to configure the example.com realm or is it
> > configured as a default by APACHE DS?
> >
> you must be able to resolve your realm name (here example.com), either
> add an entry in your hosts file or in your internal DNS server
>
> >
> > Thanks,
> >
> > Ike
> >
> >
> >
> >
> > From: Emmanuel Lécharny <el...@gmail.com>
> > To: users@directory.apache.org,
> > Date: 08/06/2014 04:28 PM
> > Subject: Re: SASL DIGEST-MD5 Authentication
> >
> >
> >
> > On 06/08/14 22:40, Ike Ikonne wrote:
> > > Hi all,
> > >
> > > Again, thanks all for your response; so, do I need to make any
> > > external configuration other than the configuration to the APACHE DS?
> > > How do I change the default realm to point to my domain realm?
> > > Do I need to install/setup cyrus-sasl library to make this to work?
> >
> > No. We depend on the JVM, which supports SASL.
> >
> > What client are you using?
> >
> >
> >
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
>
--
Kiran Ayyagari
http://keydap.com
Re: SASL DIGEST-MD5 Authentication
Posted by Ike Ikonne <ii...@us.ibm.com>.
Hi all,
Does anyone have any more suggestions on how I can get DIGEST-MD5 SASL
to work for me? I haven't had any luck yet and I have tried all the
suggestions from the group and I do thank you all for that, I still have
a need to get that authentication mechanism to work in my environment.
Thanks,
Ike
From: Kiran Ayyagari <ka...@apache.org>
To: "users@directory.apache.org" <us...@directory.apache.org>,
Date: 08/07/2014 12:08 AM
Subject: Re: SASL DIGEST-MD5 Authentication
On Thu, Aug 7, 2014 at 4:10 AM, Ike Ikonne <ii...@us.ibm.com> wrote:
> Hi,
>
> I use JNDI API on JRE 1.7 to establish connection to APACHE DS.
> I am able to establish SIMPLE authentication to APACHE DS, I am
> just trying to get DIGEST-MD5 to work. Here is my environment:
>
> Hashtable env = new Hashtable();
> env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
>
> if (authMethod != null)
> env.put(Context.SECURITY_AUTHENTICATION, authMethod);
> if (principal != null)
> env.put(Context.SECURITY_PRINCIPAL, principal);
> if (credentials != null)
> env.put(Context.SECURITY_CREDENTIALS, credentials);
> if (referral != null)
> env.put(Context.REFERRAL, referral);
> if (ldapVer != null)
> env.put("java.naming.ldap.version", ldapVer);
> env.put("java.naming.security.sasl.realm", "example.com");
>
> Tell me, do I need to configure the example.com realm or is it
> configured as a default by APACHE DS?
>
you must be able to resolve your realm name (here example.com), either
add an entry in your hosts file or in your internal DNS server
>
> Thanks,
>
> Ike
>
>
>
>
> From: Emmanuel Lécharny <el...@gmail.com>
> To: users@directory.apache.org,
> Date: 08/06/2014 04:28 PM
> Subject: Re: SASL DIGEST-MD5 Authentication
>
>
>
> On 06/08/14 22:40, Ike Ikonne wrote:
> > Hi all,
> >
> > Again, thanks all for your response; so, do I need to make any
> > external configuration other than the configuration to the APACHE DS?
> > How do I change the default realm to point to my domain realm?
> > Do I need to install/setup cyrus-sasl library to make this to work?
>
> No. We depend on the JVM, which supports SASL.
>
> What client are you using?
>
>
>
--
Kiran Ayyagari
http://keydap.com
Re: SASL DIGEST-MD5 Authentication
Posted by Ike Ikonne <ii...@us.ibm.com>.
Hi all,
Here is my hash mechanism configuration; it is turned off. My Apache DS is
running on Windows 7, the user that I am trying to authenticate is
"uid=admin,ou=system", and my SASL base DN is pointed at ou=system.
dn: ads-interceptorId=passwordHashingInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: ads-interceptor
objectclass: ads-base
objectclass: top
ads-interceptorclassname: org.apache.directory.server.core.hash.SshaPasswordHashingInterceptor
ads-interceptorid: passwordHashingInterceptor
ads-interceptororder: 9
ads-enabled: FALSE
From: Kiran Ayyagari <ka...@apache.org>
To: "users@directory.apache.org" <us...@directory.apache.org>,
Date: 08/07/2014 12:24 PM
Subject: Re: SASL DIGEST-MD5 Authentication
On Thu, Aug 7, 2014 at 10:46 PM, Ike Ikonne <ii...@us.ibm.com> wrote:
> Hi Kiran,
>
> I have modified the hosts file where my Apache DS and client
> are running to:
>
> # localhost name resolution is handled within DNS itself.
> 127.0.0.1 localhost
> 127.0.0.1 example.com
> # ::1 localhost
>
>
> Here is my Apache DS configuration:
>
> dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
> objectclass: top
> objectclass: ads-base
> objectclass: ads-dsBasedServer
> objectclass: ads-ldapServer
> objectclass: ads-server
> ads-confidentialityrequired: FALSE
> ads-maxpdusize: 2000000
> ads-maxsizelimit: 1000
> ads-maxtimelimit: 15000
> ads-replenabled: true
> ads-replpingersleep: 5
> ads-saslhost: iikonne.xxx.xxx.com <------------
> ads-saslprincipal: ldap/ldap.example.com@EXAMPLE.COM
> ads-saslrealms: example.com <------
> ads-saslrealms: apache.org
> ads-serverid: ldapServer
> ads-enabled: TRUE
> ads-searchbasedn: ou=system <------
>
>
> But, I still continue to get the error message:
>
> LDAP: error code 49 - INVALID_CREDENTIALS: DIGEST-MD5: digest response
> format violation. Nonexistent realm: example.com
>
> What could I still be doing wrong?
>
make sure the credentials are stored in plain text in the server.
By default they are all hashed and you need to disable the hashing interceptor:
1. go to ads-interceptorId=passwordHashingInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
2. set ads-enabled to FALSE
3. restart the server
>
>
> Thanks,
>
> Ike
>
>
>
>
>
>
> From: Kiran Ayyagari <ka...@apache.org>
> To: "users@directory.apache.org" <us...@directory.apache.org>,
> Date: 08/07/2014 12:08 AM
> Subject: Re: SASL DIGEST-MD5 Authentication
>
>
>
> On Thu, Aug 7, 2014 at 4:10 AM, Ike Ikonne <ii...@us.ibm.com> wrote:
>
> > Hi,
> >
> > I use JNDI API on JRE 1.7 to establish connection to APACHE DS.
> > I am able to establish SIMPLE authentication to APACHE DS, I am
> > just trying to get DIGEST-MD5 to work. Here is my environment:
> >
> > Hashtable env = new Hashtable();
> > env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
> >
> > if (authMethod != null)
> > env.put(Context.SECURITY_AUTHENTICATION, authMethod);
> > if (principal != null)
> > env.put(Context.SECURITY_PRINCIPAL, principal);
> > if (credentials != null)
> > env.put(Context.SECURITY_CREDENTIALS, credentials);
> > if (referral != null)
> > env.put(Context.REFERRAL, referral);
> > if (ldapVer != null)
> > env.put("java.naming.ldap.version", ldapVer);
> > env.put("java.naming.security.sasl.realm", "example.com");
> >
> > Tell me, do I need to configure the example.com realm or is it
> > configured as a default by APACHE DS?
> >
> you must be able to resolve your realm name (here example.com), either
> add an entry in your hosts file or in your internal DNS server
>
> >
> > Thanks,
> >
> > Ike
> >
> >
> >
> >
> > From: Emmanuel Lécharny <el...@gmail.com>
> > To: users@directory.apache.org,
> > Date: 08/06/2014 04:28 PM
> > Subject: Re: SASL DIGEST-MD5 Authentication
> >
> >
> >
> > On 06/08/14 22:40, Ike Ikonne wrote:
> > > Hi all,
> > >
> > > Again, thanks all for your response; so, do I need to make any
> > > external configuration other than the configuration to the APACHE DS?
> > > How do I change the default realm to point to my domain realm?
> > > Do I need to install/setup cyrus-sasl library to make this to work?
> >
> > No. We depend on the JVM, which supports SASL.
> >
> > What client are you using?
> >
> >
> >
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
>
--
Kiran Ayyagari
http://keydap.com
Re: SASL DIGEST-MD5 Authentication
Posted by Kiran Ayyagari <ka...@apache.org>.
On Thu, Aug 7, 2014 at 10:46 PM, Ike Ikonne <ii...@us.ibm.com> wrote:
> Hi Kiran,
>
> I have modified the hosts file where my Apache DS and client
> are running to:
>
> # localhost name resolution is handled within DNS itself.
> 127.0.0.1 localhost
> 127.0.0.1 example.com
> # ::1 localhost
>
>
> Here is my Apache DS configuration:
>
> dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
> objectclass: top
> objectclass: ads-base
> objectclass: ads-dsBasedServer
> objectclass: ads-ldapServer
> objectclass: ads-server
> ads-confidentialityrequired: FALSE
> ads-maxpdusize: 2000000
> ads-maxsizelimit: 1000
> ads-maxtimelimit: 15000
> ads-replenabled: true
> ads-replpingersleep: 5
> ads-saslhost: iikonne.xxx.xxx.com <------------
> ads-saslprincipal: ldap/ldap.example.com@EXAMPLE.COM
> ads-saslrealms: example.com <------
> ads-saslrealms: apache.org
> ads-serverid: ldapServer
> ads-enabled: TRUE
> ads-searchbasedn: ou=system <------
>
>
> But, I still continue to get the error message:
>
> LDAP: error code 49 - INVALID_CREDENTIALS: DIGEST-MD5: digest response
> format violation. Nonexistent realm: example.com
>
> What could I still be doing wrong?
>
make sure the credentials are stored in plain text in the server.
By default they are all hashed and you need to disable the hashing interceptor:
1. go to ads-interceptorId=passwordHashingInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
2. set ads-enabled to FALSE
3. restart the server
>
>
> Thanks,
>
> Ike
>
>
>
>
>
>
> From: Kiran Ayyagari <ka...@apache.org>
> To: "users@directory.apache.org" <us...@directory.apache.org>,
> Date: 08/07/2014 12:08 AM
> Subject: Re: SASL DIGEST-MD5 Authentication
>
>
>
> On Thu, Aug 7, 2014 at 4:10 AM, Ike Ikonne <ii...@us.ibm.com> wrote:
>
> > Hi,
> >
> > I use JNDI API on JRE 1.7 to establish connection to APACHE DS.
> > I am able to establish SIMPLE authentication to APACHE DS, I am
> > just trying to get DIGEST-MD5 to work. Here is my environment:
> >
> > Hashtable env = new Hashtable();
> > env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
> >
> > if (authMethod != null)
> > env.put(Context.SECURITY_AUTHENTICATION, authMethod);
> > if (principal != null)
> > env.put(Context.SECURITY_PRINCIPAL, principal);
> > if (credentials != null)
> > env.put(Context.SECURITY_CREDENTIALS, credentials);
> > if (referral != null)
> > env.put(Context.REFERRAL, referral);
> > if (ldapVer != null)
> > env.put("java.naming.ldap.version", ldapVer);
> > env.put("java.naming.security.sasl.realm", "example.com");
> >
> > Tell me, do I need to configure the example.com realm or is it
> > configured as a default by APACHE DS?
> >
> you must be able to resolve your realm name (here example.com), either
> add an entry in your hosts file or in your internal DNS server
>
> >
> > Thanks,
> >
> > Ike
> >
> >
> >
> >
> > From: Emmanuel Lécharny <el...@gmail.com>
> > To: users@directory.apache.org,
> > Date: 08/06/2014 04:28 PM
> > Subject: Re: SASL DIGEST-MD5 Authentication
> >
> >
> >
> > On 06/08/14 22:40, Ike Ikonne wrote:
> > > Hi all,
> > >
> > > Again, thanks all for your response; so, do I need to make any
> > > external configuration other than the configuration to the APACHE DS?
> > > How do I change the default realm to point to my domain realm?
> > > Do I need to install/setup cyrus-sasl library to make this to work?
> >
> > No. We depend on the JVM, which supports SASL.
> >
> > What client are you using?
> >
> >
> >
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
>
--
Kiran Ayyagari
http://keydap.com
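Kiran's two conditions above (the realm must be one the server is configured with, and the stored credential must be the cleartext password) both follow from how the DIGEST-MD5 digest is built. The following Python is an added example, not ApacheDS or JDK code: it computes the RFC 2831 response as a client and verifies it on a toy server whose realm list mirrors the thread's ads-saslRealms values; the user kirana, the password, the nonces and the digest-uri are constructed values.

```python
import hashlib
import hmac
import re
from typing import Dict, Iterable, Optional

# RFC 2831 messages are comma-separated name=value directives; values may be quoted.
_DIRECTIVE = re.compile(r'([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_directives(message: str) -> Dict[str, str]:
    """Split a DIGEST-MD5 challenge or response into name -> value (quotes stripped)."""
    out: Dict[str, str] = {}
    for name, value in _DIRECTIVE.findall(message):
        if value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        out[name.lower()] = value
    return out


def hex_h_a1(username: str, realm: str, password: str, nonce: str, cnonce: str,
             authzid: Optional[str] = None) -> str:
    """HEX(H(A1)) from RFC 2831 section 2.1.2.1.

    The password enters only through H(username:realm:password), so the realm is
    baked into the digest and a verifier needs the cleartext password (or that
    realm-bound 16-byte hash). A salted SHA hash of the password, which is what
    the ApacheDS hashing interceptor stores, cannot be turned into this value.
    """
    inner = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    tail = f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        tail += f":{authzid}".encode("utf-8")
    return hashlib.md5(inner + tail).hexdigest()


def response_value(username: str, realm: str, password: str, nonce: str, cnonce: str,
                   nc: str, qop: str, digest_uri: str, rspauth: bool = False) -> str:
    """Client 'response' value, or the server's 'rspauth' when rspauth=True."""
    # A2 differs only in the "AUTHENTICATE" prefix (RFC 2831 2.1.2.1 vs 2.1.3).
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha1 = hex_h_a1(username, realm, password, nonce, cnonce)
    ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode("utf-8")).hexdigest()


def client_response(username: str, realm: str, password: str, nonce: str, cnonce: str,
                    digest_uri: str, nc: str = "00000001", qop: str = "auth") -> str:
    """Build the digest-response the client sends in its second SASL bind request."""
    resp = response_value(username, realm, password, nonce, cnonce, nc, qop, digest_uri)
    return (f'charset=utf-8,username="{username}",realm="{realm}",nonce="{nonce}",'
            f'nc={nc},cnonce="{cnonce}",digest-uri="{digest_uri}",response={resp},qop={qop}')


class DigestMd5Server:
    """Toy verifier: a realm list (like ads-saslRealms) and a cleartext password store."""

    def __init__(self, realms: Iterable[str], passwords: Dict[str, str], nonce: str):
        self.realms = set(realms)
        self.passwords = passwords  # username -> cleartext password
        self.nonce = nonce          # the nonce this server sent in its challenge

    def verify(self, digest_response: str) -> str:
        """Return 'OK rspauth=<hex>' or an INVALID_CREDENTIALS reason string."""
        f = parse_directives(digest_response)
        g = lambda k: f.get(k, "")
        if g("realm") not in self.realms:
            # The same check behind the thread's "Nonexistent realm: example.com".
            return f"INVALID_CREDENTIALS: Nonexistent realm: {g('realm')}"
        if g("nonce") != self.nonce:
            return "INVALID_CREDENTIALS: nonce mismatch"
        password = self.passwords.get(g("username"))
        if password is None:
            return "INVALID_CREDENTIALS: unknown user"
        args = (g("username"), g("realm"), password, g("nonce"), g("cnonce"),
                g("nc"), g("qop"), g("digest-uri"))
        if not hmac.compare_digest(response_value(*args), g("response")):
            return "INVALID_CREDENTIALS: bad response"
        return "OK rspauth=" + response_value(*args, rspauth=True)


# Constructed sample exchange for the thread's example.com setup (not captured traffic).
SERVER_NONCE = "OA6MG9tEQGm2hh"
CLIENT_CNONCE = "OA6MHXh6VqTrRk"
SERVER = DigestMd5Server(realms=["example.com", "apache.org"],
                         passwords={"kirana": "constructed-pw"}, nonce=SERVER_NONCE)


def demo(realm: str = "example.com", password: str = "constructed-pw") -> str:
    """One bind attempt against SERVER; vary realm or password to reproduce the failures."""
    msg = client_response("kirana", realm, password, SERVER_NONCE, CLIENT_CNONCE,
                          "ldap/ldap.example.com")
    return SERVER.verify(msg)
```

demo() is accepted and returns the server's rspauth; demo(realm="example.org") fails the realm check the way the thread's error 49 did, and demo(password="wrong") fails the digest comparison.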
Re: SASL DIGEST-MD5 Authentication
Posted by Ike Ikonne <ii...@us.ibm.com>.
Hi Kiran,
I have modified the hosts file where my Apache DS and client
are running to:
# localhost name resolution is handled within DNS itself.
127.0.0.1 localhost
127.0.0.1 example.com
# ::1 localhost
Here is my Apache DS configuration:
dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
objectclass: top
objectclass: ads-base
objectclass: ads-dsBasedServer
objectclass: ads-ldapServer
objectclass: ads-server
ads-confidentialityrequired: FALSE
ads-maxpdusize: 2000000
ads-maxsizelimit: 1000
ads-maxtimelimit: 15000
ads-replenabled: true
ads-replpingersleep: 5
ads-saslhost: iikonne.xxx.xxx.com <------------
ads-saslprincipal: ldap/ldap.example.com@EXAMPLE.COM
ads-saslrealms: example.com <------
ads-saslrealms: apache.org
ads-serverid: ldapServer
ads-enabled: TRUE
ads-searchbasedn: ou=system <------
But, I still continue to get the error message:
LDAP: error code 49 - INVALID_CREDENTIALS: DIGEST-MD5: digest response
format violation. Nonexistent realm: example.com
What could I still be doing wrong?
Thanks,
Ike
From: Kiran Ayyagari <ka...@apache.org>
To: "users@directory.apache.org" <us...@directory.apache.org>,
Date: 08/07/2014 12:08 AM
Subject: Re: SASL DIGEST-MD5 Authentication
On Thu, Aug 7, 2014 at 4:10 AM, Ike Ikonne <ii...@us.ibm.com> wrote:
> Hi,
>
> I use JNDI API on JRE 1.7 to establish connection to APACHE DS.
> I am able to establish SIMPLE authentication to APACHE DS, I am
> just trying to get DIGEST-MD5 to work. Here is my environment:
>
> Hashtable env = new Hashtable();
> env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
>
> if (authMethod != null)
> env.put(Context.SECURITY_AUTHENTICATION, authMethod);
> if (principal != null)
> env.put(Context.SECURITY_PRINCIPAL, principal);
> if (credentials != null)
> env.put(Context.SECURITY_CREDENTIALS, credentials);
> if (referral != null)
> env.put(Context.REFERRAL, referral);
> if (ldapVer != null)
> env.put("java.naming.ldap.version", ldapVer);
> env.put("java.naming.security.sasl.realm", "example.com");
>
> Tell me, do I need to configure the example.com realm or is it
> configured as a default by APACHE DS?
>
you must be able to resolve your realm name (here example.com), either
add an entry in your hosts file or in your internal DNS server
>
> Thanks,
>
> Ike
>
>
>
>
> From: Emmanuel Lécharny <el...@gmail.com>
> To: users@directory.apache.org,
> Date: 08/06/2014 04:28 PM
> Subject: Re: SASL DIGEST-MD5 Authentication
>
>
>
> On 06/08/14 22:40, Ike Ikonne wrote:
> > Hi all,
> >
> > Again, thanks all for your response; so, do I need to make any
> > external configuration other than the configuration to the APACHE DS?
> > How do I change the default realm to point to my domain realm?
> > Do I need to install/setup cyrus-sasl library to make this to work?
>
> No. We depend on the JVM, which supports SASL.
>
> What client are you using?
>
>
>
--
Kiran Ayyagari
http://keydap.com
Re: SASL DIGEST-MD5 Authentication
Posted by Kiran Ayyagari <ka...@apache.org>.
On Thu, Aug 7, 2014 at 4:10 AM, Ike Ikonne <ii...@us.ibm.com> wrote:
> Hi,
>
> I use JNDI API on JRE 1.7 to establish connection to APACHE DS.
> I am able to establish SIMPLE authentication to APACHE DS, I am
> just trying to get DIGEST-MD5 to work. Here is my environment:
>
> Hashtable env = new Hashtable();
> env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
>
> if (authMethod != null)
> env.put(Context.SECURITY_AUTHENTICATION, authMethod);
> if (principal != null)
> env.put(Context.SECURITY_PRINCIPAL, principal);
> if (credentials != null)
> env.put(Context.SECURITY_CREDENTIALS, credentials);
> if (referral != null)
> env.put(Context.REFERRAL, referral);
> if (ldapVer != null)
> env.put("java.naming.ldap.version", ldapVer);
> env.put("java.naming.security.sasl.realm", "example.com");
>
> Tell me, do I need to configure the example.com realm or is it
> configured as a default by APACHE DS?
>
you must be able to resolve your realm name (here example.com), either
add an entry in your hosts file or in your internal DNS server
>
> Thanks,
>
> Ike
>
>
>
>
> From: Emmanuel Lécharny <el...@gmail.com>
> To: users@directory.apache.org,
> Date: 08/06/2014 04:28 PM
> Subject: Re: SASL DIGEST-MD5 Authentication
>
>
>
> On 06/08/14 22:40, Ike Ikonne wrote:
> > Hi all,
> >
> > Again, thanks all for your response; so, do I need to make any
> > external configuration other than the configuration to the APACHE DS?
> > How do I change the default realm to point to my domain realm?
> > Do I need to install/setup cyrus-sasl library to make this to work?
>
> No. We depend on the JVM, which supports SASL.
>
> What client are you using?
>
>
>
--
Kiran Ayyagari
http://keydap.com
Re: SASL DIGEST-MD5 Authentication
Posted by Emmanuel Lécharny <el...@gmail.com>.
On 07/08/14 00:40, Ike Ikonne wrote:
> Hi,
>
> I use JNDI API on JRE 1.7 to establish connection to APACHE DS.
> I am able to establish SIMPLE authentication to APACHE DS, I am
> just trying to get DIGEST-MD5 to work. Here is my environment:
>
> Hashtable env = new Hashtable();
> env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
>
> if (authMethod != null)
> env.put(Context.SECURITY_AUTHENTICATION, authMethod);
> if (principal != null)
> env.put(Context.SECURITY_PRINCIPAL, principal);
> if (credentials != null)
> env.put(Context.SECURITY_CREDENTIALS, credentials);
> if (referral != null)
> env.put(Context.REFERRAL, referral);
> if (ldapVer != null)
> env.put("java.naming.ldap.version", ldapVer);
> env.put("java.naming.security.sasl.realm", "example.com");
>
> Tell me, do I need to configure the example.com realm or is it
> configured as a default by APACHE DS?
It's not configured by default. The configuration file should contain
the elements required for SASL to work:
http://directory.apache.org/apacheds/configuration/ads-2.0-configuration.html
ou=config
|
+--ads-directoryServiceId=default
   |
   +--ou=servers
      |
      +--ads-serverId=ldapServer <-- here, declare the saslHost (localhost, or your server name), saslQop set to auth, saslRealms
         |
         +--ou=saslMechHandlers
            |
            +--ads-saslMechName=DIGEST-MD5
Here are the entries to add:
dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
objectclass: ads-server
objectclass: ads-ldapServer
objectclass: ads-dsBasedServer
objectclass: ads-base
objectclass: top
ads-serverId: ldapServer
ads-confidentialityRequired: FALSE
ads-maxSizeLimit: 1000
ads-maxTimeLimit: 15000
ads-maxpdusize: 2000000
ads-saslHost: ldap.example.com <----------- Set this to your server's host
ads-saslPrincipal: ldap/ldap.example.com@EXAMPLE.COM
ads-saslRealms: example.com
ads-saslRealms: apache.org
ads-searchBaseDN: ou=users,ou=system <----------- Be sure to store the users you want to authent here, or change this value
ads-replEnabled: true
ads-replPingerSleep: 5
ads-enabled: TRUE

dn: ou=saslMechHandlers,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
ou: saslMechHandlers
objectclass: organizationalUnit
objectclass: top

dn: ads-saslMechName=DIGEST-MD5,ou=saslMechHandlers,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
ads-saslMechClassName: org.apache.directory.server.ldap.handlers.sasl.digestMD5.DigestMd5MechanismHandler
objectclass: ads-saslMechHandler
objectclass: ads-base
objectclass: top
ads-saslMechName: DIGEST-MD5
ads-enabled: TRUE
I think the trouble you have is with the missing two entries, which are
used to enable the SASL DIGEST-MD5 mechanism.
I'm going to crash, so I won't be able to provide direction for the next
few hours. Just keep me informed.
Note: I think we will need to update the doco at some point... Sorry
for that!
Re: SASL DIGEST-MD5 Authentication
Posted by Ike Ikonne <ii...@us.ibm.com>.
Hi,
I use the JNDI API on JRE 1.7 to establish a connection to APACHE DS.
I am able to establish SIMPLE authentication to APACHE DS; I am
just trying to get DIGEST-MD5 to work. Here is my environment:

import java.util.Hashtable;
import javax.naming.Context;

Hashtable<String, Object> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);

if (authMethod != null)   // "DIGEST-MD5" selects the SASL mechanism
    env.put(Context.SECURITY_AUTHENTICATION, authMethod);
if (principal != null)    // for DIGEST-MD5 this is the SASL authentication id
    env.put(Context.SECURITY_PRINCIPAL, principal);
if (credentials != null)
    env.put(Context.SECURITY_CREDENTIALS, credentials);
if (referral != null)
    env.put(Context.REFERRAL, referral);
if (ldapVer != null)
    env.put("java.naming.ldap.version", ldapVer);
env.put("java.naming.security.sasl.realm", "example.com");   // realm sent in the digest response
Tell me, do I need to configure the example.com realm or is it
configured as a default by APACHE DS?
Thanks,
Ike
From: Emmanuel Lécharny <el...@gmail.com>
To: users@directory.apache.org,
Date: 08/06/2014 04:28 PM
Subject: Re: SASL DIGEST-MD5 Authentication
On 06/08/14 22:40, Ike Ikonne wrote:
> Hi all,
>
> Again, thanks all for your response; so, do I need to make any
> external configuration other than the configuration to the APACHE DS?
> How do I change the default realm to point to my domain realm?
> Do I need to install/setup cyrus-sasl library to make this to work?
No. We depend on the JVM, which supports SASL.
What client are you using?
Re: SASL DIGEST-MD5 Authentication
Posted by Emmanuel Lécharny <el...@gmail.com>.
On 06/08/14 22:40, Ike Ikonne wrote:
> Hi all,
>
> Again, thanks all for your response; so, do I need to make any
> external configuration other than the configuration to the APACHE DS?
> How do I change the default realm to point to my domain realm?
> Do I need to install/setup cyrus-sasl library to make this to work?
No. We depend on the JVM, which supports SASL.
What client are you using?
Re: SASL DIGEST-MD5 Authentication
Posted by Ike Ikonne <ii...@us.ibm.com>.
Hi all,
Again, thanks all for your response; so, do I need to make any
external configuration other than the configuration to the APACHE DS?
How do I change the default realm to point to my domain realm?
Do I need to install/setup cyrus-sasl library to make this to work?
Here is my configuration:
dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
objectclass: top
objectclass: ads-base
objectclass: ads-dsBasedServer
objectclass: ads-ldapServer
objectclass: ads-server
ads-confidentialityrequired: FALSE
ads-maxpdusize: 2000000
ads-maxsizelimit: 1000
ads-maxtimelimit: 15000
ads-replenabled: true
ads-replpingersleep: 5
ads-saslhost: iikonne.xxx.xxx.com
ads-saslprincipal: ldap/iikonne.xxx.xxx.com@xxx.COM
ads-saslrealms: example.com
ads-saslrealms: apache.org
ads-serverid: ldapServer
ads-enabled: TRUE
ads-searchbasedn: ou=users,ou=system
From: Pierre Smits <pi...@gmail.com>
To: Apache Directory Users List <us...@directory.apache.org>,
Date: 08/06/2014 03:25 PM
Subject: Re: SASL DIGEST-MD5 Authentication
Ike,
Of course, you have to change example.com and EXAMPLE.COM for your realms.
Regards,
Pierre Smits
ORRTIZ.COM <http://www.orrtiz.com>
Services & Solutions for Cloud-
Based Manufacturing, Professional
Services and Retail & Trade
http://www.orrtiz.com
On Wed, Aug 6, 2014 at 10:01 PM, Ike Ikonne <ii...@us.ibm.com> wrote:
> Hi
>
> After making the change that you suggested, I get the following from the
> server
>
> LDAP: error code 49 - INVALID_CREDENTIALS: DIGEST-MD5: digest response
> format violation. Nonexistent realm: example.com
>
> Here is what my Apache Directory configuration looks like:
>
> dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
> objectclass: ads-server
> objectclass: ads-ldapServer
> objectclass: ads-dsBasedServer
> objectclass: ads-base
> objectclass: top
> ads-serverId: ldapServer
> ads-confidentialityRequired: FALSE
> ads-maxSizeLimit: 1000
> ads-maxTimeLimit: 15000
> ads-maxpdusize: 2000000
> ads-saslHost: iikonne.xxx.com
> ads-saslPrincipal: ldap/ldap.example.com@EXAMPLE.COM
> ads-saslRealms: example.com
> ads-saslRealms: apache.org
> ads-searchBaseDN: ou=users,ou=system
> ads-replEnabled: true
> ads-replPingerSleep: 5
> ads-enabled: TRUE
>
>
>
>
>
> From: Emmanuel Lécharny <el...@gmail.com>
> To: users@directory.apache.org,
> Date: 08/06/2014 02:47 PM
> Subject: Re: SASL DIGEST-MD5 Authentication
>
>
>
> On 06/08/14 21:16, Ike Ikonne wrote:
> > Hi all,
> >
> > I would appreciate it if someone could direct me on how to setup
> > APACHE DS to support SASL DIGEST-MD5. How can I setup
> > the realm for the example.com default domain?
>
> You have to set the saslHost parameter in the ldapServer entry:
>
> dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
> objectclass: ads-server
> objectclass: ads-ldapServer
> objectclass: ads-dsBasedServer
> objectclass: ads-base
> objectclass: top
> ads-serverId: ldapServer
> ads-confidentialityRequired: FALSE
> ads-maxSizeLimit: 1000
> ads-maxTimeLimit: 15000
> ads-maxpdusize: 2000000
> ads-saslHost: ldap.example.com <<<----
> ads-saslPrincipal: ldap/ldap.example.com@EXAMPLE.COM
> ads-saslRealms: example.com
> ads-saslRealms: apache.org
> ads-searchBaseDN: ou=users,ou=system
> ads-replEnabled: true
> ads-replPingerSleep: 5
> ads-enabled: TRUE
>
>
>
Re: SASL DIGEST-MD5 Authentication
Posted by Pierre Smits <pi...@gmail.com>.
Ike,
Of course, you have to change example.com and EXAMPLE.COM for your realms.
Regards,
Pierre Smits
*ORRTIZ.COM <http://www.orrtiz.com>*
Services & Solutions for Cloud-Based Manufacturing, Professional Services and Retail & Trade
http://www.orrtiz.com
On Wed, Aug 6, 2014 at 10:01 PM, Ike Ikonne <ii...@us.ibm.com> wrote:
> Hi
>
> After making the change that you suggested, I get the following from the
> server
>
> LDAP: error code 49 - INVALID_CREDENTIALS: DIGEST-MD5: digest response
> format violation. Nonexistent realm: example.com
>
> Here is what my Apache Directory configuration looks like:
>
> dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
> objectclass: ads-server
> objectclass: ads-ldapServer
> objectclass: ads-dsBasedServer
> objectclass: ads-base
> objectclass: top
> ads-serverId: ldapServer
> ads-confidentialityRequired: FALSE
> ads-maxSizeLimit: 1000
> ads-maxTimeLimit: 15000
> ads-maxpdusize: 2000000
> ads-saslHost: iikonne.xxx.com
> ads-saslPrincipal: ldap/ldap.example.com@EXAMPLE.COM
> ads-saslRealms: example.com
> ads-saslRealms: apache.org
> ads-searchBaseDN: ou=users,ou=system
> ads-replEnabled: true
> ads-replPingerSleep: 5
> ads-enabled: TRUE
>
>
>
>
>
> From: Emmanuel Lécharny <el...@gmail.com>
> To: users@directory.apache.org,
> Date: 08/06/2014 02:47 PM
> Subject: Re: SASL DIGEST-MD5 Authentication
>
>
>
> On 06/08/14 21:16, Ike Ikonne wrote:
> > Hi all,
> >
> > I would appreciate it if someone could direct me on how to setup
> > APACHE DS to support SASL DIGEST-MD5. How can I setup
> > the realm for the example.com default domain?
>
> You have to set the saslHost parameter in the ldapServer entry:
>
> dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
> objectclass: ads-server
> objectclass: ads-ldapServer
> objectclass: ads-dsBasedServer
> objectclass: ads-base
> objectclass: top
> ads-serverId: ldapServer
> ads-confidentialityRequired: FALSE
> ads-maxSizeLimit: 1000
> ads-maxTimeLimit: 15000
> ads-maxpdusize: 2000000
> ads-saslHost: ldap.example.com <<<----
> ads-saslPrincipal: ldap/ldap.example.com@EXAMPLE.COM
> ads-saslRealms: example.com
> ads-saslRealms: apache.org
> ads-searchBaseDN: ou=users,ou=system
> ads-replEnabled: true
> ads-replPingerSleep: 5
> ads-enabled: TRUE
>
>
>
Re: SASL DIGEST-MD5 Authentication
Posted by Ike Ikonne <ii...@us.ibm.com>.
Hi
After making the change that you suggested, I get the following from the
server
LDAP: error code 49 - INVALID_CREDENTIALS: DIGEST-MD5: digest response
format violation. Nonexistent realm: example.com
Here is what my Apache Directory configuration looks like:
dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
objectclass: ads-server
objectclass: ads-ldapServer
objectclass: ads-dsBasedServer
objectclass: ads-base
objectclass: top
ads-serverId: ldapServer
ads-confidentialityRequired: FALSE
ads-maxSizeLimit: 1000
ads-maxTimeLimit: 15000
ads-maxpdusize: 2000000
ads-saslHost: iikonne.xxx.com
ads-saslPrincipal: ldap/ldap.example.com@EXAMPLE.COM
ads-saslRealms: example.com
ads-saslRealms: apache.org
ads-searchBaseDN: ou=users,ou=system
ads-replEnabled: true
ads-replPingerSleep: 5
ads-enabled: TRUE
From: Emmanuel Lécharny <el...@gmail.com>
To: users@directory.apache.org,
Date: 08/06/2014 02:47 PM
Subject: Re: SASL DIGEST-MD5 Authentication
On 06/08/14 21:16, Ike Ikonne wrote:
> Hi all,
>
> I would appreciate it if someone could direct me on how to setup
> APACHE DS to support SASL DIGEST-MD5. How can I setup
> the realm for the example.com default domain?
You have to set the saslHost parameter in the ldapServer entry:
dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
objectclass: ads-server
objectclass: ads-ldapServer
objectclass: ads-dsBasedServer
objectclass: ads-base
objectclass: top
ads-serverId: ldapServer
ads-confidentialityRequired: FALSE
ads-maxSizeLimit: 1000
ads-maxTimeLimit: 15000
ads-maxpdusize: 2000000
ads-saslHost: ldap.example.com <<<----
ads-saslPrincipal: ldap/ldap.example.com@EXAMPLE.COM
ads-saslRealms: example.com
ads-saslRealms: apache.org
ads-searchBaseDN: ou=users,ou=system
ads-replEnabled: true
ads-replPingerSleep: 5
ads-enabled: TRUE
Re: SASL DIGEST-MD5 Authentication
Posted by Emmanuel Lécharny <el...@gmail.com>.
On 06/08/14 21:16, Ike Ikonne wrote:
> Hi all,
>
> I would appreciate it if someone could direct me on how to setup
> APACHE DS to support SASL DIGEST-MD5. How can I setup
> the realm for the example.com default domain?
You have to set the saslHost parameter in the ldapServer entry:
dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
objectclass: ads-server
objectclass: ads-ldapServer
objectclass: ads-dsBasedServer
objectclass: ads-base
objectclass: top
ads-serverId: ldapServer
ads-confidentialityRequired: FALSE
ads-maxSizeLimit: 1000
ads-maxTimeLimit: 15000
ads-maxpdusize: 2000000
ads-saslHost: ldap.example.com <<<----
ads-saslPrincipal: ldap/ldap.example.com@EXAMPLE.COM
ads-saslRealms: example.com
ads-saslRealms: apache.org
ads-searchBaseDN: ou=users,ou=system
ads-replEnabled: true
ads-replPingerSleep: 5
ads-enabled: TRUE
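A small consistency check for the ldapServer entry above, added here as an example; it is not part of this thread or of ApacheDS. It assumes the rules the replies imply (ads-saslHost must name the same host as ads-saslPrincipal, and the principal's realm must be one of the ads-saslRealms values, compared ignoring case) and applies them to the entry as posted, with the two saslHost values seen in the thread.

```python
def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}; folded
    continuation lines (leading space, RFC 2849) are re-joined."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def check_sasl_config(text):
    """Return a list of findings (empty = consistent). The rules are assumptions
    drawn from the replies in this thread, not ApacheDS's own validation:
    saslHost must equal the host in saslPrincipal, and the principal's realm
    must appear in saslRealms (compared case-insensitively)."""
    entry = parse_ldif_entry(text)
    hosts = entry.get("ads-saslhost", [])
    principals = entry.get("ads-saslprincipal", [])
    realms = {r.lower() for r in entry.get("ads-saslrealms", [])}
    if not hosts or not principals:
        return ["ads-saslHost and ads-saslPrincipal must both be set"]
    service_host, at, realm = principals[0].partition("@")
    _service, slash, host = service_host.partition("/")
    if not (at and slash):
        return ["ads-saslPrincipal must look like service/host@REALM"]
    findings = []
    if hosts[0].lower() != host.lower():
        findings.append("ads-saslHost %s does not match principal host %s" % (hosts[0], host))
    if realm.lower() not in realms:
        findings.append("principal realm %s is not listed in ads-saslRealms" % realm)
    return findings

# Constructed sample: the ldapServer entry from this thread with the suggested
# saslHost value; the dn is LDIF-folded on purpose to exercise the re-joining.
GOOD_ENTRY = """dn: ads-serverId=ldapServer,ou=servers,
 ads-directoryServiceId=default,ou=config
objectclass: ads-ldapServer
ads-saslHost: ldap.example.com
ads-saslPrincipal: ldap/ldap.example.com@EXAMPLE.COM
ads-saslRealms: example.com
ads-saslRealms: apache.org
"""
# Same entry with the saslHost value from the configuration that reported
# 'Nonexistent realm: example.com' earlier in the thread.
BAD_ENTRY = GOOD_ENTRY.replace("ads-saslHost: ldap.example.com", "ads-saslHost: iikonne.xxx.com")
```

Running `check_sasl_config(BAD_ENTRY)` reports the host mismatch, while `GOOD_ENTRY` passes with no findings.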