Posted to users@directory.apache.org by Kiran Ayyagari <ka...@apache.org> on 2014/03/11 13:56:34 UTC

Re: [LDAP API] SASL Realm name format when binding against Microsoft AD

On Tue, Mar 11, 2014 at 4:38 PM, Andrew Hastie <an...@ahastie.net> wrote:

> Hi all.
>
> I am looking for some advice on the following topic and hoping someone out
> there may have hit the same problem before:
>
> I'm experimenting with the API in an attempt to authenticate a
> User+Password combination against an instance of MS Active Directory. My
> problem occurs when I use the SASL Mechanism "DIGEST-MD5", and relates to
> how I set the value for the SASL Realm. Here's an example of what I see:
>
> 1. I have a standard user account in the MS Active Directory.
> 2. Say the Windows "Realm" is COMPANY1 and my userID is "somebody"
>
> If I set the UserID to "somebody" and the Realm to "COMPANY1", this works
> OK.
> If I set the UserID to "somebody" and the Realm to "company1", this works
> OK.
> But if set the UserID to "somebody" and the Realm to "Company1", the bind
> request is rejected.
>
looks like AD is rejecting the last realm name; check the server settings. LDAP API doesn't modify or make
use of this value other than passing it to the server

> I have read in several places that the Realm name when using
> GSSAPI/Kerberos should be supplied in upper case, so I guess there must be
> something connected with case sensitivity somewhere.
>
realm names are case-sensitive (they need not be in upper case, but that
is a general convention to distinguish them from DNS host names)

> Is anyone able to shed any light as to where I am going wrong here?
>
> Thanks
> Andrew
>
>


-- 
Kiran Ayyagari
http://keydap.com
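The reason a differently-cased realm is rejected is that DIGEST-MD5 hashes the realm string into A1 on both sides, so the server can only verify a response built with a spelling it also uses. The following is an added Python example of the RFC 2831 response computation; it is not code from the thread or from the Apache LDAP API, and the user, password, nonces and digest-uri are constructed placeholders:

```python
"""DIGEST-MD5 (RFC 2831) response computation, showing why the realm
string must match exactly: it is hashed into A1 on both client and server."""
import hashlib
from typing import Dict, Iterable, Optional


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hexh(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username: str, realm: str, password: str,
                        nonce: str, cnonce: str, nc: str, qop: str,
                        digest_uri: str, authzid: Optional[str] = None) -> str:
    """Client response-value per RFC 2831 section 2.1.2.1.

    The realm sits inside the innermost hash, so "COMPANY1" and "Company1"
    give different A1 values and therefore different responses."""
    # Values are assumed ASCII; RFC 2831 picks ISO-8859-1 or UTF-8 for
    # username/realm/password depending on the charset directive.
    a1 = (_h(f"{username}:{realm}:{password}".encode("utf-8"))
          + f":{nonce}:{cnonce}".encode("utf-8"))
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    # KD(k, s) = H(k ":" s) with k = HEX(H(A1))
    kd_input = f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexh(a2)}"
    return _hexh(kd_input.encode("utf-8"))


def realm_responses(realms: Iterable[str], **kw) -> Dict[str, str]:
    """Response for each candidate realm spelling, all other inputs fixed."""
    return {r: digest_md5_response(realm=r, **kw) for r in realms}


# Constructed sample parameters (not from the thread); nonces are made up.
SAMPLE = dict(username="somebody", password="example-password",
              nonce="constructed-server-nonce", cnonce="constructed-client-nonce",
              nc="00000001", qop="auth", digest_uri="ldap/dc1.company1.example")

if __name__ == "__main__":
    for realm, resp in realm_responses(["COMPANY1", "company1", "Company1"], **SAMPLE).items():
        print(f"realm={realm!r:12} response={resp}")
```

Because each spelling produces a distinct response, a server that accepts both "COMPANY1" and "company1" must itself know both spellings; it says nothing about whether the client's library altered the value.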