directory-users mailing list archives

From Pierre-Arnaud Marcelot ...@marcelot.net>
Subject Re: [ApacheDS] DIGEST-MD5: cannot acquire password
Date Fri, 25 Feb 2011 14:44:30 GMT
Hi Cristiano,

Sorry for the late answer.

I installed a testing instance of ApacheDS 1.5.7 with the files you sent.
I was indeed able to test the issue, but it is mainly a configuration issue.
Some properties in your server.xml were not correctly set.

The 'searchBaseDn' in the 'ldapServer' bean needs to be updated to the DN where your users
are stored. Most likely "ou=users,o=mycompany" in your case.

In your Java sample file, you had also forgotten to mention the SASL realm, with the following
property added to the environment:
env.put("java.naming.security.sasl.realm", "mycompany.com");

Also make sure to use the id of the user you want to bind and not its complete DN in the case
of a DIGEST-MD5 bind.

With all these correct settings you should be able to bind successfully with one of your users.

Regards,
Pierre-Arnaud
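For completeness, here is what the client side looks like once the three points above are applied, as an added JNDI example (not code from the thread or from ApacheDS). It assumes the server listens at ldap://ldap.mycompany.com:20389, that its ldapServer bean has searchBaseDn set to ou=users,o=mycompany and mycompany.com configured as a SASL realm, and that the entry for uid=cvgaviao carries a plaintext userPassword; the class and method names are mine.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * DIGEST-MD5 bind against ApacheDS via JNDI with the corrected client settings.
 *
 * Assumed (not from the thread): server URL, realm "mycompany.com" in the server's
 * SASL realms, searchBaseDn="ou=users,o=mycompany", plaintext userPassword on the entry.
 */
public class DigestMd5Bind {

    /** Build the JNDI environment for a DIGEST-MD5 bind. */
    public static Hashtable<String, Object> digestMd5Env(String url, String realm,
                                                         String uid, String password) {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");

        // DIGEST-MD5 authenticates a user *id* within a realm, not a DN: the server
        // resolves the id to an entry below searchBaseDn itself. Passing
        // "uid=cvgaviao,ou=users,o=mycompany" here is what the thread shows failing.
        env.put(Context.SECURITY_PRINCIPAL, uid);
        env.put(Context.SECURITY_CREDENTIALS, password);

        // The realm the server should look the password up in; this property was
        // missing from the original sample.
        env.put("java.naming.security.sasl.realm", realm);

        // Negotiate integrity + confidentiality for the session after the bind so
        // the LDAP traffic that follows is not sent in the clear.
        env.put("javax.security.sasl.qop", "auth-conf");
        return env;
    }

    /** Bind (the SASL exchange runs inside the constructor) and return matching DNs. */
    public static List<String> bindAndSearch(Hashtable<String, Object> env,
                                             String baseDn, String filter) throws NamingException {
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "uid" });
            List<String> dns = new ArrayList<String>();
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
            while (results.hasMore()) {
                dns.add(results.next().getNameInNamespace());
            }
            return dns;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Password from argv[0] or the LDAP_PASSWORD variable, never hard-coded.
        String password = args.length > 0 ? args[0] : System.getenv("LDAP_PASSWORD");
        Hashtable<String, Object> env = digestMd5Env(
                "ldap://ldap.mycompany.com:20389", "mycompany.com", "cvgaviao", password);
        try {
            for (String dn : bindAndSearch(env, "ou=users,o=mycompany", "(objectClass=inetOrgPerson)")) {
                System.out.println(dn);
            }
        } catch (NamingException e) {
            // "error code 49 ... cannot acquire password for X in realm : Y" means the
            // server found no entry for X under searchBaseDn, or X has no plaintext
            // userPassword it can use for the digest comparison.
            System.err.println("DIGEST-MD5 bind failed: " + e.getMessage());
            throw e;
        }
    }
}
```

Run it with the password as the first argument or in LDAP_PASSWORD. Because the server has to compute the same digest the client did, the directory must hold the password in plaintext (as noted earlier in this thread), so access to the userPassword attribute and to the partition files deserves the same care as the passwords themselves; the auth-conf QoP at least keeps the subsequent LDAP operations off the wire in the clear.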
On Thursday 24 February 2011 at 19:49, Cristiano Gavião wrote: 
> Hi Pierre, have you reproduced the described problem?
> 
> cheers
> 
> Cristiano
> 
> On 15/02/11 17:55, Cristiano Gavião wrote:
> > Hi Pierre...
> > 
> > I am sending the zip with 3 files: a server.xml, an LDIF data file and a 
> > Java class to test.
> > 
> > As I said, I've created a fake host in my hosts file pointing to 
> > localhost. Let me know if you need more info.
> > 
> > thanks again
> > 
> > Cristiano
> > 
> > On 15/02/11 16:30, Pierre-Arnaud Marcelot wrote:
> > > On 15 Feb. 2011 at 19:56, Cristiano Gavião <cvgaviao@gmail.com> 
> > > wrote:
> > > 
> > > > Hi Pierre. Thanks for the answer, but I think I didn't understand what 
> > > > you mean by "should be stored as plaintext"...
> > > > 
> > > > Are you saying that when I'm using Studio to create the userPassword 
> > > > attribute for some user, should I select plaintext in the "Select 
> > > > Hash Method" combobox?
> > > Yeah, that's what I meant.
> > > 
> > > > If it is, I've removed the created passwords again and recreated all 
> > > > using plaintext but nothing changed at all.
> > > > 
> > > > import java.util.Hashtable;
> > > > import javax.naming.Context;
> > > > import javax.naming.InitialContext;
> > > > import javax.naming.NamingEnumeration;
> > > > import javax.naming.NamingException;
> > > > 
> > > > public class DigestTest { // class wrapper added so the sample compiles
> > > >     public static void main(String[] args) throws NamingException {
> > > >         Hashtable<String, Object> env = new Hashtable<String, Object>();
> > > >         env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
> > > >         env.put(Context.PROVIDER_URL, "ldap://ldap.mycompany.com:20389");
> > > >         env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
> > > >         env.put("java.naming.security.sasl.realm", "MYCOMPANY.COM");
> > > >         env.put(Context.SECURITY_PRINCIPAL, "uid=cvgaviao,ou=users,o=mycompany");
> > > >         env.put("com.sun.jndi.ldap.trace.ber", System.err); // dump the BER exchange to stderr
> > > >         // env.put(Context.SECURITY_PRINCIPAL, "uid=cvgaviao,ou=users,o=mycompany");
> > > >         // env.put(Context.SECURITY_CREDENTIALS, "c123qweg");
> > > >         env.put("javax.security.sasl.qop", "auth-conf");
> > > > 
> > > >         try {
> > > >             Context ctx = new InitialContext(env); // the SASL bind happens here
> > > >             NamingEnumeration<?> enm = ctx.list("");
> > > >             while (enm.hasMore()) {
> > > >                 System.out.println(enm.next());
> > > >             }
> > > >             ctx.close();
> > > >         } catch (NamingException e) {
> > > >             System.out.println(e.getMessage());
> > > >         }
> > > >     }
> > > > }
> > > > 
> > > > I'm still getting:
> > > > [LDAP: error code 49 - INVALID_CREDENTIALS: DIGEST-MD5: cannot 
> > > > acquire password for uid=cvgaviao,ou=users,o=mob4biz in realm : 
> > > > MYCOMPANY.COM]
> > > > 
> > > > :-(
> > > Can you also send us the complete server.xml and an LDIF extract of
> > > required entries for testing the issue?
> > > 
> > > Thanks,
> > > Pierre-Arnaud
> > > 
> > > > cheers
> > > > 
> > > > Cristiano
> > > > 
> > > > On 15/02/11 15:26, Pierre-Arnaud Marcelot wrote:
> > > > > Hi Cristiano,
> > > > > 
> > > > > AFAIR, ApacheDS requires passwords to be stored as plaintext to be
> > > > > able to use DIGEST-MD5 or CRAM-MD5 authentication mechanisms.
> > > > > 
> > > > > Regards,
> > > > > Pierre-Arnaud
> > > > > On Tuesday 15 February 2011 at 19:05, Cristiano Gavião wrote:
> > > > > > Hi,
> > > > > > 
> > > > > > I'm studying DS and Studio 1.5.7. I'm using Mac OS X 10.6.
> > > > > > I've created my first server (on localhost, and I've put the DNS
> > > > > > name in /etc/hosts) containing two partitions: system and
> > > > > > mycompany. I've created the o=mycompany context with two units:
> > > > > > ou=users and ou=groups.
> > > > > > 
> > > > > > It was nice and easy to create, connect to and search my new LDAP
> > > > > > tree... :-)
> > > > > > 
> > > > > > But this first time I was using the simple mechanism and I want
> > > > > > something a little more secure. So, I've decided to set up the
> > > > > > DIGEST-MD5 mechanism and I've changed server.xml with this:
> > > > > > Host: ldap.mycompany.com
> > > > > > Principal: ldap/ldap.mycompany.com@MYCOMPANY.COM
> > > > > > BaseDN: ou=users,o=mycompany
> > > > > > 
> > > > > > I've removed the users that I'd created before, created new ones
> > > > > > and set up userPassword to a new MD5 one.
> > > > > > 
> > > > > > Well, not so easy this time... it doesn't work using either the
> > > > > > Java LDAP API or a Studio connection. I'm getting the same error:
> > > > > > 
> > > > > >  LDAP: error code 49 - INVALID_CREDENTIALS: DIGEST-MD5: cannot
> > > > > > acquire password for johnUser in realm : MYCOMPANY.COM
> > > > > > 
> > > > > > and I can't find anything about the problem on the net.
> > > > > > 
> > > > > > I don't know what more to do. Could anyone help me with this,
> > > > > > please?
> > > > > > 
> > > > > > thanks a lot
> > > > > > 
> > > > > > Cristiano
> 
