directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: SASL authentication with DIGEST-MD5
Date Sat, 13 Aug 2011 13:26:18 GMT
Hi Brian,

    Found the issue: you are using the full DN as the user name. Instead,
just use 'testdigest' alone as the username.

   P.S.: there is a bit of valuable information logged in :)

> Operation Context: SearchContext for DN 'ou=people,ou=pingtoo.com', filter
> :'(0.9.2342.19200300.100.1.1=uid=testdigest,ou=people,o=pingtoo.com)'  <----- see the wrong filter

but it was difficult to trace until I reproduced the issue and
checked the logs.

HTH

On Sat, Aug 13, 2011 at 3:23 PM, Brian Burch <brian@pingtoo.com> wrote:
> On 12/08/11 16:12, Brian Burch wrote:
>>
>> I will try to do the test again tomorrow with debugging turned on unless
>> you see something useful above.
>
> Well, I am baffled. The debug log is quite big but doesn't tell me anything
> we didn't know already. I don't want to fill up the mail archive, so here is
> a summary:
>
> The SASL dialog progresses normally until the client response to the server
> challenge arrives, and is decoded without error.
>
> [10:24:08] DEBUG [org.apache.directory.shared.ldap.codec.TwixTransformer] -
> Transforming LdapMessage <2, BIND_REQUEST> from Twix to Snickers.
> [10:24:08] DEBUG [org.apache.directory.server.ldap.handlers.BindHandler] -
> Received:     BindRequest
>        Version : '3'
>        Name : ''
>        Sasl credentials
>            Mechanism :'DIGEST-MD5'
>            Credentials :
> 'charset=utf-8,username="uid=testDigest,ou=people,o=pingtoo.com",realm="pingtoo.com",nonce="G33N7OiolRjzUUPZ0rt9Xd+yekVkscWuLSGaTbpV",nc=00000001,cnonce="NLeTmnE3GMTyaUC7fm0PvSu6rLzCgdr5aNIZvGrj",digest-uri="ldap/ldap.pingtoo.com",maxbuf=65536,response=01f3099702d77231b7e00b0ce97ed1fd,qop=auth
> (hex snipped out)'
>
> Then only this is logged:
>
> [10:24:08] DEBUG
> [org.apache.directory.server.ldap.handlers.bind.AbstractSaslCallbackHandler]
> - Processing callback 1 of 3: {}class javax.security.sasl.RealmCallback
> [10:24:08] DEBUG
> [org.apache.directory.server.ldap.handlers.bind.AbstractSaslCallbackHandler]
> - RealmCallback default text:  pingtoo.com
> [10:24:08] DEBUG
> [org.apache.directory.server.ldap.handlers.bind.AbstractSaslCallbackHandler]
> - Processing callback 2 of 3: {}class
> javax.security.auth.callback.NameCallback
> [10:24:08] DEBUG
> [org.apache.directory.server.ldap.handlers.bind.AbstractSaslCallbackHandler]
> - NameCallback default name:  uid=testDigest,ou=people,o=pingtoo.com
> [10:24:08] DEBUG
> [org.apache.directory.server.ldap.handlers.bind.AbstractSaslCallbackHandler]
> - Processing callback 3 of 3: {}class
> javax.security.auth.callback.PasswordCallback
> [10:24:08] DEBUG
> [org.apache.directory.server.schema.registries.DefaultOidRegistry] - looked
> up OID '2.5.4.35' with id 'userPassword'
> [10:24:08] DEBUG
> [org.apache.directory.server.schema.registries.DefaultAttributeTypeRegistry]
> - lookup with id2.5.4.35' of attributeType: <2.5.4.35, userPassword>
> [10:24:08] DEBUG
> [org.apache.directory.server.core.authn.AuthenticationInterceptor] -
> Operation Context: LookupContext for DN 'ou=people,ou=pingtoo.com',
> attributes : <>
> [10:24:08] DEBUG
> [org.apache.directory.server.core.partition.DefaultPartitionNexus] - Check
> if DN '2.5.4.11=people,2.5.4.11=pingtoo.com' exists.
> [10:24:08] DEBUG
> [org.apache.directory.server.schema.registries.DefaultOidRegistry] - looked
> up OID '0.9.2342.19200300.100.1.1' with id 'uid'
> [10:24:08] DEBUG
> [org.apache.directory.server.schema.registries.DefaultOidRegistry] - looked
> up OID '0.9.2342.19200300.100.1.1' with id 'uid'
> [10:24:08] DEBUG
> [org.apache.directory.server.schema.registries.DefaultAttributeTypeRegistry]
> - lookup with id0.9.2342.19200300.100.1.1' of attributeType:
> <0.9.2342.19200300.100.1.1, uid>
> [10:24:08] DEBUG
> [org.apache.directory.server.schema.registries.DefaultOidRegistry] - looked
> up OID '0.9.2342.19200300.100.1.1' with id 'uid'
> [10:24:08] DEBUG
> [org.apache.directory.server.schema.registries.DefaultAttributeTypeRegistry]
> - lookup with id0.9.2342.19200300.100.1.1' of attributeType:
> <0.9.2342.19200300.100.1.1, uid>
> [10:24:08] DEBUG
> [org.apache.directory.server.schema.registries.DefaultOidRegistry] - looked
> up OID '0.9.2342.19200300.100.1.1' with id 'uid'
> [10:24:08] DEBUG
> [org.apache.directory.server.schema.registries.DefaultAttributeTypeRegistry]
> - lookup with id0.9.2342.19200300.100.1.1' of attributeType:
> <0.9.2342.19200300.100.1.1, uid>
> [10:24:08] DEBUG
> [org.apache.directory.server.schema.registries.DefaultNormalizerRegistry] -
> registered normalizer with oid: 2.5.13.2
> [10:24:08] DEBUG
> [org.apache.directory.server.schema.registries.DefaultOidRegistry] - looked
> up OID '0.9.2342.19200300.100.1.1' with id 'uid'
> [10:24:08] DEBUG
> [org.apache.directory.server.core.authn.AuthenticationInterceptor] -
> Operation Context: SearchContext for DN 'ou=people,ou=pingtoo.com', filter
> :'(0.9.2342.19200300.100.1.1=uid=testdigest,ou=people,o=pingtoo.com)'
> [10:24:08] DEBUG
> [org.apache.directory.server.schema.registries.DefaultAttributeTypeRegistry]
> - lookup with id0.9.2342.19200300.100.1.1' of attributeType:
> <0.9.2342.19200300.100.1.1, uid>
> [10:24:08] DEBUG
> [org.apache.directory.server.core.partition.DefaultPartitionNexus] - Check
> if DN '2.5.4.11=people,2.5.4.11=pingtoo.com' exists.
> [10:24:08] ERROR [org.apache.directory.server.ldap.handlers.BindHandler] -
> INVALID_CREDENTIALS: DIGEST-MD5: cannot acquire password for
> uid=testDigest,ou=people,o=pingtoo.com in realm : pingtoo.com
> [10:24:08] DEBUG [org.apache.directory.shared.ldap.codec.TwixTransformer] -
> Transforming message type BIND_RESPONSE
> [10:24:08] DEBUG [org.apache.directory.shared.ldap.codec.TwixTransformer] -
> Transformed message : LdapMessage
>    message Id : 2
>    BindResponse
>        Ldap Result
>            Result code : (INVALID_CREDENTIALS) invalidCredentials
>            Matched DN : ''
>            Error message : 'INVALID_CREDENTIALS: DIGEST-MD5: cannot acquire
> password for uid=testDigest,ou=people,o=pingtoo.com in realm : pingtoo.com'
>
>
> I've looked carefully for some trivial typo, but I can't find any. The user
> entry exists and holds a cleartext userpassword. The SASL authentication
> thread logged earlier that it was running as
>
> dn[n]: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>
> ... who definitely is able to read the user's password via studio or
> ldapsearch. Why can't it read the userpassword within the SASL
> authentication dialogue?
>
> I don't have a debugger environment set up, so it will take me quite a while
> before I'm able to step through the source at the time of the error.
>
>



-- 
Kiran Ayyagari
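The mismatch Kiran points out, as an added illustration that is not part of this thread or of ApacheDS's own code: the server derives a `(uid=<SASL username>)` filter under its search base, so passing the full DN as the username yields a filter no entry can match and the server "cannot acquire" a password to verify the digest. `SEARCH_BASE`, `ENTRIES` and the stored password are constructed values.

```python
# Constructed sample data (not the poster's directory): the search base the
# server scopes SASL binds to, and one user entry with a cleartext password,
# which DIGEST-MD5 needs server-side to verify the client's response.
SEARCH_BASE = "ou=people,o=pingtoo.com"
ENTRIES = {
    "uid=testdigest,ou=people,o=pingtoo.com": {
        "uid": "testDigest",
        "userPassword": "constructed-secret",
    },
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so the username cannot change the filter's shape."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def uid_filter(sasl_username: str) -> str:
    """The '(uid=<username>)' filter the server builds from the SASL username field."""
    return f"(uid={escape_filter_value(sasl_username)})"


def uids_match(entry_uid: str, assertion: str) -> bool:
    """uid uses caseIgnoreMatch, so 'testDigest' and 'testdigest' are the same value."""
    return entry_uid.casefold() == assertion.casefold()


def find_password(sasl_username: str):
    """Resolve the SASL username to an entry under SEARCH_BASE; return its password or None."""
    for dn, attrs in ENTRIES.items():
        in_scope = dn.casefold().endswith("," + SEARCH_BASE.casefold())
        if in_scope and uids_match(attrs["uid"], sasl_username):
            return attrs["userPassword"]
    return None


if __name__ == "__main__":
    # Bare uid resolves; the full DN becomes '(uid=uid=testDigest,...)' and fails.
    for name in ("testDigest", "uid=testDigest,ou=people,o=pingtoo.com"):
        outcome = "password found" if find_password(name) else "cannot acquire password"
        print(f"{uid_filter(name)} -> {outcome}")
```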
