directory-users mailing list archives

From "Yang, Gang CTR (US)" <>
Subject RE: Digest-MD5 authentication
Date Tue, 05 Feb 2013 17:49:18 GMT
After some experiments based on the errors I was getting and tips I found from searching the
Internet, here's a summary on using Digest-MD5 authentication with ApacheDS so far:

On the ApacheDS server side: (using Apache Directory Studio for configuration)

- Define a host domain name in host file for

- Use host domain name instead of in ApacheDS configuration for SASL Host

- Make sure the Search Base DN parameter in SASL settings points to where the user entries
are stored in the DIT

- Store the user password in clear text. In order to achieve this, some discussions from
the mailing list suggested disabling the default passwordPolicies and passwordHashing interceptors

- Restart ApacheDS after changing the configuration

On the client side: (using Apache Directory Studio)

- Use host domain name instead of in connection configuration for Hostname under
Network Parameters

- Use uid alone w/o "uid=" instead of full DN of the user for Bind DN or User under Authentication

- Make sure to select the right SASL realm, in my case, in SASL Settings

After doing all these, I'm still getting the error:

LDAP: error code 49 - INVALID_CREDENTIALS: DIGEST-MD5: cannot acquire password for Gang.Yang
in realm :

Anyone who's knowledgeable in this area, please help. I'm using a newly downloaded latest
ApacheDS and Apache Directory Studio (2.0.0-M10 and 2.0.0-M4).

Thanks in advance,


From: Yang, Gang CTR (US) []
Sent: Monday, February 04, 2013 12:28 PM
Subject: Digest-MD5 authentication


I'm using the latest ApacheDS and Apache Directory Studio. I can bind using Simple authentication,
but failed using Digest-MD5 or Kerberos. I'm sure it's the configuration, but I could not
find any section in the user's guide (basic or advanced) that tells me how. Any help and pointers
are appreciated.
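
Added example, not part of the original message and not ApacheDS code: the DIGEST-MD5 response computation from RFC 2831, showing why the steps above call for a clear-text stored password and an exact match on user name and realm. The function names are hypothetical, the challenge values are the test vector from RFC 2831 section 4, and the `{SHA}` value and the DN are constructed samples.

```python
import base64
import hashlib
import hmac


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_response(username, realm, password, nonce, cnonce,
                        digest_uri, nc="00000001", qop="auth"):
    """RFC 2831 section 2.1.2.1 response for qop=auth with no authzid."""
    # Inner hash: needs the cleartext password plus the exact username and realm.
    secret = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    ha1, ha2 = _md5(a1).hex(), _md5(a2).hex()
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hex()


def server_accepts(stored_password, username, realm, client_response, challenge):
    """Hypothetical server check: recompute from the stored value and compare."""
    expected = digest_md5_response(username, realm, stored_password, **challenge)
    return hmac.compare_digest(expected, client_response)


# Test vector from RFC 2831 section 4 (password "secret").
CHALLENGE = {"nonce": "OA6MG9tEQGm2hh", "cnonce": "OA6MHXh6VqTrRk",
             "digest_uri": "imap/elwood.innosoft.com"}
USER, REALM, PASSWORD = "chris", "elwood.innosoft.com", "secret"
CLIENT_RESPONSE = digest_md5_response(USER, REALM, PASSWORD, **CHALLENGE)

# Constructed sample: the same password as a hashed userPassword value.
HASHED = "{SHA}" + base64.b64encode(hashlib.sha1(PASSWORD.encode()).digest()).decode()
# Constructed sample: a full DN where the client used the bare uid.
FULL_DN = "uid=chris,ou=users,dc=example,dc=com"

if __name__ == "__main__":
    print("response:        ", CLIENT_RESPONSE)
    print("cleartext stored:", server_accepts(PASSWORD, USER, REALM, CLIENT_RESPONSE, CHALLENGE))
    print("hashed stored:   ", server_accepts(HASHED, USER, REALM, CLIENT_RESPONSE, CHALLENGE))
    print("DN vs. bare uid: ", server_accepts(PASSWORD, FULL_DN, REALM, CLIENT_RESPONSE, CHALLENGE))
    print("other realm:     ", server_accepts(PASSWORD, USER, "example.com", CLIENT_RESPONSE, CHALLENGE))
```

Only the first check succeeds: a server holding a one-way hash of the password cannot rebuild the inner `username:realm:password` hash, and any difference in the user name or realm string changes the response.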


