directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lécharny <>
Subject Re: SASL DIGEST-MD5 Authentication
Date Wed, 06 Aug 2014 23:30:21 GMT
Le 07/08/14 00:40, Ike Ikonne a écrit :
> Hi,
> I use JNDI API  on JRE 1.7  to establish connection to APACHE DS.
> I am able to establish SIMPLE authentication to APACHE DS, I am 
> just trying to get DIGEST-MD5 to work.  Here are my enironment:
>          Hashtable env = new Hashtable();
>         env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
>         if (authMethod != null)
>             env.put(Context.SECURITY_AUTHENTICATION, authMethod);
>         if (principal != null)
>             env.put(Context.SECURITY_PRINCIPAL, principal);
>         if (credentials != null)
>             env.put(Context.SECURITY_CREDENTIALS, credentials);
>         if (referral != null)
>             env.put(Context.REFERRAL, referral);
>         if (ldapVer != null)
>             env.put("java.naming.ldap.version", ldapVer);
>        env.put("", "");
> Tell me, do I need to configure the realm or is it
> configured as a default by APACHE DS?

It's not configured by default. The configuration file should contain
the elements required for SASL to work :

         +--ads-serverId=ldapServer   <-- here, declare the saslHost (localhost, or your
server name), saslQop set to auth, saslRealms

Here are the entries to add :

objectclass: ads-server
objectclass: ads-ldapServer
objectclass: ads-dsBasedServer
objectclass: ads-base
objectclass: top
ads-serverId: ldapServer
ads-confidentialityRequired: FALSE
ads-maxSizeLimit: 1000
ads-maxTimeLimit: 15000
ads-maxpdusize: 2000000
ads-saslHost:        <----------- Set this to your
server's host
ads-saslPrincipal: ldap/
ads-searchBaseDN: ou=users,ou=system  <----------- Be sure to store the
users you want to authent here, or change this value
ads-replEnabled: true
ads-replPingerSleep: 5
ads-enabled: TRUE

ou: saslMechHandlers
objectclass: organizationalUnit
objectclass: top

objectclass: ads-saslMechHandler
objectclass: ads-base
objectclass: top
ads-saslMechName: DIGEST-MD5
ads-enabled: TRUE

I think the trouble you have is with the missing twoi entries, which are
used to enable the SASL DIGEST-MD5 mechanism.

I'm going to crash, so I won't be able to provide direction for the next
few hours. Just keep me informed.

Note : I think we will need to update the doco at some point... Sorry
for that !

View raw message