directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: SASL DIGEST-MD5 Authentication
Date Thu, 07 Aug 2014 17:24:52 GMT
On Thu, Aug 7, 2014 at 10:46 PM, Ike Ikonne <iikonne@us.ibm.com> wrote:

> Hi Kiran,
>
> I have modified the hosts file where my Apache DS and client
> are running to:
>
> # localhost name resolution is handled within DNS itself.
>         127.0.0.1       localhost
>         127.0.0.1       example.com
> #       ::1             localhost
>
>
> Here is my Apache DS configuration:
>
> dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
> objectclass: top
> objectclass: ads-base
> objectclass: ads-dsBasedServer
> objectclass: ads-ldapServer
> objectclass: ads-server
> ads-confidentialityrequired: FALSE
> ads-maxpdusize: 2000000
> ads-maxsizelimit: 1000
> ads-maxtimelimit: 15000
> ads-replenabled: true
> ads-replpingersleep: 5
> ads-saslhost: iikonne.xxx.xxx.com <------------
> ads-saslprincipal: ldap/ldap.example.com@EXAMPLE.COM
> ads-saslrealms: example.com <------
> ads-saslrealms: apache.org
> ads-serverid: ldapServer
> ads-enabled: TRUE
> ads-searchbasedn: ou=system  <------
>
>
> But, I still continue to get the error message:
>
> LDAP: error code 49 - INVALID_CREDENTIALS: DIGEST-MD5: digest response format violation. Nonexistent realm: example.com
>
> What could I still be doing wrong?
>
Make sure the credentials are stored in plain text in the server.
By default they are all hashed, and you need to disable the hashing
interceptor:
1. Go to
ads-interceptorId=passwordHashingInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
2. Set ads-enabled to FALSE.
3. Restart the server.

>
>
> Thanks,
>
> Ike
>
>
>
>
>
>
> From:   Kiran Ayyagari <kayyagari@apache.org>
> To:     "users@directory.apache.org" <users@directory.apache.org>,
> Date:   08/07/2014 12:08 AM
> Subject:        Re: SASL DIGEST-MD5 Authentication
>
>
>
> On Thu, Aug 7, 2014 at 4:10 AM, Ike Ikonne <iikonne@us.ibm.com> wrote:
>
> > Hi,
> >
> > I use JNDI API  on JRE 1.7  to establish connection to APACHE DS.
> > I am able to establish SIMPLE authentication to APACHE DS, I am
> > just trying to get DIGEST-MD5 to work.  Here is my environment:
> >
> >         Hashtable env = new Hashtable();
> >         env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
> >
> >         if (authMethod != null)
> >             env.put(Context.SECURITY_AUTHENTICATION, authMethod);
> >         if (principal != null)
> >             env.put(Context.SECURITY_PRINCIPAL, principal);
> >         if (credentials != null)
> >             env.put(Context.SECURITY_CREDENTIALS, credentials);
> >         if (referral != null)
> >             env.put(Context.REFERRAL, referral);
> >         if (ldapVer != null)
> >             env.put("java.naming.ldap.version", ldapVer);
> >         env.put("java.naming.security.sasl.realm", "example.com");
> >
> > Tell me, do I need to configure the example.com realm or is it
> > configured as a default by APACHE DS?
> >
> You must be able to resolve your realm name (here example.com); either
> add an entry in your hosts file or in your internal DNS server.
>
> >
> > Thanks,
> >
> > Ike
> >
> >
> >
> >
> > From:   Emmanuel Lécharny <elecharny@gmail.com>
> > To:     users@directory.apache.org,
> > Date:   08/06/2014 04:28 PM
> > Subject:        Re: SASL DIGEST-MD5 Authentication
> >
> >
> >
> > On 06/08/14 22:40, Ike Ikonne wrote:
> > > Hi all,
> > >
> > > Again, thanks all for your response;  so, do I need to make any
> > > external configuration other than the configuration to the APACHE DS?
> > > How do I change the default realm to point to my domain realm?
> > > Do I need to install/setup cyrus-sasl library to make this to work?
> >
> > No. We depend on the JVM which supports SASL.
> >
> > What client are you using ?
> >
> >
> >
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
>


-- 
Kiran Ayyagari
http://keydap.com
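
Why the plain-text requirement in the reply above exists, as an added example (not part of the original thread and not ApacheDS code): per RFC 2831 the DIGEST-MD5 response is built from MD5(username:realm:password), so a server that holds only a salted hash of the password cannot recompute it, and a different realm changes the result. The exchange values are the worked example from RFC 2831; the function names and the SSHA salt are constructed for illustration.

```python
import base64
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def user_hash(username: str, realm: str, password: str) -> bytes:
    # H(username:realm:password): the realm is part of the secret, so client
    # and server must agree on it exactly.
    return md5(f"{username}:{realm}:{password}".encode())

def digest_response(secret: bytes, nonce, cnonce, nc, qop, digest_uri) -> str:
    # RFC 2831 response-value for qop=auth, no authzid.
    ha1 = md5(secret + f":{nonce}:{cnonce}".encode()).hex()
    ha2 = md5(f"AUTHENTICATE:{digest_uri}".encode()).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()

def ssha(password: str, salt: bytes) -> str:
    # Salted SHA-1 in the common LDAP {SSHA} userPassword encoding.
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def server_verify(stored: str, username: str, realm: str,
                  exchange: dict, response: str) -> bool:
    # The server can only feed the stored userPassword value into the formula.
    expected = digest_response(user_hash(username, realm, stored), **exchange)
    return hmac.compare_digest(expected, response)

# Exchange values from the RFC 2831 example (password "secret").
USER, REALM, PASSWORD = "chris", "elwood.innosoft.com", "secret"
EXCHANGE = dict(nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
                nc="00000001", qop="auth",
                digest_uri="imap/elwood.innosoft.com")

def client_response() -> str:
    return digest_response(user_hash(USER, REALM, PASSWORD), **EXCHANGE)

if __name__ == "__main__":
    resp = client_response()
    print("client response:", resp)
    print("plain text stored:", server_verify(PASSWORD, USER, REALM, EXCHANGE, resp))
    hashed = ssha(PASSWORD, b"constructed-salt")  # constructed sample salt
    print("SSHA stored:", server_verify(hashed, USER, REALM, EXCHANGE, resp))
    print("other realm:", server_verify(PASSWORD, USER, "example.com", EXCHANGE, resp))
```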
