qpid-users mailing list archives

From fadams <fraser.ad...@blueyonder.co.uk>
Subject Re: Authentication newbie help sought - I'm afraid I'm failing at the first hurdle :-(
Date Tue, 04 Oct 2011 20:08:12 GMT
Hi again all.
Firstly apologies. I've just noticed that some of my recent posts have gone
to the wrong threads in Nabble. I've recently been using Thunderbird and I
simply changed the subject line in a reply to all and Nabble seemed to link
the new post with the original thread. Sorry again!!

So, to authentication problems...

I've just got further, but it seems plain WRONG.
So, I'm running Ubuntu and I noticed that I've got a file "/etc/sasldb2"
(weird location!)

In the spirit of nothing ventured nothing gained I did:
sudo saslpasswd2 -u QPID guest

Sure enough
sudo sasldblistusers2
gave
guest@QPID: userPassword

And when I did sudo qpidd my clients authenticated and ran.

But this seems to suggest that
a) The default locations for the sasl config don't seem to be being picked
up (in my case I installed qpid to /usr/local)
/usr/local/etc/sasl2/qpidd.conf
/usr/local/var/lib/qpidd/qpidd.sasldb

and
b) The "--sasl-config" option on the broker (I've been trying 0.10 for this
stuff) seems to be broken

I'd really appreciate some advice, I'm far from an expert in this stuff and
it seems rather obtuse to me. Could someone please explain exactly what
paths qpid (or is it libsasl) ends up looking through.

Clearly I can play in /etc/sasldb2 on a box I've got privileges on, but I'd
really much rather be able to specify where my sasl config comes from rather
than have to rely on some Byzantine voodoo magic :-(

MTIA
Frase


Fraser Adams wrote:
> Hi all,
> I thought I'd have an initial play with authentication, but I'm afraid
> that I seem to be failing at the first hurdle.
>
> So what I've done so far is:
>
> I knew that there are potential issues with permissions with the
> qpidd.sasldb so my first step was to copy etc/sasl2/qpidd.conf and
> qpidd.sasldb to my home directory (just to make things easier while I'm
> playing). I modified qpidd.conf with
> sasldb_path: /home/fadams/qpidd.sasldb
>
> I checked
> sasldblistusers2 -f /home/fadams/qpidd.sasldb
> and got (as expected)
> guest@QPID: userPassword
>
> and was able to add other users using
> saslpasswd2 -f /home/fadams/qpidd.sasldb -u QPID fadams
>
> So I started qpidd as myself with:
> qpidd --sasl-config /home/fadams/qpidd.conf -t
>
> And in the trace I got:
> 2011-10-04 18:57:59 info SASL: config path set to /home/fadams/qpidd.conf
> 2011-10-04 18:57:59 info SASL enabled
> 2011-10-04 18:57:59 notice Listening on TCP port 5672
> 2011-10-04 18:57:59 info Policy file not specified. ACL Disabled, no ACL
> checking being done!
> 2011-10-04 18:57:59 notice Broker running
> 2011-10-04 18:58:04 debug RECV [127.0.0.1:5672-127.0.0.1:35444] INIT(0-10)
> 2011-10-04 18:58:04 debug External ssf=0 and auth=
> 2011-10-04 18:58:04 debug min_ssf: 0, max_ssf: 256, external_ssf: 0
> 2011-10-04 18:58:04 info SASL: Mechanism list: NTLM CRAM-MD5 LOGIN
> DIGEST-MD5 ANONYMOUS PLAIN
>
> Which looked OK to me.
>
> However I then tried to connect with a Java consumer using a fairly basic
> connection URL
>
> connectionfactory.ConnectionFactory =
> amqp://guest:guest@clientid/test?brokerlist='tcp://localhost:5672'
>
> Which failed with "session creation failed"
>
> And a broker trace of:
>
> 2011-10-04 18:58:04 trace SENT [127.0.0.1:5672-127.0.0.1:35444]:
> Frame[BEbe; channel=0; {ConnectionStartBody:
> server-properties={qpid.federation_tag:V2:36:str16(04cb2a36-ccaa-4762-9e9a-56329c267085)};
> mechanisms=str16{V2:4:str16(NTLM), V2:8:str16(CRAM-MD5),
> V2:5:str16(LOGIN), V2:10:str16(DIGEST-MD5), V2:9:str16(ANONYMOUS),
> V2:5:str16(PLAIN)}; locales=str16{V2:5:str16(en_US)}; }]
> 2011-10-04 18:58:04 trace RECV [127.0.0.1:5672-127.0.0.1:35444]:
> Frame[BEbe; channel=0; {ConnectionStartOkBody:
> client-properties={clientName:V2:8:str16(clientid),qpid.client_pid:F4:int32(7032),qpid.client_process:V2:16:str16(Qpid
> Java Client),qpid.session_flow:F4:int32(1)}; mechanism=PLAIN;
> response=xxxxxx; }]
> 2011-10-04 18:58:04 debug SASL: Starting authentication with mechanism:
> PLAIN
> 2011-10-04 18:58:04 info SASL: Authentication failed for
> guest@QPID:SASL(-13): user not found: Password verification failed
> 2011-10-04 18:58:04 debug Exception constructed: Authentication failed
> 2011-10-04 18:58:04 debug SEND raiseEvent (v1)
> class=org.apache.qpid.broker.clientConnectFail
> 2011-10-04 18:58:04 debug SEND raiseEvent (v2)
> class=org.apache.qpid.broker.clientConnectFail
> 2011-10-04 18:58:04 trace SENT [127.0.0.1:5672-127.0.0.1:35444]:
> Frame[BEbe; channel=0; {ConnectionCloseBody: reply-code=320;
> reply-text=connection-forced: Authentication failed; }]
> 2011-10-04 18:58:04 trace RECV [127.0.0.1:5672-127.0.0.1:35444]:
> Frame[BEbe; channel=0; {ConnectionCloseOkBody: }]
> 2011-10-04 18:58:04 debug DISCONNECTED [127.0.0.1:5672-127.0.0.1:35444]
>
>
> I also tried explicitly setting the realm using:
> qpidd --sasl-config /home/fadams/qpidd.conf --realm QPID -t
>
> but that was equally unsuccessful.
>
> Finally as much out of desperation as anything I tried:
> sudo qpidd -t
>
> which clearly should have picked up the default stuff in the default
> qpidd.sasldb locations and clearly would have the correct read
> permissions. Again I got:
>
> 2011-10-04 19:41:59 info SASL: Authentication failed for
> guest@QPID:SASL(-13): user not found: Password verification failed
>
>
>
> I'd be really grateful if someone who knows about this stuff could suggest
> what I've done wrong. I can't see why I should be getting "user not found"
> with a fairly vanilla set up.
>
> MTIA
> Frase
>
> ---------------------------------------------------------------------
> Apache Qpid - AMQP Messaging Implementation
> Project:      http://qpid.apache.org
> Use/Interact: mailto:users-subscribe@qpid.apache.org
>
>


--
View this message in context: http://apache-qpid-users.2158936.n2.nabble.com/Re-Authentication-newbie-help-sought-I-m-afraid-I-m-failing-at-the-first-hurdle-tp6859963p6859963.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.
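
A small diagnostic for the situation described in this message, added here as an example and not part of the original post or of Qpid: it reads a SASL application config such as the qpidd.conf above, reports which sasldb_path it names, and checks that the file exists and is readable by the user who will run the broker. The function names and the /etc/sasldb2 fallback (the file the post found in use) are assumptions.

```shell
#!/bin/sh
# Added example: resolve which sasldb a SASL application config selects.

# Fallback used when the config has no sasldb_path line. /etc/sasldb2 is the
# file the post found in use on Ubuntu; other builds may differ (assumption).
DEFAULT_SASLDB="${DEFAULT_SASLDB:-/etc/sasldb2}"

# Print the value of sasldb_path from a "key: value" config file,
# or the fallback when the file or the key is absent.
sasldb_for_config() {
    conf="$1"
    path=""
    if [ -f "$conf" ]; then
        # Take the first sasldb_path line; strip key, blanks and any CR.
        path=$(sed -n 's/^[[:space:]]*sasldb_path[[:space:]]*:[[:space:]]*//p' "$conf" \
               | head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//')
    fi
    printf '%s\n' "${path:-$DEFAULT_SASLDB}"
}

# Classify the database for the user running this script (run it as the
# broker's user): prints "ok", "unreadable" or "missing", then the path.
check_sasldb() {
    db=$(sasldb_for_config "$1")
    if [ ! -e "$db" ]; then
        state=missing
    elif [ ! -r "$db" ]; then
        state=unreadable
    else
        state=ok
    fi
    printf '%s %s\n' "$state" "$db"
}

# List the user@realm entries (what the post did by hand), if the tool exists.
list_sasl_users() {
    db=$(sasldb_for_config "$1")
    if command -v sasldblistusers2 >/dev/null 2>&1 && [ -r "$db" ]; then
        sasldblistusers2 -f "$db"
    else
        echo "cannot list users in $db" >&2
        return 1
    fi
}

# Stand-alone use: sh check.sh /path/to/qpidd.conf
if [ "$#" -gt 0 ]; then
    check_sasldb "$1"
fi
```

Comparing the path this prints with the file that saslpasswd2 actually wrote to shows whether the broker and the password tool are looking at the same database.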
