qpid-users mailing list archives

From Gordon Sim <g...@redhat.com>
Subject Re: Is it normal to have to turn SASL off to get qpid-config and qpid-stat to work with SSL?
Date Fri, 12 Aug 2016 08:46:11 GMT
On 12/08/16 04:39, Jeff Donner wrote:
> Hi -- the only way I can get the tools qpid-config and qpid-stat to talk to qpidd (the
> broker) is to turn off SASL, which I do with
>
>   qpidd --auth=no (.. other flags)
>
> Is it advisable / ok to do that, if you otherwise have a good, SSL dual-authentication
> certificate exchange working?
> I've tried with SASL on, and using both --sasl-mechanism=PLAIN and --sasl-mechanism=EXTERNAL,
> with no success.
>
> I can leave SASL on and get the same cross-authentication going from a simple C++ client
> (which uses EXTERNAL).
>
> Is this known about the tools - or is there something I'm missing? I've tried the tools
> both with the fully-(SASL)qualified url, eg: --broker=amqps://admin/morpho@localhost:5671
> and without, and variations. And had the database set up I believe properly, too:
>
> # passwords both 'morpho'
>   qpidd$ sudo sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
>   qpid-admin@QPID: userPassword
>   admin@QPID: userPassword
>
> # system SASL + qpidd points to the above db
> sasl2$ less /etc/sasl2/qpidd.conf
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> sasldb_path: /var/lib/qpidd/qpidd.sasldb
> mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN
>
> I'm happy not to use SASL, I just wonder whether I've missed something.


If you allow ANONYMOUS, that allows someone to connect without 
authenticating, so I would remove that mech from the mech_list.

For EXTERNAL, you need to have the swigged wrapper for cyrus-sasl[1]. If 
you don't have that, that could explain why EXTERNAL doesn't work. What 
error do you get if you try to use EXTERNAL?

For PLAIN, have you verified that the username and password work when 
connecting over plain TCP (i.e. non-SSL)? Does it work from the C++ client?

Try turning on protocol tracing on the broker (e.g. --log-enable notice+ 
--log-enable trace+:Protocol) and see what mechanisms the broker is 
offering.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
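The reply above recommends dropping ANONYMOUS from the mech_list because it lets a client connect without authenticating. The following is an added example, not code from the thread or from Apache Qpid: a small audit of a Cyrus SASL config in the /etc/sasl2/qpidd.conf format, run over a constructed copy of the configuration quoted in the question. The `tls_only` flag (meaning the broker exposes no plain-TCP listener, so PLAIN's cleartext password is always inside TLS) and the wording of the findings are this example's own assumptions.

```python
"""Audit a Cyrus SASL config (the /etc/sasl2/qpidd.conf format) for qpidd.

Added example, not part of the original thread or of Apache Qpid.
Assumptions: the finding texts, the severity labels and the `tls_only`
deployment flag are this example's own; the sample config is a
constructed copy of the one quoted in the question.
"""

# Constructed copy of the config quoted in the thread (the weak setting).
SASL_CONF_WEAK = """\
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /var/lib/qpidd/qpidd.sasldb
mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN
"""

# Mechanisms that perform no authentication at all.
UNAUTHENTICATED = {"ANONYMOUS"}
# Mechanisms that send the password in the clear, so they need TLS.
CLEARTEXT_PASSWORD = {"PLAIN", "LOGIN"}


def parse_sasl_conf(text):
    """Parse 'key: value' lines; '#' starts a comment, keys are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def mech_list(conf):
    """Return the offered mechanisms, upper-cased, in configured order."""
    return [m.upper() for m in conf.get("mech_list", "").split()]


def audit(conf, tls_only=True):
    """Return (severity, message) findings for the configured mech_list."""
    findings = []
    mechs = mech_list(conf)
    if not mechs:
        # Without mech_list, libsasl offers every installed mechanism.
        findings.append(("warn", "no mech_list: every installed mechanism is offered"))
    for m in mechs:
        if m in UNAUTHENTICATED:
            findings.append(("high", f"{m} lets clients connect without authenticating"))
        elif m in CLEARTEXT_PASSWORD and not tls_only:
            findings.append(("high", f"{m} sends the password in the clear on non-TLS listeners"))
    return findings


def harden(text, drop=frozenset(UNAUTHENTICATED)):
    """Return the config text with the given mechanisms removed from mech_list.

    Other lines (sasldb_path and friends) are passed through unchanged.
    """
    out = []
    for raw in text.splitlines():
        if raw.lower().startswith("mech_list:"):
            kept = [m for m in raw.split(":", 1)[1].split() if m.upper() not in drop]
            raw = "mech_list: " + " ".join(kept)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    weak = parse_sasl_conf(SASL_CONF_WEAK)
    for severity, message in audit(weak):
        print(f"[{severity}] {message}")
    print("--- hardened config ---")
    print(harden(SASL_CONF_WEAK), end="")
```

After writing the hardened file, restart qpidd and re-check which mechanisms the broker actually advertises with the protocol trace the reply suggests (`--log-enable trace+:Protocol`); the file on disk and the list the broker offers are two different things, and only the second one matters to the client.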

