Subject: Re: [LDAP API] SASL Realm name format when binding against Microsoft AD
From: Kiran Ayyagari
To: api@directory.apache.org, "users@directory.apache.org"
Date: Tue, 11 Mar 2014 18:26:34 +0530

On Tue, Mar 11, 2014 at 4:38 PM, Andrew Hastie wrote:

> Hi all.
>
> I am looking for some advice on the following topic and hoping someone out
> there may have hit the same problem before:
>
> I'm experimenting with the API in an attempt to authenticate a
> User+Password combination against an instance of MS Active Directory. My
> problem occurs when I use the SASL Mechanism "DIGEST-MD5", and relates to
> how I set the value for the SASL Realm. Here's an example of what I see:
>
> 1. I have a standard user account in the MS Active Directory.
> 2. Say the Windows "Realm" is COMPANY1 and my userID is "somebody"
>
> If I set the UserID to "somebody" and the Realm to "COMPANY1", this works
> OK.
> If I set the UserID to "somebody" and the Realm to "company1", this works
> OK.
> But if I set the UserID to "somebody" and the Realm to "Company1", the bind
> request is rejected.
>

Looks like AD is rejecting the last realm name; check the server settings. The LDAP API doesn't modify or make use of this value other than passing it to the server.

> I have read in several places that the Realm name when using
> GSSAPI/Kerberos should be supplied in upper case, so I guess there must be
> something connected with case sensitivity somewhere.
>

Realm names are case-sensitive (they need not be in upper case, but that is a general convention to distinguish them from DNS host names).

> Is anyone able to shed any light as to where I am going wrong here?
>
> Thanks
> Andrew
>

--
Kiran Ayyagari
http://keydap.com
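Added example (not part of the original message or of the Apache LDAP API): the DIGEST-MD5 response computation from RFC 2831 for qop=auth without an authzid, showing that the realm string is hashed byte-for-byte, so each casing of the realm yields a different response that the server has to be able to reproduce. The password, nonces and digest-uri host below are constructed sample values; only "somebody" and the three realm spellings come from the thread.

```python
import hashlib


def digest_md5_response(username, realm, password, nonce, cnonce,
                        digest_uri, nc="00000001", qop="auth"):
    """Return the RFC 2831 response-value (qop=auth, no authzid)."""
    # Inner secret: raw MD5 over "username:realm:password".
    # The realm is not normalized here, so its case changes the result.
    secret = hashlib.md5(
        f"{username}:{realm}:{password}".encode("utf-8")).digest()
    # A1 = H(username:realm:password) ":" nonce ":" cnonce
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    # A2 = "AUTHENTICATE:" digest-uri
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    # response = HEX(H(HEX(H(A1)) : nonce : nc : cnonce : qop : HEX(H(A2))))
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")
    return hashlib.md5(kd).hexdigest()


def responses_by_realm(realms, **params):
    """Compute the response for each realm spelling, all else equal."""
    return {r: digest_md5_response(realm=r, **params) for r in realms}


# Constructed sample values (not taken from the thread or a real server).
SAMPLE = dict(
    username="somebody",
    password="constructed-password",
    nonce="constructed-server-nonce",
    cnonce="constructed-client-nonce",
    digest_uri="ldap/dc1.company1.example",
)

if __name__ == "__main__":
    realms = ["COMPANY1", "company1", "Company1"]
    for realm, resp in responses_by_realm(realms, **SAMPLE).items():
        print(f"{realm:<10} {resp}")
```

Because the three responses differ, a bind succeeds only for realm spellings for which the server can compute the same digest, which is why the server-side handling of the realm decides the outcome.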