Relating to my other question: UnboundID LDAP DIGEST-MD5 binding cause NPE

I'm using ApacheDS as the server and UnboundID as the API.

I followed the suggested answer and the NPE is gone. However, now I'm getting this error.

LDAPException(resultCode=49 (invalid credentials), errorMessage='INVALID_CREDENTIALS: DIGEST-MD5: cannot acquire password for 'dn:uid=blah,ou=dev,dc=blah,dc=com in realm : mizar.com', diagnosticMessage='INVALID_CREDENTIALS: DIGEST-MD5: cannot acquire password for dn:uid=blah,ou=dev,dc=blah,dc=com in realm : blah.com')
at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:1881)
at UnboundDemo.main(UnboundDemo.java:40)

Code as follows:

  import com.unboundid.ldap.sdk.BindResult;
  import com.unboundid.ldap.sdk.DIGESTMD5BindRequest;
  import com.unboundid.ldap.sdk.LDAPConnection;

  LDAPConnection conn = new LDAPConnection("1.1.1.1", 389);
  DIGESTMD5BindRequest mdBind = new DIGESTMD5BindRequest("dn:uid=blah,ou=dev,dc=blah,dc=com", null, "test", "blah.com", null);
  BindResult bindResult = conn.bind(mdBind);
  System.out.println("MD5 bind success!");

Here's the ApacheDS SASL configuration from the Directory Studio config page:

SASL Host: 1.1.1.1
SASL Principal: ldap/ldap.example.com@EXAMPLE.COM 
Search Base Dn: ou=dev,dc=blah,dc=com

The ApacheDS docs didn't explain what the SASL Principal is, so I'm starting to think that it may be a misconfiguration on my part. The main idea here is to test UnboundID against a number of SASL mechanisms.


1 Answer

It is likely the case that the ApacheDS server isn't configured to store passwords in a format that allows it to determine the clear-text value for the password.

The primary attractive property of the DIGEST-MD5 and CRAM-MD5 SASL mechanisms is that the password is combined with other information and encoded with a one-way digest before being sent to the server. This ensures that the password is not transmitted in the clear, so that it is protected against anyone who can observe the communication without the need to secure the rest of the communication. However, the ability to authenticate with one of these mechanisms requires that the server be able to determine the clear-text version of the password so that it can perform the same cryptographic processing as the client.

If you're just looking to test the UnboundID LDAP SDK's ability to perform SASL authentication, then I'd recommend using the PLAIN mechanism, since it shouldn't impose any special requirements on the user entry. If you really want to use DIGEST-MD5, then you'll need to ensure that the server has access to the clear-text representations of the passwords for the users that need to authenticate with that mechanism.

Neil

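To illustrate the answer's point, here is an added Python sketch (not code from the question, from ApacheDS or from the UnboundID SDK) of the RFC 2831 DIGEST-MD5 response computation run on both the client and the server side; the user name, realm, nonces and stored password values are constructed, and the `{SSHA}` branch stands in for any one-way storage scheme.

```python
import base64
import hashlib
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_md5_response(username, realm, password, nonce, cnonce,
                        nc="00000001", qop="auth", digest_uri="ldap/blah.com"):
    """Client side: the 'response' directive of RFC 2831 section 2.1.2.1.
    A1 begins with the binary MD5 of username:realm:password, so whoever
    verifies it needs that password (or exactly that hash); nothing else will do."""
    a1 = _h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop != "auth":                 # auth-int / auth-conf append 32 zero hex digits
        a2 += b":" + b"0" * 32
    ha1, ha2 = _h(a1).hex(), _h(a2).hex()
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()

def ssha(password: str, salt: bytes) -> str:
    """A common one-way storage scheme ({SSHA}); fine for simple binds, unusable here."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def server_verify(stored, username, realm, nonce, cnonce, client_response):
    """Server side. True/False when the clear-text password is on hand; None
    (the server's 'cannot acquire password') when only a one-way hash is stored."""
    if stored.startswith("{"):        # {SSHA}, {SHA}, {CRYPT}, ...: cannot be reversed
        return None
    expected = digest_md5_response(username, realm, stored, nonce, cnonce)
    return secrets.compare_digest(expected, client_response)

if __name__ == "__main__":
    user, realm, pw = "blah", "blah.com", "test"          # constructed values
    nonce, cnonce = secrets.token_hex(16), secrets.token_hex(16)
    resp = digest_md5_response(user, realm, pw, nonce, cnonce)
    print("clear-text stored:", server_verify(pw, user, realm, nonce, cnonce, resp))
    print("{SSHA} stored:    ", server_verify(ssha(pw, secrets.token_bytes(4)),
                                              user, realm, nonce, cnonce, resp))
```

With a clear-text (or reversibly encrypted) password the server recomputes the same digest and the bind succeeds; with a salted one-way hash it has nothing to feed into A1, which is the situation behind the INVALID_CREDENTIALS result above.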