Hi Steve,

On Thursday 04 August 2005 11:52, SteveC wrote:
> I have been trying to authenticate to an Active Directory LDAP server using
> Authen::SASL::Perl::DIGEST_MD5 and am failing.  Using OpenLDAP's ldapsearch
> and the -Y DIGEST-MD5 command line option, I can authenticate with no
> problem -- so the credentials I am using are certainly correct.  However,
> with the script below I get an error code 49 -- invalid credentials.
>
>
> use Net::LDAP;
> use Authen::SASL qw/Perl/;
>
> my $host = "fqdn.of.domain.controller";    # one of our AD domain controllers
>
> my $user =  '[EMAIL PROTECTED]';                 # my UserPrincipalName in AD
> my $passwd =      'myPassword';
>
> my $sasl = Authen::SASL->new(
>             mechanism => 'DIGEST-MD5',
>             callback => {
>                 user => $user,
>                 pass => $passwd,
>             }
>           );
> my $ldap = Net::LDAP->new($host,  debug=>12, version => 3);
> my $msg = $ldap->bind("", sasl => $sasl);
> if($msg->code) {
>     print $msg->error . "\n";
> }
> else {
>     print "IT WORKED!!!\n";
>     exit(0);
> }
>
>
> The only thing of note in the AD environment is that we have multiple
> domain controllers.  This led me to look at the 'serv' callback parameter,
> as that appears to be used when there is a replicated service. One thing I
> have noticed while investigating this, is that there appears to be a bug in
> the 'serv' parameter handling of the DIGEST_MD5 module.  When this
> parameter is present, the module appends the value to digest_uri (note the
> underscore); it should do so to digest-uri.  However, even when I change
> the module and try to use this parameter I still get the same
> authentication problem. [In my testing with the 'serv' parameter, the
> $host is the fqdn of a domain controller, and the serv value was the name
> of the domain I am trying to authenticate to.]

I guess you are right with digest-uri vs. digest_uri

A few questions / requests:
- Did you replace both occurrences of 'digest_uri' with 'digest-uri'?
- Did you try the script with Authen::SASL::Cyrus as backend?
- Did you check the communication for the different implementations
   on the wire?

If not, would you mind doing so?

Thank you for your help
Peter


-- 
Peter Marschall
eMail: [EMAIL PROTECTED]
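
One way to do the on-the-wire comparison asked for above is to recompute the `response` value of a captured digest-response and see which digest-uri it was built from. This is an added example, not part of the thread and not Authen::SASL code. It implements the RFC 2831 computation for qop=auth and takes the sample exchange from RFC 2831 section 4 as input; the helper names and the appended `example.com` serv-name are assumptions made for illustration.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5 md5_hex);

# Split a digest-response (RFC 2831 section 2.1.2) into its directives.
sub parse_directives {
    my ($str) = @_;
    my %d;
    while ($str =~ /\G\s*([\w-]+)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))\s*,?/g) {
        my ($key, $val) = ($1, defined $2 ? $2 : $3);
        $val =~ s/\\(.)/$1/g;    # undo quoted-pair escaping
        $d{$key} = $val;
    }
    return \%d;
}

# Recompute the response value for qop=auth, using $uri as the digest-uri.
sub response_for {
    my ($d, $password, $uri) = @_;
    my $realm = defined $d->{realm} ? $d->{realm} : '';
    my $qop   = defined $d->{qop}   ? $d->{qop}   : 'auth';
    # A1 starts with the raw 16-byte MD5 of username:realm:password.
    my $a1 = join ':', md5(join ':', $d->{username}, $realm, $password),
                       $d->{nonce}, $d->{cnonce};
    $a1 .= ":$d->{authzid}" if defined $d->{authzid};
    my $a2 = "AUTHENTICATE:$uri";
    return md5_hex(join ':', md5_hex($a1), $d->{nonce}, $d->{nc},
                             $d->{cnonce}, $qop, md5_hex($a2));
}

# Client message from the sample exchange in RFC 2831 section 4
# (the password in that sample is "secret").
my $captured = 'charset=utf-8,username="chris",realm="elwood.innosoft.com",'
             . 'nonce="OA6MG9tEQGm2hh",nc=00000001,cnonce="OA6MHXh6VqTrRk",'
             . 'digest-uri="imap/elwood.innosoft.com",'
             . 'response=d388dad90d4bbd760a152321f2143af7,qop=auth';
my $d = parse_directives($captured);

# Candidates: the digest-uri as sent, and the same value with a serv-name
# appended (example.com is a constructed value, not from the thread).
for my $uri ($d->{'digest-uri'}, "$d->{'digest-uri'}/example.com") {
    my $ok = response_for($d, 'secret', $uri) eq lc $d->{response};
    printf "%-45s %s\n", $uri, $ok ? 'matches response' : 'does not match';
}
```

If the digest-uri directive in a captured message does not reproduce the response that travels with it, the client hashed a different string than it announced, and the server will reject the bind.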
