Re: SASL DIGEST-MD5 Authentication

[Emmanuel Lécharny]

Le 07/08/14 00:40, Ike Ikonne a écrit :
> Hi,
>
> I use JNDI API  on JRE 1.7  to establish connection to APACHE DS.
> I am able to establish SIMPLE authentication to APACHE DS, I am 
> just trying to get DIGEST-MD5 to work.  Here are my enironment:
>
>          Hashtable env = new Hashtable();
>         env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
>  
>         if (authMethod != null)
>             env.put(Context.SECURITY_AUTHENTICATION, authMethod);
>         if (principal != null)
>             env.put(Context.SECURITY_PRINCIPAL, principal);
>         if (credentials != null)
>             env.put(Context.SECURITY_CREDENTIALS, credentials);
>         if (referral != null)
>             env.put(Context.REFERRAL, referral);
>         if (ldapVer != null)
>             env.put("java.naming.ldap.version", ldapVer);
>        env.put("java.naming.security.sasl.realm", "example.com");
>
> Tell me, do I need to configure the example.com realm or is it
> configured as a default by APACHE DS?

It's not configured by default. The configuration file should contain
the elements required for SASL to work :
http://directory.apache.org/apacheds/configuration/ads-2.0-configuration.html

ou=config
 |
 +--ads-directoryServiceId=default
     |
     +--ou=servers
         |
         +--ads-serverId=ldapServer   <-- here, declare the saslHost 
(localhost, or your server name), saslQop set to auth, saslRealms
             |
             +--ou=saslMechHandlers
                 |
                 +--ads-saslMechName=DIGEST-MD5



Here are the entries to add :

dn:
ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
objectclass: ads-server
objectclass: ads-ldapServer
objectclass: ads-dsBasedServer
objectclass: ads-base
objectclass: top
ads-serverId: ldapServer
ads-confidentialityRequired: FALSE
ads-maxSizeLimit: 1000
ads-maxTimeLimit: 15000
ads-maxpdusize: 2000000
ads-saslHost: ldap.example.com        <----------- Set this to your
server's host
ads-saslPrincipal: ldap/ldap.example....@example.com
ads-saslRealms: example.com           
ads-saslRealms: apache.org
ads-searchBaseDN: ou=users,ou=system  <----------- Be sure to store the
users you want to authent here, or change this value
ads-replEnabled: true
ads-replPingerSleep: 5
ads-enabled: TRUE

dn:
ou=saslMechHandlers,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
ou: saslMechHandlers
objectclass: organizationalUnit
objectclass: top

dn:
ads-saslMechName=DIGEST-MD5,ou=saslMechHandlers,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
ads-saslMechClassName:
org.apache.directory.server.ldap.handlers.sasl.digestMD5.DigestMd5MechanismHandler
objectclass: ads-saslMechHandler
objectclass: ads-base
objectclass: top
ads-saslMechName: DIGEST-MD5
ads-enabled: TRUE


I think the trouble you have is with the missing twoi entries, which are
used to enable the SASL DIGEST-MD5 mechanism.

I'm going to crash, so I won't be able to provide direction for the next
few hours. Just keep me informed.

Note : I think we will need to update the doco at some point... Sorry
for that !