Robbie,

Thanks for your response! PN_TRACE_FRM did the trick for logging – I had tried 
various other env vars I found which had no effect. And installing 
cyrus-sasl-devel (CentOS 7) then reinstalling python-qpid-proton via pip has 
fixed the auth issue (that package wasn’t required for python-qpid+saslwrapper, 
so I hadn’t installed it).

Regards,
Ryan M. Pessa

    
    -----Original Message-----
    From: Robbie Gemmell [mailto:robbie.gemm...@gmail.com] 
    Sent: Wednesday, October 12, 2016 1:35 PM
    To: users@qpid.apache.org
    Subject: Re: Proton Python: SASL SCRAM-SHA-1 doesn't work
    
    I'm no expert with the Python bits, or the cyrus SASL bits, but I believe I 
have used SCRAM-SHA-1 with them in the past.
    
    Do you have the cyrus '-devel' package(s) installed? That might come into 
play as to whether it can actually use the mechanisms once built.
    
    You should be able to get a protocol trace log by setting PN_TRACE_FRM=1
    
    It would likely help others answer if you could elaborate on things like 
what OS you are using and how you are installing the various bits, perhaps even 
the output while doing so.
    
    Robbie
    
    On 12 October 2016 at 18:55, Ryan Pessa <ryan.pe...@ijettechnologies.com> 
wrote:
    > I cannot get Proton Python 0.14.0 to work with SASL SCRAM-SHA-1. The 
server is set up properly – there are other clients connecting just fine, 
including one application using the older python-qpid library, which have no 
issues using this mech. Proton itself refuses to provide any real logging, 
unlike python-qpid where enabling logging was trivial, so all I have from that 
side is:
    > [D 161012 17:31:41 reactor:545] connecting to 
amqp://**:**@172.17.42.1:5672/INCOMING...
    > [E 161012 17:31:41 handlers:404] amqp:unauthorized-access: 
    > Authentication failed [mech=(null)]
    >
    > We’re using a MessagingHandler inside a Container with the following:
    >     def on_start(self, event: Any) -> None:
    >         conn = event.container.connect(self.url, sasl_enabled=True, 
allowed_mechs='SCRAM-SHA-1')
    >         event.container.create_receiver(conn)
    >
    > On the server (Qpid C++ broker) I see the following log (info+, 
trace+:Security, trace+:Protocol):
    > 2016-10-12 17:31:41 [Network] info Set TCP_NODELAY on connection to 
    > 172.17.42.1:37772
    > 2016-10-12 17:31:41 [Broker] info Using AMQP 1.0 (with SASL layer)
    > 2016-10-12 17:31:41 [Security] debug External ssf=0 and auth=
    > 2016-10-12 17:31:41 [Security] debug min_ssf: 0, max_ssf: 256, 
    > external_ssf: 0
    > 2016-10-12 17:31:41 [Security] trace ACL ConnectionCounter new 
    > connection: qpid.172.17.42.2:5672-172.17.42.1:37772
    > 2016-10-12 17:31:41 [Security] info SASL: Mechanism list: SCRAM-SHA-1
    > 2016-10-12 17:31:41 [Security] trace Completed encoding of frame of 33 
    > bytes
    > 2016-10-12 17:31:41 [Protocol] debug 
    > qpid.172.17.42.2:5672-172.17.42.1:37772 Sent 
    > SASL-MECHANISMS(SCRAM-SHA-1) 33
    > 2016-10-12 17:31:41 [Protocol] debug 
    > qpid.172.17.42.2:5672-172.17.42.1:37772 writing protocol header: 1-0
    > 2016-10-12 17:31:41 [Security] trace 
    > qpid.172.17.42.2:5672-172.17.42.1:37772 Sasl::encode(65536): 41
    > 2016-10-12 17:31:41 [Security] info 
    > qpid.172.17.42.2:5672-172.17.42.1:37772 Connection closed prior to 
    > authentication completing
    > 2016-10-12 17:31:41 [Security] info 
    > qpid.172.17.42.2:5672-172.17.42.1:37772 Connection closed prior to 
    > authentication completing
    > 2016-10-12 17:31:41 [Security] trace ACL ConnectionCounter closed: 
qpid.172.17.42.2:5672-172.17.42.1:37772, userId:
    >
    > On the client side, the appropriate plugin exists:
    > Plugin "scram" [loaded],      API version: 4
    >       SASL mechanism: SCRAM-SHA-1, best SSF: 0
    >       security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
    >       features: PROXY_AUTHENTICATION|CHANNEL_BINDING
    >
    > And just to be sure, after making sure the plugin was installed, I 
removed and reinstalled Proton, which didn’t help.
    >
    > This message and its attachments are the property of iJet Technologies, 
Inc. and are intended solely for the use of the designated recipient(s) and 
their appointed delegates. This email may contain information that is 
confidential. If you are not the intended recipient, you are prohibited from 
printing, copying, forwarding or saving any portion of the message or 
attachments. Please delete the message and attachments and notify the sender 
immediately. Thank you for your cooperation.
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org For additional 
commands, e-mail: users-h...@qpid.apache.org
    
    

Reply via email to