On 06/10/11 09:24 +0000, Juergen.Sprenger@swisscom.com wrote:
Hi,
I am trying to authenticate an Oracle db user against OpenLDAP.
Porting of schema information is ok, ssl-handshake ok, sasl-bind seems ok, SASL works:
ldapwhoami -U testuser -R us.oracle.com -H ldap:/// -Y DIGEST-MD5 SASL/DIGEST-MD5 authentication started Please enter your password: SASL username: testuser SASL SSF: 128 SASL data security layer installed. dn:cn=testuser,cn=users,dc=its
Trying to authenticate the oracle-client throws a 'bad digest-uri'-error assuming digest-uri="ldap:/us.oracle.com":
conn=1014 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication failure: bad digest-uri: doesn't match service
On the Oracle client: SQL> connect testuser Enter password: ERROR: ORA-28043: invalid bind credentials for DB-OID connection
Warning: You are no longer connected to ORACLE. SQL>
Any suggestions how to make digest-uri match service?
You could try configuring sasl-host/olcSaslHost and sasl-realm/olcSaslRealm to influence how libsasl2 initializes the DIGEST-MD5 plugin.
Another option is to use a different mechanism (DIGEST-MD5 has been obsoleted by the IETF in RFC 6331). If you do not have a way to specify the mechanism within your Oracle client, you can restrict which mechanisms are offered by the server, by configuring a libsasl2 slapd.conf (e.g. /usr/lib/sasl2/slapd.conf) with:
mech_list: <space separated mechanism list>
Use pluginviewer (or saslpluginviewer) to list the available mechanisms on the server.