Hi,
I am trying to authenticate an Oracle db user against OpenLDAP.
Porting of the schema information is OK, the SSL handshake is OK, the SASL bind seems OK, SASL works:

ldapwhoami -U testuser -R us.oracle.com -H ldap:/// -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: testuser
SASL SSF: 128
SASL data security layer installed.
dn:cn=testuser,cn=users,dc=its
Trying to authenticate the Oracle client throws a 'bad digest-uri' error, assuming digest-uri="ldap:/us.oracle.com":
ber_dump: buf=60b898 ptr=60b8c7 end=60b9e3 len=284
0000: 00 82 01 18 04 0a 44 49 47 45 53 54 2d 4d 44 35 ......DIGEST-MD5
0010: 04 82 01 08 64 69 67 65 73 74 2d 75 72 69 3d 22 ....digest-uri="
0020: 6c 64 61 70 3a 2f 75 73 2e 6f 72 61 63 6c 65 2e ldap:/us.oracle.
0030: 63 6f 6d 22 2c 6d 61 78 62 75 66 3d 36 35 35 33 com",maxbuf=6553
0040: 36 2c 63 68 61 72 73 65 74 3d 75 74 66 2d 38 2c 6,charset=utf-8,
0050: 71 6f 70 3d 61 75 74 68 2c 75 73 65 72 6e 61 6d qop=auth,usernam
0060: 65 3d 22 63 6e 3d 6c 64 61 70 74 65 73 74 2c 63 e="cn=ldaptest,c
0070: 6e 3d 6f 72 61 63 6c 65 63 6f 6e 74 65 78 74 2c n=oraclecontext,
0080: 64 63 3d 69 74 73 22 2c 6e 6f 6e 63 65 3d 22 30 dc=its",nonce="0
0090: 2f 41 41 52 37 47 39 48 39 2f 44 72 34 56 36 32 /AAR7G9H9/Dr4V62
00a0: 6f 50 54 6c 45 48 75 36 56 72 6b 41 46 6f 33 52 oPTlEHu6VrkAFo3R
00b0: 66 31 56 30 6b 73 35 47 71 6f 3d 22 2c 63 6e 6f f1V0ks5Gqo=",cno
00c0: 6e 63 65 3d 22 38 35 33 32 33 35 45 30 44 39 38 nce="853235E0D98
00d0: 41 32 37 39 43 43 30 36 30 34 45 45 39 31 36 31 A279CC0604EE9161
00e0: 34 42 39 30 38 22 2c 6e 63 3d 30 30 30 30 30 30 4B908",nc=000000
00f0: 30 31 2c 72 65 73 70 6f 6e 73 65 3d 37 33 61 64 01,response=73ad
0100: 37 38 31 33 64 31 39 38 34 37 38 63 34 39 37 65 7813d198478c497e
0110: 64 66 30 63 31 36 61 36 61 32 34 36 df0c16a6a246
ber_scanf fmt (m) ber:
ber_dump: buf=60b898 ptr=60b8d7 end=60b9e3 len=268
0000: 00 82 01 08 64 69 67 65 73 74 2d 75 72 69 3d 22 ....digest-uri="
0010: 6c 64 61 70 3a 2f 75 73 2e 6f 72 61 63 6c 65 2e ldap:/us.oracle.
0020: 63 6f 6d 22 2c 6d 61 78 62 75 66 3d 36 35 35 33 com",maxbuf=6553
0030: 36 2c 63 68 61 72 73 65 74 3d 75 74 66 2d 38 2c 6,charset=utf-8,
0040: 71 6f 70 3d 61 75 74 68 2c 75 73 65 72 6e 61 6d qop=auth,usernam
0050: 65 3d 22 63 6e 3d 6c 64 61 70 74 65 73 74 2c 63 e="cn=ldaptest,c
0060: 6e 3d 6f 72 61 63 6c 65 63 6f 6e 74 65 78 74 2c n=oraclecontext,
0070: 64 63 3d 69 74 73 22 2c 6e 6f 6e 63 65 3d 22 30 dc=its",nonce="0
0080: 2f 41 41 52 37 47 39 48 39 2f 44 72 34 56 36 32 /AAR7G9H9/Dr4V62
0090: 6f 50 54 6c 45 48 75 36 56 72 6b 41 46 6f 33 52 oPTlEHu6VrkAFo3R
00a0: 66 31 56 30 6b 73 35 47 71 6f 3d 22 2c 63 6e 6f f1V0ks5Gqo=",cno
00b0: 6e 63 65 3d 22 38 35 33 32 33 35 45 30 44 39 38 nce="853235E0D98
00c0: 41 32 37 39 43 43 30 36 30 34 45 45 39 31 36 31 A279CC0604EE9161
00d0: 34 42 39 30 38 22 2c 6e 63 3d 30 30 30 30 30 30 4B908",nc=000000
00e0: 30 31 2c 72 65 73 70 6f 6e 73 65 3d 37 33 61 64 01,response=73ad
00f0: 37 38 31 33 64 31 39 38 34 37 38 63 34 39 37 65 7813d198478c497e
0100: 64 66 30 63 31 36 61 36 61 32 34 36 df0c16a6a246
ber_scanf fmt (}}) ber:
ber_dump: buf=60b898 ptr=60b9e3 end=60b9e3 len=0
dnPrettyNormal: <cn=ldaptest,cn=oraclecontext,dc=its>
=> ldap_bv2dn(cn=ldaptest,cn=oraclecontext,dc=its,0)
<= ldap_bv2dn(cn=ldaptest,cn=oraclecontext,dc=its)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldaptest,cn=oraclecontext,dc=its)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldaptest,cn=oraclecontext,dc=its)=0
<<< dnPrettyNormal: <cn=ldaptest,cn=oraclecontext,dc=its>, <cn=ldaptest,cn=oraclecontext,dc=its>
conn=1014 op=1 BIND dn="cn=ldaptest,cn=oraclecontext,dc=its" method=163
do_bind: dn (cn=ldaptest,cn=oraclecontext,dc=its) SASL mech DIGEST-MD5
==> sasl_bind: dn="cn=ldaptest,cn=oraclecontext,dc=its" mech=<continuing> datalen=264
SASL [conn=1014] Debug: DIGEST-MD5 server step 2
SASL [conn=1014] Failure: bad digest-uri: doesn't match service
send_ldap_result: conn=1014 op=1 p=3
send_ldap_result: err=49 matched="" text="SASL(-13): authentication failure: bad digest-uri: doesn't match service"
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 86 bytes to sd 16
0000: 30 54 02 01 02 61 4f 0a 01 31 04 00 04 48 53 41 0T...aO..1...HSA
0010: 53 4c 28 2d 31 33 29 3a 20 61 75 74 68 65 6e 74 SL(-13): authent
0020: 69 63 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a ication failure:
0030: 20 62 61 64 20 64 69 67 65 73 74 2d 75 72 69 3a bad digest-uri:
0040: 20 64 6f 65 73 6e 27 74 20 6d 61 74 63 68 20 73 doesn't match s
0050: 65 72 76 69 63 65 ervice
tls_write: want=146, written=146
0000: 17 03 00 00 18 c7 75 ac 06 20 dd 58 b7 38 55 82 ......u.. .X.8U.
0010: ab f0 ea 72 79 d0 22 ad 95 dc ab 26 d3 17 03 00 ...ry."....&....
0020: 00 70 64 23 8e ce fc 05 73 d5 16 a2 cc 62 e4 ae .pd#....s....b..
0030: ee 02 96 ff 16 3d 42 15 54 25 54 7b 60 6d 25 ef .....=B.T%T{`m%.
0040: e3 82 84 1f 42 ec 38 96 82 78 8c 09 b4 be 96 e5 ....B.8..x......
0050: b9 95 01 e0 58 f3 a4 49 a0 58 53 6d 24 8e 0a 9b ....X..I.XSm$...
0060: 8b cd 4b fd cd 0e cd 51 0b e0 89 73 c6 b6 88 2f ..K....Q...s.../
0070: 66 05 49 4a 89 0e 29 0e 53 5a 0c 0d ce 1d 8e 40 f.IJ..).SZ.....@
0080: 90 dd 9f b2 4d b4 6e 7d 2b cf a1 ed 13 96 df 1a ....M.n}+.......
0090: 44 1c D.
ldap_write: want=86, written=86
0000: 30 54 02 01 02 61 4f 0a 01 31 04 00 04 48 53 41 0T...aO..1...HSA
0010: 53 4c 28 2d 31 33 29 3a 20 61 75 74 68 65 6e 74 SL(-13): authent
0020: 69 63 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a ication failure:
0030: 20 62 61 64 20 64 69 67 65 73 74 2d 75 72 69 3a bad digest-uri:
0040: 20 64 6f 65 73 6e 27 74 20 6d 61 74 63 68 20 73 doesn't match s
0050: 65 72 76 69 63 65 ervice
conn=1014 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication failure: bad digest-uri: doesn't match service
<== slap_sasl_bind: rc=49
daemon: activity on 1 descriptor
daemon: activity on: 16r
daemon: read activity on 16
daemon: select: listen=7 active_threads=0 tvp=NULL
connection_get(16)
daemon: select: listen=8 active_threads=0 tvp=NULL
connection_get(16): got connid=1014
daemon: select: listen=9 active_threads=0 tvp=NULL
connection_read(16): checking for input on id=1014
ber_get_next
daemon: select: listen=10 active_threads=0 tvp=NULL
tls_read: want=5, got=5
0000: 17 03 00 00 20 ....
tls_read: want=32, got=32
0000: 93 5b 37 05 07 4b dd 2b a9 1c 7e 70 db b4 8f c7 .[7..K.+..~p....
0010: a5 f7 d7 d0 b8 e0 17 cf b9 08 dd a2 c9 df 28 7b ..............({
ldap_read: want=8, got=7
0000: 30 05 02 01 03 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=5f7de0 ptr=5f7de0 end=5f7de5 len=5
0000: 02 01 03 42 00 ...B.
op tag 0x42, time 1317892029
ber_get_next
tls_read: want=5, got=5
0000: 15 03 00 00 18 .....
tls_read: want=24, got=24
0000: d7 de f4 58 8a 4e fc 6b d5 6f 93 55 ee 5e 72 cd ...X.N.k.o.U.^r.
0010: 3c 8b a2 e1 ba 87 94 5a <......Z
TLS trace: SSL3 alert read:warning:close notify
ldap_read: want=8, got=0
ber_get_next on fd 16 failed errno=0 (Error 0)
connection_read(16): input error=-2 id=1014, closing.
connection_closing: readying conn=1014 sd=16 for close
connection_close: deferring conn=1014 sd=16
daemon: activity on 1 descriptor
conn=1014 op=2 do_unbind
daemon: waked
conn=1014 op=2 UNBIND
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
connection_resched: attempting closing conn=1014 sd=16
connection_close: conn=1014 sd=16
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: removing 16
tls_write: want=29, written=29
0000: 15 03 00 00 18 1c 8a dd b1 bb 30 32 1b ca c2 a1 ..........02....
0010: 2d e8 33 fc 9e 7b 6b e4 49 cf ce f2 fb -.3..{k.I....
TLS trace: SSL3 alert write:warning:close notify
conn=1014 fd=16 closed
On the Oracle client:

SQL> connect testuser
Enter password:
ERROR:
ORA-28043: invalid bind credentials for DB-OID connection

Warning: You are no longer connected to ORACLE.
SQL>
Any suggestions on how to make the digest-uri match the service?
Regards
Juergen
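Added example, not part of the post above and not OpenLDAP or Cyrus SASL code: it reconstructs the DIGEST-MD5 client response from the ASCII column of the ber_dump above (constructed from that dump, not captured separately), parses the directive list, and checks the digest-uri against the serv-type "/" host [ "/" serv-name ] form that RFC 2831 requires. The service name "ldap" and the host "us.oracle.com" (taken from the -R realm of the ldapwhoami call) are assumptions; the exact comparison slapd's SASL library performs is also an assumption here, this only mirrors the RFC form check. The point it makes visible is that the client sent the serv-type as "ldap:" rather than "ldap", so the first path component can never equal the service the server is registered under.

```python
import re

# Constructed from the ber_dump ASCII column in the post: the DIGEST-MD5
# response that slapd answered with "bad digest-uri: doesn't match service".
CLIENT_RESPONSE = (
    'digest-uri="ldap:/us.oracle.com",maxbuf=65536,charset=utf-8,qop=auth,'
    'username="cn=ldaptest,cn=oraclecontext,dc=its",'
    'nonce="0/AAR7G9H9/Dr4V62oPTlEHu6VrkAFo3Rf1V0ks5Gqo=",'
    'cnonce="853235E0D98A279CC0604EE91614B908",nc=00000001,'
    'response=73ad7813d198478c497edf0c16a6a246'
)

# One RFC 2831 directive: name "=" ( quoted-string | token ), separated by commas.
# Quoted values may themselves contain commas (the username DN above does).
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,]*))\s*(?:,|$)'
)


def parse_directives(msg: str) -> dict:
    """Split a DIGEST-MD5 challenge or response into a name -> value dict."""
    out = {}
    pos = 0
    while pos < len(msg):
        m = _DIRECTIVE.match(msg, pos)
        if not m:
            raise ValueError(f"malformed directive list at offset {pos}")
        name, quoted, bare = m.groups()
        out[name.lower()] = quoted if quoted is not None else bare
        pos = m.end()
    return out


def check_digest_uri(digest_uri: str, expected_service: str, expected_host: str):
    """Return (ok, reason) for a digest-uri of the form serv-type/host[/serv-name].

    expected_service is the name the server registered with SASL (assumed "ldap"
    for slapd); expected_host is the server's host (an assumption taken from
    the realm used in the post).
    """
    parts = digest_uri.split("/")
    if len(parts) < 2 or len(parts) > 3:
        return False, f"expected serv-type/host[/serv-name], got {digest_uri!r}"
    serv_type, host = parts[0], parts[1]
    if serv_type.lower() != expected_service.lower():
        return False, f"serv-type {serv_type!r} does not match service {expected_service!r}"
    if host.lower() != expected_host.lower():
        return False, f"host {host!r} does not match server host {expected_host!r}"
    return True, "ok"


def diagnose(msg: str, service: str, host: str):
    """Parse a client response and report whether its digest-uri would pass."""
    d = parse_directives(msg)
    if "digest-uri" not in d:
        return False, "no digest-uri directive in response"
    return check_digest_uri(d["digest-uri"], service, host)


if __name__ == "__main__":
    # The response from the post, checked as a server registered as "ldap" would.
    print(diagnose(CLIENT_RESPONSE, "ldap", "us.oracle.com"))
    # The same response with the scheme-style prefix replaced by the RFC form.
    fixed = CLIENT_RESPONSE.replace('digest-uri="ldap:/us.oracle.com"',
                                    'digest-uri="ldap/us.oracle.com"')
    print(diagnose(fixed, "ldap", "us.oracle.com"))
```

Note that rewriting the digest-uri on the wire is not a fix: the value is hashed into the response directive, so a client that sends "ldap:/host" has to be reconfigured to build "ldap/host" itself, and the server then recomputes the same hash over the value it accepted.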