Hi,
I am trying to authenticate an Oracle db user against OpenLDAP.
Porting of schema information is ok, ssl-handshake ok, sasl-bind seems ok, SASL works:
ldapwhoami -U testuser -R us.oracle.com -H ldap:/// -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: testuser
SASL SSF: 128
SASL data security layer installed.
dn:cn=testuser,cn=users,dc=its
Trying to authenticate the Oracle client throws a 'bad digest-uri' error, assuming digest-uri="ldap:/us.oracle.com":
ber_dump: buf=60b898 ptr=60b8c7 end=60b9e3 len=284
ber_scanf fmt (m) ber:
ber_dump: buf=60b898 ptr=60b8d7 end=60b9e3 len=268
ber_scanf fmt (}}) ber:
ber_dump: buf=60b898 ptr=60b9e3 end=60b9e3 len=0
dnPrettyNormal: <cn=ldaptest,cn=oraclecontext,dc=its>
=> ldap_bv2dn(cn=ldaptest,cn=oraclecontext,dc=its,0)
<= ldap_bv2dn(cn=ldaptest,cn=oraclecontext,dc=its)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldaptest,cn=oraclecontext,dc=its)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldaptest,cn=oraclecontext,dc=its)=0
<<< dnPrettyNormal: <cn=ldaptest,cn=oraclecontext,dc=its>, <cn=ldaptest,cn=oraclecontext,dc=its>
conn=1014 op=1 BIND dn="cn=ldaptest,cn=oraclecontext,dc=its" method=163
do_bind: dn (cn=ldaptest,cn=oraclecontext,dc=its) SASL mech DIGEST-MD5
==> sasl_bind: dn="cn=ldaptest,cn=oraclecontext,dc=its" mech=<continuing> datalen=264
SASL [conn=1014] Debug: DIGEST-MD5 server step 2
SASL [conn=1014] Failure: bad digest-uri: doesn't match service
send_ldap_result: conn=1014 op=1 p=3
send_ldap_result: err=49 matched="" text="SASL(-13): authentication failure: bad digest-uri: doesn't match service"
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 86 bytes to sd 16
tls_write: want=146, written=146
ldap_write: want=86, written=86
conn=1014 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication failure: bad digest-uri: doesn't match service
<== slap_sasl_bind: rc=49
daemon: activity on 1 descriptor
daemon: activity on: 16r
daemon: read activity on 16
daemon: select: listen=7 active_threads=0 tvp=NULL
connection_get(16)
daemon: select: listen=8 active_threads=0 tvp=NULL
connection_get(16): got connid=1014
daemon: select: listen=9 active_threads=0 tvp=NULL
connection_read(16): checking for input on id=1014
ber_get_next
daemon: select: listen=10 active_threads=0 tvp=NULL
tls_read: want=5, got=5
tls_read: want=32, got=32
ldap_read: want=8, got=7
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=5f7de0 ptr=5f7de0 end=5f7de5 len=5
op tag 0x42, time 1317892029
ber_get_next
tls_read: want=5, got=5
tls_read: want=24, got=24
TLS trace: SSL3 alert read:warning:close notify
ldap_read: want=8, got=0
ber_get_next on fd 16 failed errno=0 (Error 0)
connection_read(16): input error=-2 id=1014, closing.
connection_closing: readying conn=1014 sd=16 for close
connection_close: deferring conn=1014 sd=16
daemon: activity on 1 descriptor
conn=1014 op=2 do_unbind
daemon: waked
conn=1014 op=2 UNBIND
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
connection_resched: attempting closing conn=1014 sd=16
connection_close: conn=1014 sd=16
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: removing 16
tls_write: want=29, written=29
TLS trace: SSL3 alert write:warning:close notify
conn=1014 fd=16 closed
On the Oracle client:
SQL> connect testuser
Enter password:
ERROR:
ORA-28043: invalid bind credentials for DB-OID connection
Warning: You are no longer connected to ORACLE.
SQL>
Any suggestions on how to make digest-uri match the service?
Regards
Juergen
On 06/10/11 09:24 +0000, Juergen.Sprenger@swisscom.com wrote:
Hi,
I am trying to authenticate an Oracle db user against OpenLDAP.
Porting of schema information is ok, ssl-handshake ok, sasl-bind seems ok, SASL works:
ldapwhoami -U testuser -R us.oracle.com -H ldap:/// -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: testuser
SASL SSF: 128
SASL data security layer installed.
dn:cn=testuser,cn=users,dc=its
Trying to authenticate the Oracle client throws a 'bad digest-uri' error, assuming digest-uri="ldap:/us.oracle.com":
conn=1014 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication failure: bad digest-uri: doesn't match service
On the Oracle client:
SQL> connect testuser
Enter password:
ERROR:
ORA-28043: invalid bind credentials for DB-OID connection
Warning: You are no longer connected to ORACLE.
SQL>
Any suggestions on how to make digest-uri match the service?
You could try configuring sasl-host/olcSaslHost and sasl-realm/olcSaslRealm to influence how libsasl2 initializes the DIGEST-MD5 plugin.
Another option is to use a different mechanism (DIGEST-MD5 has been obsoleted by the IETF in RFC 6331). If you do not have a way to specify the mechanism within your Oracle client, you can restrict which mechanisms are offered by the server by configuring a libsasl2 slapd.conf (e.g. /usr/lib/sasl2/slapd.conf) with:
mech_list: <space-separated mechanism list>
Use pluginviewer (or saslpluginviewer) to list the available mechanisms on the server.
Dan White wrote:
On 06/10/11 09:24 +0000, Juergen.Sprenger@swisscom.com wrote:
Hi,
I am trying to authenticate an Oracle db user against OpenLDAP.
Porting of schema information is ok, ssl-handshake ok, sasl-bind seems ok, SASL works:
ldapwhoami -U testuser -R us.oracle.com -H ldap:/// -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: testuser
SASL SSF: 128
SASL data security layer installed.
dn:cn=testuser,cn=users,dc=its
Run the above ldapwhoami command with "-d7" and see what digest-uri was used in the working request.
Trying to authenticate the Oracle client throws a 'bad digest-uri' error, assuming digest-uri="ldap:/us.oracle.com":
This is not valid URL syntax. If it's a configured item then fix your config. If it's generated automatically by Oracle then file a bug report with Oracle.
conn=1014 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication failure: bad digest-uri: doesn't match service
On the Oracle client:
SQL> connect testuser
Enter password:
ERROR:
ORA-28043: invalid bind credentials for DB-OID connection
Warning: You are no longer connected to ORACLE.
SQL>
Any suggestions on how to make digest-uri match the service?
You could try configuring sasl-host/olcSaslHost and sasl-realm/olcSaslRealm to influence how libsasl2 initializes the DIGEST-MD5 plugin.
Another option is to use a different mechanism (DIGEST-MD5 has been obsoleted by the IETF in RFC 6331). If you do not have a way to specify the mechanism within your Oracle client, you can restrict which mechanisms are offered by the server by configuring a libsasl2 slapd.conf (e.g. /usr/lib/sasl2/slapd.conf) with:
mech_list: <space-separated mechanism list>
Use pluginviewer (or saslpluginviewer) to list the available mechanisms on the server.
-- Dan White
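As an added illustration, not code from the thread, Cyrus SASL or OpenLDAP: what a DIGEST-MD5 server checks in digest-uri (RFC 2831 defines it as serv-type "/" host [ "/" serv-name ], i.e. "ldap/us.oracle.com" rather than "ldap:/us.oracle.com") and why the value must also agree on both sides, since it is hashed into the response. Service name, host, username and realm follow the thread; the password, nonces and the exact wording of the checks are assumptions.

```python
import hashlib
import re

_h, _hexh = (lambda b: hashlib.md5(b).digest()), (lambda b: hashlib.md5(b).hexdigest())

# RFC 2831 grammar: digest-uri-value = serv-type "/" host [ "/" serv-name ]
DIGEST_URI_RE = re.compile(r"^([A-Za-z0-9-]+)/([^/]+)(?:/([^/]+))?$")

def check_digest_uri(uri, service, host):
    """Illustrative server-side check (not Cyrus SASL's code): serv-type must equal the
    SASL service name and host the server's SASL host (olcSaslHost). Returns (ok, reason)."""
    m = DIGEST_URI_RE.match(uri)
    if not m:
        return False, "bad digest-uri: not serv-type/host[/serv-name] syntax"
    serv_type, uri_host, _serv_name = m.groups()
    if serv_type != service:
        return False, "bad digest-uri: doesn't match service"
    if uri_host.lower() != host.lower():
        return False, "bad digest-uri: host doesn't match sasl-host"
    return True, "ok"

def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """RFC 2831 response-value for qop=auth; digest-uri is hashed into A2, so client and
    server must agree on it byte for byte or the response never verifies."""
    a1 = _h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return _hexh(f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexh(a2)}".encode())

def server_verify(fields, password, service, host):
    """Server handling of a client's digest-response (dict of RFC 2831 directives): reject
    a foreign digest-uri first, then recompute the response from the stored password."""
    ok, reason = check_digest_uri(fields["digest-uri"], service, host)
    if not ok:
        return False, reason
    expected = digest_md5_response(fields["username"], fields["realm"], password,
                                   fields["nonce"], fields["cnonce"], fields["nc"],
                                   fields["qop"], fields["digest-uri"])
    return (True, "ok") if expected == fields["response"] else (False, "response mismatch")

# Constructed sample: user, realm and digest-uri forms follow the thread; password and nonces are made up.
PASSWORD = "constructed-password"
BASE = {"username": "testuser", "realm": "us.oracle.com", "nc": "00000001", "qop": "auth",
        "nonce": "constructed-server-nonce", "cnonce": "constructed-client-nonce"}

def client_attempt(digest_uri):
    """Build the client's digest-response for digest_uri and let the server verify it."""
    f = dict(BASE, **{"digest-uri": digest_uri})
    f["response"] = digest_md5_response(f["username"], f["realm"], PASSWORD, f["nonce"],
                                        f["cnonce"], f["nc"], f["qop"], f["digest-uri"])
    return server_verify(f, PASSWORD, "ldap", "us.oracle.com")
```

client_attempt("ldap:/us.oracle.com") is rejected at the digest-uri check before any password comparison, while client_attempt("ldap/us.oracle.com") verifies.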
Looks like the Oracle client and Oracle OID only use DIGEST-MD5 without additional configuration:
Current OpenLDAP configuration:
/usr/local/bin/ldapsearch -xH ldap:// -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
Oracle-OID installation:
/usr/local/bin/ldapsearch -xH ldap://:3060 -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedsaslmechanisms: DIGEST-MD5
Will dig deeper to check if other mechanisms can be used or if there is an option to ignore the digest-uri.
Juergen
Hi,
Trying to authenticate the Oracle client throws a 'bad digest-uri' error, assuming digest-uri="ldap:/us.oracle.com":
This is not valid URL syntax. If it's a configured item then fix your config. If it's generated automatically by Oracle then file a bug report with Oracle.
Been there, done that. Result:
Oracle Enterprise User Security (EUS) only supports Oracle Internet Directory and Oracle Virtual Directory. EUS does not support 3rd party directory servers such as OpenLDAP. EUS does not specify RFC 2831 compliance for its directory servers.
Will try to get rid of the error message by patching cyrus-sasl-2.1.23/plugins/digestmd5.c.
Regards
Juergen
openldap-technical@openldap.org