Full_Name: Giovanni Almeida Santos Version: 2.3.34 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (200.199.204.60) According to RFC2831 (Using Digest Authentication as a SASL Mechanism), the rules for a "digest-response" is defined as follows: digest-response = 1#( username | realm | nonce | cnonce | nonce-count | qop | digest-uri | response | maxbuf | charset | cipher | authzid | auth-param ) username = "username" "=" <"> username-value <"> username-value = qdstr-val ... authzid = "authzid" "=" <"> authzid-value <"> authzid-value = qdstr-val com.novell.sasl.client.DigestMD5SaslClient class does not implement that RFC at all because it does not use authzid as described above. To correct this, it is necessary modify two methods on DigestMD5SaslClient: DigestCalcHA1 and createDigestResponse. In the DigestCalcHA1 method it is necessary include the code delimited by // -->> as follows: char[] DigestCalcHA1( String algorithm, String userName, String realm, String password, String nonce, String clientNonce) throws SaslException { ... if ("md5-sess".equals(algorithm)) { md.update(hash); md.update(":".getBytes("UTF-8")); md.update(nonce.getBytes("UTF-8")); md.update(":".getBytes("UTF-8")); md.update(clientNonce.getBytes("UTF-8")); // -->> It is necessary to allow Proxy Authorization if(m_authorizationId != null && !"".equals(m_authorizationId)) { md.update(":".getBytes("UTF-8")); md.update(m_authorizationId.getBytes("UTF-8")); } // -->> End hash = md.digest(); } ... } In the createDigestResponse method it is necessary remove <code>digestResponse.append(m_authorizationId)<code> (commented below) and insert the code delimited by // -->> private String createDigestResponse( byte[] challenge) throws SaslException { ... digestResponse.append("username=\""); //digestResponse.append(m_authorizationId); // -->> It is necessary to allow Proxy Authorization digestResponse.append(m_name); if(m_authorizationId != null && !"".equals(m_authorizationId)) { digestResponse.append("\",authzid=\""); digestResponse.append(m_authorizationId); } // -->> End ... } Without these modifications, proxy authorization is not possible.
changed notes
moved from Incoming to Contrib
Hi, In the above code in the comments portion I am not clear what you do in the proxy authorization. I tried without the above code changes for the proxy user authorization yet I was able to bind to it. Are you doing anything else? Can you make the proxy authorization a bit more clear ? What exactly does that mean ?
changed state Open to Feedback
JLDAP