
cram-md5 as mech returns sasl error



env:
solaris 8
openldap 2.1.12
sasl 2.1.12
openssl 0.9.6i
 
NOTE:
I know CRAM-MD5 is deprecated in favor of DIGEST-MD5; I have a use for it for some mail applications.
 
PROBLEM:
CRAM-MD5 is listed as a SASL mech but fails quite fast when used during a SASL bind. I thank you for any help in advance.
 
 
When I try to use CRAM-MD5 as a SASL mech in ldapsearch, I receive this error:
ldapsearch -Y CRAM-MD5 -U test5678@g1.com -ZZ -H ldap://suntest3.g1.com -s base -b "" "+"
SASL/CRAM-MD5 authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-5): bad protocol / cancel: Remote sent first but mech does not allow it.
 
The sample client/server for SASL2 allows me to auth:
./client -p 4444 -m CRAM-MD5 suntest3
receiving capability list... recv: {46}
OTP CRAM-MD5 ANONYMOUS PLAIN GSSAPI DIGEST-MD5
OTP CRAM-MD5 ANONYMOUS PLAIN GSSAPI DIGEST-MD5
send: {8}
CRAM-MD5
send: {1}
N
recv: {29}
<1652518915.6724388@suntest3>
please enter an authentication id: test5678@g1.com
Password:
send: {48}
test5678@g1.com 613ee9eebff7fd2d0102a41c025d6dd0
successful authentication
closing connection
 
The following SASL mechs work without problem using the OpenLDAP client tools: OTP, DIGEST-MD5, GSSAPI, EXTERNAL.
Here is the supported SASL mech list for the server:
ldapsearch -Y GSSAPI -ZZ -H ldap://suntest3.g1.com -s base -b "" supportedSASLMechanisms
SASL/GSSAPI authentication started
SASL username: sand4444@G1.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#
 
#
dn:
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
 
Debug output from ldapsearch as posted above (-d 1, cut a bit short):
ldap_interactive_sasl_bind_s: user selected: CRAM-MD5
ldap_int_sasl_bind: CRAM-MD5
SASL/CRAM-MD5 authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 26 bytes to sd 4
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: suntest3.g1.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar  5 20:09:09 2003
 
** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 2, all 1
ber_get_next
ber_get_next: tag 0x30 len 90 contents:
ldap_read: message type bind msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({iaa) ber:
ldap_msgfree
ldap_perror
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-5): bad protocol / cancel: Remote sent first but mech does not allow it.
 
The error seems to be thrown in server.c (sasl_server_start).
 
KSC
Network/Systems Engineer
www.g1.com
 
 
Here is a really great OS
www.freebsd.org
 

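The session with the SASL2 sample client above shows the shape of a CRAM-MD5 exchange: the server speaks first with a `<random.timestamp@host>` challenge, and the client answers with its authentication id followed by hex(HMAC-MD5(password, challenge)). The error in the ldapsearch run, "Remote sent first but mech does not allow it", is what a server-first mechanism reports when the client supplies an initial response in the first bind request. The following is an added example that is not part of the original post, nor code from OpenLDAP or Cyrus SASL; it drives both sides of the exchange in memory, with a constructed password and hostname, a `lookup_password` callback that stands in for a real credential store, and a `sasl_server_start` check modelled on the error message quoted in the post rather than on Cyrus SASL's actual source. The RFC 2195 test vector is included as a known-answer check.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, List, Optional, Tuple

# Known-answer vector from RFC 2195 (user "tim", password "tanstaaftanstaaf").
RFC2195_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
RFC2195_RESPONSE = b"tim b913a602c7eda7a495b4e6e7334d3890"

# Constructed sample credentials for the demo; not values from the post.
DEMO_USER = "test5678@g1.com"
DEMO_PASSWORD = "example-password"


class SaslBadProt(Exception):
    """Stands in for SASL_BADPROT (the SASL(-5) seen in the post)."""


def make_challenge(hostname: str) -> bytes:
    """Server side: build a challenge in the conventional
    '<random.timestamp@host>' form, as in the sample client session."""
    return f"<{secrets.randbelow(10**10)}.{int(time.time())}@{hostname}>".encode()


def sasl_server_start(mech: str, initial_response: Optional[bytes], hostname: str) -> bytes:
    """Server side, first step. Illustrative model of the check whose error
    text appears in the post: CRAM-MD5 is server-first, so any client data
    arriving with the first bind request is a protocol error. Returns the
    challenge the server must send when the client correctly waits."""
    if mech != "CRAM-MD5":
        raise NotImplementedError(f"mech {mech} not modelled here")
    if initial_response is not None:
        raise SaslBadProt("bad protocol / cancel: Remote sent first but mech does not allow it.")
    return make_challenge(hostname)


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: 'username SP hex(HMAC-MD5(key=password, msg=challenge))'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def server_verify(response: bytes, challenge: bytes,
                  lookup_password: Callable[[str], Optional[str]]) -> bool:
    """Server side: recompute the HMAC with the stored password for the
    claimed user and compare in constant time. Unknown user, malformed
    response and wrong digest all fail the same way."""
    try:
        user, digest = response.decode("utf-8").rsplit(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    password = lookup_password(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def simulate_exchange(username: str, password: str,
                      lookup_password: Callable[[str], Optional[str]],
                      initial_response: Optional[bytes] = None,
                      hostname: str = "suntest3") -> Tuple[bool, List[Tuple[str, bytes]]]:
    """Run a complete server-first exchange in memory. The transcript lists
    ('S', data) and ('C', data) messages in wire order; a client that sends
    initial data is rejected before any challenge is issued."""
    transcript: List[Tuple[str, bytes]] = []
    challenge = sasl_server_start("CRAM-MD5", initial_response, hostname)
    transcript.append(("S", challenge))
    response = client_response(username, password, challenge)
    transcript.append(("C", response))
    ok = server_verify(response, challenge, lookup_password)
    transcript.append(("S", b"successful authentication" if ok else b"authentication failed"))
    return ok, transcript


if __name__ == "__main__":
    store = {DEMO_USER: DEMO_PASSWORD}
    ok, transcript = simulate_exchange(DEMO_USER, DEMO_PASSWORD, store.get)
    for side, data in transcript:
        print(f"{side}: {data.decode()}")
    print("result:", ok)
    try:
        simulate_exchange(DEMO_USER, DEMO_PASSWORD, store.get, initial_response=b"CRAM-MD5 early")
    except SaslBadProt as exc:
        print("client-first attempt rejected:", exc)
```

Running the block prints a challenge, the client's `user digest` line and the verdict, then shows the rejection a client-first attempt gets. Note that the server has to hold the plaintext password (or an equivalent MD5 context) to recompute the HMAC, which is one reason CRAM-MD5 is treated as legacy; the challenge's random and timestamp parts are what keep a captured response from being replayed.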