[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: authentication failure: bad digest-uri: doesn't match service

On 06/10/11 09:24 +0000, Juergen.Sprenger@swisscom.com wrote:

I am trying to authenticate an Oracle db user against OpenLDAP.

Porting of schema information is ok, ssl-handshake ok, sasl-bind seems ok, SASL works:

ldapwhoami -U testuser -R us.oracle.com -H ldap:/// -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: testuser
SASL data security layer installed.

Trying to authenticate the oracle-client throws a 'bad digest-uri'-error assuming

conn=1014 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication
failure: bad digest-uri: doesn't match service

On the Oracle client:
SQL> connect testuser
Enter password:
ORA-28043: invalid bind credentials for DB-OID connection

Warning: You are no longer connected to ORACLE.

Any suggestions how to make digest-uri match service?

You could try configuring sasl-host/olcSaslHost and sasl-realm/olcSaslRealm
to influence how libsasl2 initializes the DIGEST-MD5 plugin.

Another option is to use a different mechanism (DIGEST-MD5 has been
obsoleted by the IETF in RFC 6331). If you do not have a way to specify the
mechanism within your Oracle client, you can restrict which mechanisms are
offered by the server, by configuring a libsasl2 slapd.conf (e.g.
/usr/lib/sasl2/slapd.conf) with:

mech_list: <space separated mechanism list>

Use pluginviewer (or saslpluginviewer) to list the available mechanisms on
the server.

Dan White