Re: authentication failure: bad digest-uri: doesn't match service

[Dan White <dwhite@olp.net>]

On 06/10/11 09:24 +0000, Juergen.Sprenger@swisscom.com wrote:
> Hi,
>
> I am trying to authenticate an Oracle db user against OpenLDAP.
>
> Porting of schema information is ok, ssl-handshake ok, sasl-bind seems ok, SASL works:
>
> ldapwhoami -U testuser -R us.oracle.com -H ldap:/// -Y DIGEST-MD5
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> SASL username: testuser
> SASL SSF: 128
> SASL data security layer installed.
> dn:cn=testuser,cn=users,dc=its
>
> Trying to authenticate the oracle-client throws a 'bad digest-uri'-error assuming
> digest-uri="ldap:/us.oracle.com":

> conn=1014 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication
> failure: bad digest-uri: doesn't match service

> On the Oracle client:
> SQL> connect testuser
> Enter password:
> ERROR:
> ORA-28043: invalid bind credentials for DB-OID connection
>
>
> Warning: You are no longer connected to ORACLE.
> SQL>
>
>
>
> Any suggestions how to make digest-uri match service?

You could try configuring sasl-host/olcSaslHost and sasl-realm/olcSaslRealm
to influence how libsasl2 initializes the DIGEST-MD5 plugin.

Another option is to use a different mechanism (DIGEST-MD5 has been
obsoleted by the IETF in RFC 6331). If you do not have a way to specify the
mechanism within your Oracle client, you can restrict which mechanisms are
offered by the server, by configuring a libsasl2 slapd.conf (e.g.
/usr/lib/sasl2/slapd.conf) with:

mech_list: <space separated mechanism list>

Use pluginviewer (or saslpluginviewer) to list the available mechanisms on
the server.

--
Dan White