
RE: authentication failure: bad digest-uri: doesn't match service

>>Any suggestions how to make digest-uri match service?

>You could try configuring sasl-host/olcSaslHost and sasl-realm/olcSaslRealm
>to influence how libsasl2 initializes the DIGEST-MD5 plugin.

>Another option is to use a different mechanism (DIGEST-MD5 has been
>obsoleted by the IETF in RFC 6331). If you do not have a way to specify the
>mechanism within your Oracle client, you can restrict which mechanisms are
>offered by the server, by configuring a libsasl2 slapd.conf (e.g.
>/usr/lib/sasl2/slapd.conf) with:

>mech_list: <space separated mechanism list>

>Use pluginviewer (or saslpluginviewer) to list the available mechanisms on
>the server.
>Dan White

Looks like Oracle client and Oracle OID only use DIGEST-MD5 without additional configuration:

Current OpenLDAP configuration:
/usr/local/bin/ldapsearch -xH ldap:// -b "" -s base -LLL supportedSASLMechanisms
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5

Oracle-OID installation:
/usr/local/bin/ldapsearch -xH ldap://:3060 -b "" -s base -LLL supportedSASLMechanisms
supportedsaslmechanisms: DIGEST-MD5

Will dig deeper to check if other mechanisms can be used or if there is an option to ignore the digest-uri.
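
Added example, not part of the original message and not OpenLDAP, Cyrus SASL or Oracle code: a small Python check that parses a DIGEST-MD5 digest-response (RFC 2831 syntax) and reports which part of digest-uri differs from the service and host the server expects. The sample response, the service name "ldap", the host names and the case-insensitive comparison are assumptions of the example.

```python
import re

# One key=value pair of a DIGEST-MD5 digest-response (RFC 2831, 2.1.2).
# Values are either quoted strings with backslash escapes or bare tokens.
_PAIR = re.compile(
    r'\s*([A-Za-z-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,]*))\s*(?:,|$)')


def parse_digest_response(text):
    """Split a digest-response into a dict keyed by lower-cased directive."""
    text = text.strip()
    fields, pos = {}, 0
    while pos < len(text):
        m = _PAIR.match(text, pos)
        if m is None:
            raise ValueError(f"unparseable directive at offset {pos}")
        quoted, bare = m.group(2), m.group(3)
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare.strip()
        fields[m.group(1).lower()] = value
        pos = m.end()
    return fields


def digest_uri_problems(digest_uri, service, host):
    """Compare digest-uri (serv-type/host[/serv-name]) with what the server
    expects. Returns a list of mismatches; an empty list means it matches.
    Case-insensitive comparison is an assumption of this example."""
    parts = digest_uri.split("/", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return ["digest-uri is not of the form serv-type/host[/serv-name]"]
    problems = []
    if parts[0].lower() != service.lower():
        problems.append(f"serv-type {parts[0]!r} does not match service {service!r}")
    if parts[1].lower() != host.lower():
        problems.append(f"host {parts[1]!r} does not match server host {host!r}")
    return problems


# Constructed sample, not taken from the thread.
SAMPLE = ('username="oid_user",realm="example.com",nonce="bm9uY2U=",'
          'cnonce="Y25vbmNl",nc=00000001,qop=auth,'
          'digest-uri="ldap/oid-client.example.com",'
          'response=0123456789abcdef0123456789abcdef,charset=utf-8')

if __name__ == "__main__":
    uri = parse_digest_response(SAMPLE)["digest-uri"]
    # "ldap" is the service name assumed for slapd; the host is a placeholder.
    for problem in digest_uri_problems(uri, "ldap", "ldap.example.com") or ["match"]:
        print(problem)
```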