
authentication failure: bad digest-uri: doesn't match service



Hi,

I am trying to authenticate an Oracle DB user against OpenLDAP.

Porting of the schema information is OK, the SSL handshake is OK, the SASL bind seems OK, and SASL works:

ldapwhoami -U testuser -R us.oracle.com -H ldap:/// -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: testuser
SASL SSF: 128
SASL data security layer installed.
dn:cn=testuser,cn=users,dc=its

Trying to authenticate the Oracle client throws a 'bad digest-uri' error, assuming
digest-uri="ldap:/us.oracle.com":

ber_dump: buf=60b898 ptr=60b8c7 end=60b9e3 len=284
  0000:  00 82 01 18 04 0a 44 49  47 45 53 54 2d 4d 44 35   ......DIGEST-MD5
  0010:  04 82 01 08 64 69 67 65  73 74 2d 75 72 69 3d 22   ....digest-uri="
  0020:  6c 64 61 70 3a 2f 75 73  2e 6f 72 61 63 6c 65 2e   ldap:/us.oracle.
  0030:  63 6f 6d 22 2c 6d 61 78  62 75 66 3d 36 35 35 33   com",maxbuf=6553
  0040:  36 2c 63 68 61 72 73 65  74 3d 75 74 66 2d 38 2c   6,charset=utf-8,
  0050:  71 6f 70 3d 61 75 74 68  2c 75 73 65 72 6e 61 6d   qop=auth,usernam
  0060:  65 3d 22 63 6e 3d 6c 64  61 70 74 65 73 74 2c 63   e="cn=ldaptest,c
  0070:  6e 3d 6f 72 61 63 6c 65  63 6f 6e 74 65 78 74 2c   n=oraclecontext,
  0080:  64 63 3d 69 74 73 22 2c  6e 6f 6e 63 65 3d 22 30   dc=its",nonce="0
  0090:  2f 41 41 52 37 47 39 48  39 2f 44 72 34 56 36 32   /AAR7G9H9/Dr4V62
  00a0:  6f 50 54 6c 45 48 75 36  56 72 6b 41 46 6f 33 52   oPTlEHu6VrkAFo3R
  00b0:  66 31 56 30 6b 73 35 47  71 6f 3d 22 2c 63 6e 6f   f1V0ks5Gqo=",cno
  00c0:  6e 63 65 3d 22 38 35 33  32 33 35 45 30 44 39 38   nce="853235E0D98
  00d0:  41 32 37 39 43 43 30 36  30 34 45 45 39 31 36 31   A279CC0604EE9161
  00e0:  34 42 39 30 38 22 2c 6e  63 3d 30 30 30 30 30 30   4B908",nc=000000
  00f0:  30 31 2c 72 65 73 70 6f  6e 73 65 3d 37 33 61 64   01,response=73ad
  0100:  37 38 31 33 64 31 39 38  34 37 38 63 34 39 37 65   7813d198478c497e
  0110:  64 66 30 63 31 36 61 36  61 32 34 36               df0c16a6a246
ber_scanf fmt (m) ber:
ber_dump: buf=60b898 ptr=60b8d7 end=60b9e3 len=268
  0000:  00 82 01 08 64 69 67 65  73 74 2d 75 72 69 3d 22   ....digest-uri="
  0010:  6c 64 61 70 3a 2f 75 73  2e 6f 72 61 63 6c 65 2e   ldap:/us.oracle.
  0020:  63 6f 6d 22 2c 6d 61 78  62 75 66 3d 36 35 35 33   com",maxbuf=6553
  0030:  36 2c 63 68 61 72 73 65  74 3d 75 74 66 2d 38 2c   6,charset=utf-8,
  0040:  71 6f 70 3d 61 75 74 68  2c 75 73 65 72 6e 61 6d   qop=auth,usernam
  0050:  65 3d 22 63 6e 3d 6c 64  61 70 74 65 73 74 2c 63   e="cn=ldaptest,c
  0060:  6e 3d 6f 72 61 63 6c 65  63 6f 6e 74 65 78 74 2c   n=oraclecontext,
  0070:  64 63 3d 69 74 73 22 2c  6e 6f 6e 63 65 3d 22 30   dc=its",nonce="0
  0080:  2f 41 41 52 37 47 39 48  39 2f 44 72 34 56 36 32   /AAR7G9H9/Dr4V62
  0090:  6f 50 54 6c 45 48 75 36  56 72 6b 41 46 6f 33 52   oPTlEHu6VrkAFo3R
  00a0:  66 31 56 30 6b 73 35 47  71 6f 3d 22 2c 63 6e 6f   f1V0ks5Gqo=",cno
  00b0:  6e 63 65 3d 22 38 35 33  32 33 35 45 30 44 39 38   nce="853235E0D98
  00c0:  41 32 37 39 43 43 30 36  30 34 45 45 39 31 36 31   A279CC0604EE9161
  00d0:  34 42 39 30 38 22 2c 6e  63 3d 30 30 30 30 30 30   4B908",nc=000000
  00e0:  30 31 2c 72 65 73 70 6f  6e 73 65 3d 37 33 61 64   01,response=73ad
  00f0:  37 38 31 33 64 31 39 38  34 37 38 63 34 39 37 65   7813d198478c497e
  0100:  64 66 30 63 31 36 61 36  61 32 34 36               df0c16a6a246
ber_scanf fmt (}}) ber:
ber_dump: buf=60b898 ptr=60b9e3 end=60b9e3 len=0

>>> dnPrettyNormal: <cn=ldaptest,cn=oraclecontext,dc=its>
=> ldap_bv2dn(cn=ldaptest,cn=oraclecontext,dc=its,0)
<= ldap_bv2dn(cn=ldaptest,cn=oraclecontext,dc=its)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldaptest,cn=oraclecontext,dc=its)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldaptest,cn=oraclecontext,dc=its)=0
<<< dnPrettyNormal: <cn=ldaptest,cn=oraclecontext,dc=its>, <cn=ldaptest,cn=oraclecontext,dc=its>
conn=1014 op=1 BIND dn="cn=ldaptest,cn=oraclecontext,dc=its" method=163
do_bind: dn (cn=ldaptest,cn=oraclecontext,dc=its) SASL mech DIGEST-MD5
==> sasl_bind: dn="cn=ldaptest,cn=oraclecontext,dc=its" mech=<continuing> datalen=264
SASL [conn=1014] Debug: DIGEST-MD5 server step 2
SASL [conn=1014] Failure: bad digest-uri: doesn't match service
send_ldap_result: conn=1014 op=1 p=3
send_ldap_result: err=49 matched="" text="SASL(-13): authentication failure: bad digest-uri: doesn't match service"
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 86 bytes to sd 16
  0000:  30 54 02 01 02 61 4f 0a  01 31 04 00 04 48 53 41   0T...aO..1...HSA
  0010:  53 4c 28 2d 31 33 29 3a  20 61 75 74 68 65 6e 74   SL(-13): authent
  0020:  69 63 61 74 69 6f 6e 20  66 61 69 6c 75 72 65 3a   ication failure:
  0030:  20 62 61 64 20 64 69 67  65 73 74 2d 75 72 69 3a    bad digest-uri:
  0040:  20 64 6f 65 73 6e 27 74  20 6d 61 74 63 68 20 73    doesn't match s
  0050:  65 72 76 69 63 65                                  ervice
tls_write: want=146, written=146
ldap_write: want=86, written=86
  0000:  30 54 02 01 02 61 4f 0a  01 31 04 00 04 48 53 41   0T...aO..1...HSA
  0010:  53 4c 28 2d 31 33 29 3a  20 61 75 74 68 65 6e 74   SL(-13): authent
  0020:  69 63 61 74 69 6f 6e 20  66 61 69 6c 75 72 65 3a   ication failure:
  0030:  20 62 61 64 20 64 69 67  65 73 74 2d 75 72 69 3a    bad digest-uri:
  0040:  20 64 6f 65 73 6e 27 74  20 6d 61 74 63 68 20 73    doesn't match s
  0050:  65 72 76 69 63 65                                  ervice
conn=1014 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication failure: bad digest-uri: doesn't match service
<== slap_sasl_bind: rc=49
daemon: activity on 1 descriptor
daemon: activity on: 16r
daemon: read activity on 16
daemon: select: listen=7 active_threads=0 tvp=NULL
connection_get(16)
daemon: select: listen=8 active_threads=0 tvp=NULL
connection_get(16): got connid=1014
daemon: select: listen=9 active_threads=0 tvp=NULL
connection_read(16): checking for input on id=1014
ber_get_next
daemon: select: listen=10 active_threads=0 tvp=NULL
tls_read: want=5, got=5
  0000:  17 03 00 00 20                                     ....
tls_read: want=32, got=32
  0000:  93 5b 37 05 07 4b dd 2b  a9 1c 7e 70 db b4 8f c7   .[7..K.+..~p....
  0010:  a5 f7 d7 d0 b8 e0 17 cf  b9 08 dd a2 c9 df 28 7b   ..............({
ldap_read: want=8, got=7
  0000:  30 05 02 01 03 42 00                               0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=5f7de0 ptr=5f7de0 end=5f7de5 len=5
  0000:  02 01 03 42 00                                     ...B.
op tag 0x42, time 1317892029
ber_get_next
tls_read: want=5, got=5
  0000:  15 03 00 00 18                                     .....
tls_read: want=24, got=24
  0000:  d7 de f4 58 8a 4e fc 6b  d5 6f 93 55 ee 5e 72 cd   ...X.N.k.o.U.^r.
  0010:  3c 8b a2 e1 ba 87 94 5a                            <......Z
TLS trace: SSL3 alert read:warning:close notify
ldap_read: want=8, got=0

ber_get_next on fd 16 failed errno=0 (Error 0)
connection_read(16): input error=-2 id=1014, closing.
connection_closing: readying conn=1014 sd=16 for close
connection_close: deferring conn=1014 sd=16
daemon: activity on 1 descriptor
conn=1014 op=2 do_unbind
daemon: waked
conn=1014 op=2 UNBIND
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
connection_resched: attempting closing conn=1014 sd=16
connection_close: conn=1014 sd=16
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: removing 16
tls_write: want=29, written=29
  0000:  15 03 00 00 18 1c 8a dd  b1 bb 30 32 1b ca c2 a1   ..........02....
  0010:  2d e8 33 fc 9e 7b 6b e4  49 cf ce f2 fb            -.3..{k.I....
TLS trace: SSL3 alert write:warning:close notify
conn=1014 fd=16 closed

On the Oracle client:
SQL> connect testuser
Enter password:
ERROR:
ORA-28043: invalid bind credentials for DB-OID connection


Warning: You are no longer connected to ORACLE.
SQL>



Any suggestions on how to make the digest-uri match the service?

Regards

Juergen