I have some problems performing a SASL bind with Digest MD5 against an AD realm.
Say this is the realm: realm.company.net
If I try to connect against: ldap://realm.company.net:3268
I get a javax.naming.AuthenticationException: [LDAP: error code 49 - 80090303: LdapErr: DSID-0C090420, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, vece
This canonical host is running dozens of replicating DCs in round-robin. I asked our AD experts and they said that is erroneous with Digest MD5. This would require setting an 'ldap/realm.company.net' SPN on each and every DC, which would violate the SPN uniqueness forest-wide.
So, is this a bug in Sun's SaslClient which does not resolve the hostname's SRV records first?
The same works flawlessly with GSS-API.
I have made some investigation. The RFC for Digest-MD5 says this about the host:
The DNS host name or IP address for the service requested. The DNS host name must be the fully-qualified canonical name of the host. The DNS host name is the preferred form; see notes on server processing of the digest-uri.
It stays unclear who has to do it but someone has to. Sun's DigestMd5SaslClient does not canonicalize the hostname. Therefore the auth fails. If I use GSS-API, the manager canonicalizes the GSSName for me. That's why it works. So folks, beware.
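One way to work around the problem described above, as an added example that is not the poster's code: resolve one concrete DC through the realm's global-catalog SRV record and put that host, not the round-robin name, in the provider URL, so the digest-uri that the SASL client builds ("ldap/<host>") names a host that actually holds a registered SPN. The SRV name used, the service account name and the qop setting are assumptions; realm.company.net and port 3268 come from the post.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class CanonicalDigestBind {

    // Look up the global-catalog SRV record AD registers for the forest
    // (_ldap._tcp.gc._msdcs.<realm>) and return the target host of the
    // first entry, i.e. the FQDN of one concrete DC. Picking the first
    // entry instead of honouring priority/weight is a simplification.
    static String firstGcHost(String realm) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory");
        env.put(Context.PROVIDER_URL, "dns:");
        DirContext dns = new InitialDirContext(env);
        try {
            Attributes attrs = dns.getAttributes("_ldap._tcp.gc._msdcs." + realm, new String[] {"SRV"});
            Attribute srv = attrs.get("SRV");
            if (srv == null) throw new NamingException("no GC SRV record for " + realm);
            // An SRV value reads "priority weight port target.", e.g. "0 100 3268 dc01.realm.company.net."
            String[] f = ((String) srv.get()).trim().split("\\s+");
            String host = f[3];
            return host.endsWith(".") ? host.substring(0, host.length() - 1) : host;
        } finally {
            dns.close();
        }
    }

    // Bind with DIGEST-MD5 against the resolved DC rather than the realm name,
    // so the digest-uri sent in the SASL response matches an SPN on that DC.
    static LdapContext digestBind(String realm, String user, char[] pw) throws NamingException {
        String host = firstGcHost(realm);
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":3268");
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, user);        // sAMAccountName, assumed
        env.put(Context.SECURITY_CREDENTIALS, pw);
        env.put("javax.security.sasl.qop", "auth-conf");  // assumed: request integrity + confidentiality
        return new InitialLdapContext(env, null);
    }

    public static void main(String[] args) throws NamingException {
        // "svc-reader" and the password are placeholders for this example.
        LdapContext ctx = digestBind("realm.company.net", "svc-reader", "***".toCharArray());
        ctx.close();
    }
}
```

The same resolution step is what GSS-API gets for free when the GSSName is canonicalized, which is why that mechanism works against the round-robin name and DIGEST-MD5 does not.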