1 Reply, latest reply: Feb 2, 2012 2:22 AM by Michael-O

Digest MD5 auth with JNDI with round robin

Michael-O Newbie
Hi folks,

I have some problems performing a SASL bind with Digest MD5 against an AD realm.
Say this is the realm: realm.company.net

If I try to connect against: ldap://realm.company.net:3268
I get a javax.naming.AuthenticationException: [LDAP: error code 49 - 80090303: LdapErr: DSID-0C090420, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, vece

This canonical host is running dozens of replicating DCs in round robin. I asked our AD experts and they said that this is erroneous with Digest MD5. It would require setting an 'ldap/realm.company.net' SPN on each and every DC, which would violate SPN uniqueness forest-wide.

So, is this a bug in Sun's SaslClient, which does not resolve the hostname's SRV records first?
The same works flawlessly with GSS-API.

Thanks,

Mike
  • 1. Re: Digest MD5 auth with JNDI with round robin
    Michael-O Newbie
    I have done some investigation. The RFC for Digest-MD5 says this about the host:

    The DNS host name or IP address for the service requested. The
    DNS host name must be the fully-qualified canonical name of the
    host. The DNS host name is the preferred form; see notes on server
    processing of the digest-uri.

    It remains unclear who has to do it, but someone has to. Sun's DigestMd5SaslClient does not canonicalize the hostname; therefore the auth fails. If I use GSS-API, the manager canonicalizes the GSSName for me. That's why it works. So folks, beware.

    Edited by: 910983 on 02.02.2012 02:22
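Doing the canonicalization yourself before handing the URL to JNDI is the workaround that follows from the reply above: resolve the round-robin alias to one DC, reverse-resolve that address to the DC's own FQDN, and build the provider URL from that name, so the digest-uri the SASL client sends is ldap/<dc-fqdn> and matches an SPN the DC actually holds. The following is an added example written for this thread, not code from the original post or from the JDK; the user name, password and port are placeholders, and it assumes the DCs have PTR records that resolve to their registered FQDNs.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added example (not from the original thread): canonicalize the DC name
 * before a DIGEST-MD5 bind so the digest-uri matches a registered LDAP SPN.
 */
public class DigestMd5CanonicalBind {

    /**
     * Returns the canonical FQDN of one DC behind a round-robin alias.
     * getCanonicalHostName() performs a PTR lookup and then a forward lookup
     * to confirm the name maps back to the address. If either fails it returns
     * the IP address as text, which would yield a digest-uri of "ldap/10.0.0.5"
     * and fail exactly like the alias did, so that case is rejected here.
     */
    static String canonicalDcHost(String alias) throws UnknownHostException {
        InetAddress[] addresses = InetAddress.getAllByName(alias);
        for (InetAddress addr : addresses) {
            String fqdn = addr.getCanonicalHostName();
            if (!fqdn.equals(addr.getHostAddress())) {
                return fqdn;
            }
        }
        throw new UnknownHostException(
                "no address of " + alias + " has a PTR record pointing at a DC FQDN");
    }

    /** DIGEST-MD5 bind against the canonical DC, not the alias. */
    static DirContext bind(String alias, int port, String user, String password)
            throws NamingException, UnknownHostException {
        String dc = canonicalDcHost(alias);

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // The SASL client derives "ldap/<host>" from this URL, so the host
        // must be the DC's own FQDN, never the round-robin alias.
        env.put(Context.PROVIDER_URL, "ldap://" + dc + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        // For DIGEST-MD5 AD expects the account name (sAMAccountName), not a DN.
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder credentials; realm.company.net is the alias from the post.
        DirContext ctx = bind("realm.company.net", 3268, "user", "password");
        System.out.println("Bound via " + ctx.getEnvironment().get(Context.PROVIDER_URL));
        ctx.close();
    }
}
```

Two operational caveats: the reverse zones for the DCs must be maintained, otherwise the fallback to the textual IP address trips the check above, and AD will only complete a DIGEST-MD5 bind for accounts whose password is stored with reversible encryption, so a 49/80090303 that persists after canonicalizing the host is worth checking against that setting rather than the SPN.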
