0 votes

I am trying to authenticate a user using JNDI with the security level set to SASL. The following is my sample code.

import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class Test {
    private static final String CONTEXT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
    private static final String PROVIDER_URL = "ldap://localhost:10389";
    private static final String SECURITY_AUTHENTICATION = "DIGEST-MD5";

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>(11);

        env.put(Context.INITIAL_CONTEXT_FACTORY, CONTEXT_FACTORY);
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, SECURITY_AUTHENTICATION);
        env.put(Context.SECURITY_PRINCIPAL,
                "cn=Krishna,ou=people,dc=example,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, "password123");

        try {
            DirContext ctx = new InitialDirContext(env);
            System.out.println("Authentication Successful");
            ctx.close();
        } catch (NamingException e) {
            System.out.println("Authentication Failed");
            e.printStackTrace();
        }

    }
}

I encrypted the password using the MD5 algorithm in the directory. When I tried to run the above program, I got the following error.

Authentication Failed

javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: DIGEST-MD5: digest response format violation. Mismatched URI: ldap/localhost; expecting: ldap/ldap.example.com]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.InitialContext.<init>(InitialContext.java:216)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
    at jndi_tutorial.Test.main(Test.java:26)

But when I tried to authenticate using the simple mechanism (SECURITY_AUTHENTICATION = "simple"), my authentication succeeded. Is there any configuration I am missing?

1 Answer

0 votes
  1. Check if your LDAP server supports DIGEST-MD5 SASL mechanism.

    // Read the root DSE of the server and ask only for the SASL mechanisms it advertises.
    DirContext ctx = new InitialDirContext();
    Attributes attrs = ctx.getAttributes("ldap://<HOST>:<PORT>", new String[]{"supportedSASLMechanisms"});
    
  2. Check if the passwords are in fact stored as MD5 digest/hash in the LDAP server.

    Connect to the LDAP server with an LDAP browser like Apache Directory Studio and check the password attribute. It will be prefixed with the hash mechanism used.
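The "Mismatched URI" error in the question and the first check in the answer come down to two things: whether the server advertises DIGEST-MD5 at all, and whether the host name in PROVIDER_URL is the one the server expects in the DIGEST-MD5 digest-uri (the error names ldap/ldap.example.com, while the client sent ldap/localhost). The class below is an added example, not code from the question, the answer or any project: it reads supportedSASLMechanisms from the root DSE over an anonymous context, then binds with DIGEST-MD5 against the host name the server named in the error. The host, port, username, password and realm are assumptions for illustration; which identifier a server accepts as the DIGEST-MD5 username, and whether a realm must be supplied, depends on the server.

```java
import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class SaslBindCheck {
    private static final String CONTEXT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
    // Assumption: the host the server expects in the digest-uri
    // ("ldap/ldap.example.com" in the error on this page), not "localhost".
    private static final String LDAP_HOST = "ldap.example.com";
    private static final int LDAP_PORT = 10389;
    private static final String PROVIDER_URL = "ldap://" + LDAP_HOST + ":" + LDAP_PORT;

    /** Step 1 of the answer: does the root DSE list the mechanism we intend to use? */
    static boolean serverOffersMechanism(String mechanism) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, CONTEXT_FACTORY);
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // anonymous read of the root DSE
        DirContext ctx = new InitialDirContext(env);
        try {
            Attributes attrs = ctx.getAttributes("", new String[] {"supportedSASLMechanisms"});
            Attribute mechs = attrs.get("supportedSASLMechanisms");
            if (mechs == null) {
                return false;
            }
            for (int i = 0; i < mechs.size(); i++) {
                if (mechanism.equalsIgnoreCase(String.valueOf(mechs.get(i)))) {
                    return true;
                }
            }
            return false;
        } finally {
            ctx.close();
        }
    }

    /**
     * DIGEST-MD5 bind. Returns true on success and false when the server rejects
     * the bind (wrong credentials or a digest-uri mismatch, both surfaced by JNDI
     * as AuthenticationException); any other NamingException is rethrown.
     */
    static boolean digestMd5Bind(String username, String password, String realm)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, CONTEXT_FACTORY);
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, username);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Ask for confidentiality, then integrity, then plain auth, in that order of
        // preference; the server picks the strongest it supports.
        env.put("javax.security.sasl.qop", "auth-conf,auth-int,auth");
        if (realm != null) {
            env.put("javax.security.sasl.realm", realm); // only needed if the server offers several realms
        }
        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.close();
            return true;
        } catch (AuthenticationException e) {
            System.err.println("bind rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws NamingException {
        if (!serverOffersMechanism("DIGEST-MD5")) {
            System.out.println("Server does not advertise DIGEST-MD5; check its SASL configuration.");
            return;
        }
        // Assumption: the username form and realm are whatever the directory is
        // configured to accept for DIGEST-MD5; the question used a full DN.
        boolean ok = digestMd5Bind("Krishna", "password123", null);
        System.out.println(ok ? "Authentication Successful" : "Authentication Failed");
    }
}
```

Two points follow from this. First, the digest-uri check is deliberate: the server only accepts a digest computed for its own service name, so connecting by an alias such as localhost fails even with the right password, and the fix is to use the name the server reports rather than to loosen the check. Second, DIGEST-MD5 (RFC 2831) requires the server to recompute the digest from the user's secret, so the server must hold either the clear-text password or the precomputed H(username:realm:password) value; a one-way hash of the password stored in userPassword cannot be used for it, which is what the answer's second step is really looking at. A simple bind, as in the question's working case, sends the password itself, so the server can verify it against any stored form, but it should then only be used over TLS.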