First, I've never configured a SASL login method; they were all installed when eDirectory was installed. I know the UA uses a SASL login method, but that came pre-configured with IDM/UA. Now I have an LDAP application that is attempting a SASL DIGEST-MD5 login, and this is the first LDAP application I've encountered that has not just done a simple bind.

The new LDAP application cannot authenticate using their LDAP Test built into the LDAP configuration gui.

Upon tracing their connection, I get an NMAS -1632 error.

17:46:17 AED0700 LDAP: Monitor 0xaed0700 initiating TLS handshake on connection 0x12fd500
17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0000:0x00) DoTLSHandshake on connection 0x12fd500
17:46:17 12125700 LDAP: BIO ctrl called with unknown cmd 7
17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0000:0x00) Completed TLS handshake on connection 0x12fd500
17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Implied anonymous bind by operation 0x41:0x63 on connection 0x12fd500
17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) DoSearch on connection 0x12fd500
17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Search request:
base: ""
scope:0 dereference:0 sizelimit:0 timelimit:120 attrsonly:0
filter: "(objectclass=*)"
attribute: "supportedCapabilities"
17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Unsupported or duplicate attribute: "supportedCapabilities"
17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Sending search result entry "" to connection 0x12fd500
17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Sending operation result 0:"":"" to connection 0x12fd500
17:46:17 34C8B700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0042:0x63) DoSearch on connection 0x12fd500
17:46:17 34C8B700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0042:0x63) Search request:
base: ""
scope:0 dereference:0 sizelimit:0 timelimit:120 attrsonly:0
filter: "(objectclass=*)"
attribute: "supportedSASLMechanisms"
17:46:17 34C8B700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0042:0x63) Sending search result entry "" to connection 0x12fd500
17:46:17 34C8B700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0042:0x63) Sending operation result 0:"":"" to connection 0x12fd500
17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0043:0x63) DoSearch on connection 0x12fd500
03/21/2019
17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0043:0x63) Search request:
base: ""
scope:0 dereference:0 sizelimit:0 timelimit:120 attrsonly:0
filter: "(objectclass=*)"
attribute: "supportedCapabilities"
17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0043:0x63) Unsupported or duplicate attribute: "supportedCapabilities"
17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0043:0x63) Sending search result entry "" to connection 0x12fd500
17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0043:0x63) Sending operation result 0:"":"" to connection 0x12fd500
17:46:17 34584700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0044:0x63) DoSearch on connection 0x12fd500
17:46:17 34584700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0044:0x63) Search request:
base: ""
scope:0 dereference:0 sizelimit:0 timelimit:120 attrsonly:0
filter: "(objectclass=*)"
attribute: "supportedSASLMechanisms"
17:46:17 34584700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0044:0x63) Sending search result entry "" to connection 0x12fd500
17:46:17 34584700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0044:0x63) Sending operation result 0:"":"" to connection 0x12fd500
17:46:18 35594700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0045:0x60) DoBind on connection 0x12fd500
17:46:18 35594700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0045:0x60) Bind name:NULL, version:3, authentication:DIGEST-MD5
17:46:18 35594700 NMAS: 262217: Create NMAS Session
17:46:18 35594700 NMAS: 262217: SASL DIGEST-MD5 started
17:46:18 35594700 NMAS: 262217: NMAS Audit with Audit PA not installed
17:46:18 35594700 NMAS: 262217: NMAS Audit with XDAS not installed
17:46:18 35594700 NMAS: 262217: Proxy client address XXX.XXX.XXX.XXX:57213
17:46:18 35594700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0045:0x60) Sending operation result 14:"":"" to connection 0x12fd500
17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) DoBind on connection 0x12fd500
17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) Bind (cont) name:NULL, version:3, authentication:DIGEST-MD5
17:46:18 ABCD700 NMAS: 262217: NMAS Audit with Audit PA not installed
17:46:18 ABCD700 NMAS: 262217: NMAS Audit with XDAS not installed
17:46:18 ABCD700 NMAS: 262217: ERROR: -1632 SASL_DoMechanism: NMAS_InvokeMechanism
17:46:18 ABCD700 NMAS: 262217: Client Session Destroy Request
17:46:18 ABCD700 NMAS: 262217: Destroy NMAS Session
17:46:18 ABCD700 NMAS: 262217: Aborted Session Destroyed (with MAF)
17:46:18 ABCD700 LDAP: Environment variable is set to not put NMAS NetworkAddress:
17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) Failed to authenticate full context on connection 0x12fd500, err = -1632 (0xfffff9a0)
17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) Sending operation result 49:"":"" to connection 0x12fd500

I have confirmed that the RootDSE does have DIGEST-MD5 listed as a supportedSASLMechanism, which makes sense because it appears from the trace that this is what is negotiated. I have also confirmed that cn=DIGEST-MD5,cn=Authorized Login Methods,cn=Security exists in the tree and, in iManager, it is Authorized, but it's listed in my user's NMAS Login Sequence.

Can anyone guide me in the right direction here? I'm wondering if the line "Bind (cont) name:NULL, version:3, authentication:DIGEST-MD5" is wrong, because it looks as though the LDAP application is sending NULL rather than the full DN of the user to authenticate.

Any help would be appreciated.

Thanks!

Joe
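An added example, not part of the post above, for reading this kind of eDirectory LDAP/NMAS trace without eyeballing it: the parser below walks the trace, picks out every BindRequest (operation tag 0x60; 0x63 is a SearchRequest), pairs each one with its LDAP result code, and attaches any NMAS ERROR line that the same server thread logged while that bind was in flight. It encodes two facts worth knowing when you read the trace: LDAP result 14 is saslBindInProgress, meaning the server accepted the mechanism and sent back a challenge, so the DIGEST-MD5 negotiation itself started fine; and an empty bind name is normal for a SASL bind, because the identity travels inside the SASL credentials and RFC 4513 tells servers to ignore the name field for SASL binds (DIGEST-MD5 itself has since been moved to Historic by RFC 6331). The sample trace is constructed from the lines in the post with the same placeholder address; the line format the regular expressions expect is assumed from that trace and is not an official eDirectory specification.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, trimmed from the trace in the post (placeholder address kept).
SAMPLE_TRACE = """\
17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) DoSearch on connection 0x12fd500
17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Search request:
base: ""
attribute: "supportedSASLMechanisms"
17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Sending operation result 0:"":"" to connection 0x12fd500
17:46:18 35594700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0045:0x60) DoBind on connection 0x12fd500
17:46:18 35594700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0045:0x60) Bind name:NULL, version:3, authentication:DIGEST-MD5
17:46:18 35594700 NMAS: 262217: SASL DIGEST-MD5 started
17:46:18 35594700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0045:0x60) Sending operation result 14:"":"" to connection 0x12fd500
17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) DoBind on connection 0x12fd500
17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) Bind (cont) name:NULL, version:3, authentication:DIGEST-MD5
17:46:18 ABCD700 NMAS: 262217: ERROR: -1632 SASL_DoMechanism: NMAS_InvokeMechanism
17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) Failed to authenticate full context on connection 0x12fd500, err = -1632 (0xfffff9a0)
17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) Sending operation result 49:"":"" to connection 0x12fd500
"""

# LDAP resultCode values from RFC 4511 that matter for a bind.
LDAP_RESULT_NAMES = {
    0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
    14: "saslBindInProgress", 48: "inappropriateAuthentication", 49: "invalidCredentials",
}
BIND_REQUEST_TAG = "0x60"  # BER tag of LDAP BindRequest [APPLICATION 0]

# Line shapes assumed from the trace in the post.
OP_RE = re.compile(r"LDAP: \((?P<peer>[^)]+)\)\((?P<msgid>0x[0-9A-Fa-f]+):(?P<op>0x[0-9A-Fa-f]+)\) (?P<rest>.*)$")
BIND_RE = re.compile(r"^Bind(?: \(cont\))? name:(?P<name>[^,]*), version:(?P<version>\d+), authentication:(?P<mech>\S+)")
RESULT_RE = re.compile(r"^Sending operation result (?P<code>\d+):")
NMAS_ERR_RE = re.compile(r"NMAS: \d+: ERROR: (?P<code>-?\d+) (?P<where>.*)$")


@dataclass
class BindAttempt:
    msgid: str
    name: str = ""
    mechanism: str = ""
    continuation: bool = False          # "Bind (cont)": client answering the SASL challenge
    result_code: Optional[int] = None
    nmas_errors: List[Tuple[int, str]] = field(default_factory=list)

    @property
    def result_name(self) -> str:
        return LDAP_RESULT_NAMES.get(self.result_code, "unknown")


def parse_bind_attempts(trace: str) -> List[BindAttempt]:
    """Return every bind in the trace, in order, with its result and NMAS errors."""
    attempts = {}            # msgid -> BindAttempt
    order = []
    active_by_thread = {}    # thread id -> msgid of the bind that thread is servicing
    for line in trace.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:   # base:/filter:/attribute: detail lines carry no thread id
            continue
        thread = parts[1]
        m = OP_RE.search(line)
        if m:
            if m["op"].lower() != BIND_REQUEST_TAG:
                continue     # searches and other operations are not of interest here
            att = attempts.get(m["msgid"])
            if att is None:
                att = attempts[m["msgid"]] = BindAttempt(msgid=m["msgid"])
                order.append(m["msgid"])
            active_by_thread[thread] = m["msgid"]
            b = BIND_RE.match(m["rest"])
            if b:
                att.name, att.mechanism = b["name"], b["mech"]
                att.continuation = "(cont)" in m["rest"]
            r = RESULT_RE.match(m["rest"])
            if r:            # the result closes the bind on this thread
                att.result_code = int(r["code"])
                active_by_thread.pop(thread, None)
            continue
        e = NMAS_ERR_RE.search(line)
        if e and thread in active_by_thread:   # NMAS lines carry only the thread id
            attempts[active_by_thread[thread]].nmas_errors.append((int(e["code"]), e["where"]))
    return [attempts[k] for k in order]


def summarize(attempts: List[BindAttempt]) -> List[str]:
    """One human-readable line per bind, for a ticket or a detection note."""
    out = []
    for a in attempts:
        stage = "continuation" if a.continuation else "initial"
        s = f"msgid {a.msgid}: {stage} SASL {a.mechanism} bind, name={a.name!r} -> {a.result_code} ({a.result_name})"
        for code, where in a.nmas_errors:
            s += f"; NMAS error {code} in {where}"
        out.append(s)
    return out


if __name__ == "__main__":
    for line in summarize(parse_bind_attempts(SAMPLE_TRACE)):
        print(line)
```

Run against the trace in the post, the summary shows the initial bind ending in 14 (saslBindInProgress) and the continuation bind, the one carrying the client's challenge response, ending in 49 (invalidCredentials) with NMAS -1632 attached. That places the failure inside NMAS's handling of the mechanism after the LDAP negotiation succeeded, which is a more useful starting point for a support case than the bare result code.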