
Thread: SASL DIGEST-MD5 -1632 error

  1. #1
    03/21/2019

    SASL DIGEST-MD5 -1632 error

    First, I've never configured a SASL login method; they were all installed when eDirectory was installed. I know the UA uses a SASL login method, but that came pre-configured with IDM/UA. Now I have an LDAP application that is attempting a SASL DIGEST-MD5 login, and this is the first LDAP application I've encountered that has not just done a simple bind.

    The new LDAP application cannot authenticate using their LDAP Test built into the LDAP configuration gui.

    Upon tracing their connection, I get an NMAS -1632 error.

    17:46:17 AED0700 LDAP: Monitor 0xaed0700 initiating TLS handshake on connection 0x12fd500
    17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0000:0x00) DoTLSHandshake on connection 0x12fd500
    17:46:17 12125700 LDAP: BIO ctrl called with unknown cmd 7
    17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0000:0x00) Completed TLS handshake on connection 0x12fd500
    17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Implied anonymous bind by operation 0x41:0x63 on connection 0x12fd500
    17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) DoSearch on connection 0x12fd500
    17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Search request:
    base: ""
    scope:0 dereference:0 sizelimit:0 timelimit:120 attrsonly:0
    filter: "(objectclass=*)"
    attribute: "supportedCapabilities"
    17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Unsupported or duplicate attribute: "supportedCapabilities"
    17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Sending search result entry "" to connection 0x12fd500
    17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Sending operation result 0:"":"" to connection 0x12fd500
    17:46:17 34C8B700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0042:0x63) DoSearch on connection 0x12fd500
    17:46:17 34C8B700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0042:0x63) Search request:
    base: ""
    scope:0 dereference:0 sizelimit:0 timelimit:120 attrsonly:0
    filter: "(objectclass=*)"
    attribute: "supportedSASLMechanisms"
    17:46:17 34C8B700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0042:0x63) Sending search result entry "" to connection 0x12fd500
    17:46:17 34C8B700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0042:0x63) Sending operation result 0:"":"" to connection 0x12fd500
    17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0043:0x63) DoSearch on connection 0x12fd500
    17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0043:0x63) Search request:
    base: ""
    scope:0 dereference:0 sizelimit:0 timelimit:120 attrsonly:0
    filter: "(objectclass=*)"
    attribute: "supportedCapabilities"
    17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0043:0x63) Unsupported or duplicate attribute: "supportedCapabilities"
    17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0043:0x63) Sending search result entry "" to connection 0x12fd500
    17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0043:0x63) Sending operation result 0:"":"" to connection 0x12fd500
    17:46:17 34584700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0044:0x63) DoSearch on connection 0x12fd500
    17:46:17 34584700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0044:0x63) Search request:
    base: ""
    scope:0 dereference:0 sizelimit:0 timelimit:120 attrsonly:0
    filter: "(objectclass=*)"
    attribute: "supportedSASLMechanisms"
    17:46:17 34584700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0044:0x63) Sending search result entry "" to connection 0x12fd500
    17:46:17 34584700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0044:0x63) Sending operation result 0:"":"" to connection 0x12fd500
    17:46:18 35594700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0045:0x60) DoBind on connection 0x12fd500
    17:46:18 35594700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0045:0x60) Bind name:NULL, version:3, authentication:DIGEST-MD5
    17:46:18 35594700 NMAS: 262217: Create NMAS Session
    17:46:18 35594700 NMAS: 262217: SASL DIGEST-MD5 started
    17:46:18 35594700 NMAS: 262217: NMAS Audit with Audit PA not installed
    17:46:18 35594700 NMAS: 262217: NMAS Audit with XDAS not installed
    17:46:18 35594700 NMAS: 262217: Proxy client address XXX.XXX.XXX.XXX:57213
    17:46:18 35594700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0045:0x60) Sending operation result 14:"":"" to connection 0x12fd500
    17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) DoBind on connection 0x12fd500
    17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) Bind (cont) name:NULL, version:3, authentication:DIGEST-MD5
    17:46:18 ABCD700 NMAS: 262217: NMAS Audit with Audit PA not installed
    17:46:18 ABCD700 NMAS: 262217: NMAS Audit with XDAS not installed
    17:46:18 ABCD700 NMAS: 262217: ERROR: -1632 SASL_DoMechanism: NMAS_InvokeMechanism
    17:46:18 ABCD700 NMAS: 262217: Client Session Destroy Request
    17:46:18 ABCD700 NMAS: 262217: Destroy NMAS Session
    17:46:18 ABCD700 NMAS: 262217: Aborted Session Destroyed (with MAF)
    17:46:18 ABCD700 LDAP: Environment variable is set to not put NMAS NetworkAddress:
    17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) Failed to authenticate full context on connection 0x12fd500, err = -1632 (0xfffff9a0)
    17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) Sending operation result 49:"":"" to connection 0x12fd500

    I have confirmed that the RootDSE does have DIGEST-MD5 listed as a supportedSASLMechanism. Which makes sense because it appears from the trace that is what is negotiated. I have also confirmed that cn=DIGEST-MD5,cn=Authorized Login Methods,cn=Security exists in the tree and, in iManager it is Authorized, but it's listed in my user's NMAS Login Sequence.

    Can anyone guide me in the right direction here? I'm wondering if the line "Bind (cont) name:NULL, version:3, authentication:DIGEST-MD5" is wrong, because it looks as though the LDAP application is sending NULL rather than the full DN of the user to authenticate.

    Any help would be appreciated.

    Thanks!

    Joe

  2. #2

    Re: SASL DIGEST-MD5 -1632 error

    jmckinne,

    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.

    These forums are peer-to-peer, best effort, volunteer run, and if your issue
    is urgent or not getting a response, you might try one of the following options:

    - Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
    all the other self support options and support programs available.
    - Open a service request: https://www.microfocus.com/support
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.microfocus.com)
    - You might consider hiring a local partner to assist you.
    https://www.partnernetprogram.com/pa...nder/find.html

    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.microfocus.com/faq.php

    Sometimes this automatic posting will alert someone that can respond.

    If this is a reply to a duplicate posting or otherwise posted in error, please
    ignore and accept our apologies and rest assured we will issue a stern reprimand
    to our posting bot.

    Good luck!

    Your Micro Focus Forums Team
    http://forums.microfocus.com



  3. #3

    Re: SASL DIGEST-MD5 -1632 error

    UPDATE: As far as the application goes, it does appear that it was sending the bind information as an AD domain UPN login, i.e. username@domainname. I'm still not clear if they were actually trying to perform a SASL DIGEST-MD5 authentication or not. I was told they were just performing a simple bind, but as you can see from the LDAP/NMAS trace, it was interpreted by eDirectory LDAP as a SASL DIGEST-MD5 authentication. I was unable to obtain network traces. I do suspect the NMAS -1632 error is the correct response (NMAS E BAD Request Syntax) if the application was sending username@domainname as the username in the SASL DIGEST-MD5 authentication transaction.

    While troubleshooting, I was able to recreate this same error using Apache Directory Studio by just selecting DIGEST-MD5 (SASL) in the Authentication tab - Authentication Method. I still got the -1632 error even with a correct bind user with full DN and correct password. So, I still don't know why it's not working when it looks like it should work. If anyone has any suggestions on where to look for any configuration settings or perhaps my client settings, that would be appreciated.

    Thanks,

    Joe
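What the DIGEST-MD5 round trip actually computes, and where the form of the username enters it, is easier to see in code than in the trace. The following is an added example, not from the original posts and not eDirectory's, NMAS's or Apache Directory Studio's code: a Python implementation of the RFC 2831 response and rspauth computation (algorithm=md5-sess, qop=auth) together with a toy server whose credential store is a dict keyed by the presented authentication id. The realm example.com, the user jdoe, the password and the digest-uri ldap/ldap.example.com are made up. How eDirectory resolves the username field to an object is not documented on this page; the toy server requires an exact key match, which is enough to show that a name the server cannot resolve fails before any password is compared.

```python
import hashlib
import hmac
import os


def parse_digest_fields(text):
    """Parse the comma-separated key=value / key="value" list used by DIGEST-MD5 messages."""
    fields, key, buf, quoted = {}, None, [], False
    for ch in text + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "=" and key is None and not quoted:
            key, buf = "".join(buf).strip(), []
        elif ch == "," and not quoted:
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
    return fields


def _hexmd5(data):
    return hashlib.md5(data).hexdigest()


def _digest(username, realm, password, nonce, cnonce, digest_uri, nc, qop, a2_prefix):
    """KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))) as in RFC 2831 sections 2.1.2.1 / 2.1.3.
    With algorithm=md5-sess, H(username:realm:passwd) enters A1 as the raw 16 bytes, not hex.
    (An authzid, if the client sends one, is appended to A1 as ":authzid"; omitted here.)"""
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"{a2_prefix}{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    kd_input = f"{_hexmd5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexmd5(a2.encode('utf-8'))}"
    return _hexmd5(kd_input.encode("utf-8"))


def response_value(username, realm, password, nonce, cnonce, digest_uri, nc="00000001", qop="auth"):
    """The client's 'response' value: A2 = "AUTHENTICATE:" digest-uri."""
    return _digest(username, realm, password, nonce, cnonce, digest_uri, nc, qop, "AUTHENTICATE:")


def rspauth_value(username, realm, password, nonce, cnonce, digest_uri, nc="00000001", qop="auth"):
    """The server's 'rspauth' value: same KD, but A2 = ":" digest-uri (no method)."""
    return _digest(username, realm, password, nonce, cnonce, digest_uri, nc, qop, ":")


def server_challenge(realm, nonce=None):
    """Step 1 (the bind that comes back as result 14): the server's digest-challenge."""
    nonce = nonce or os.urandom(16).hex()
    return f'realm="{realm}",nonce="{nonce}",qop="auth",algorithm=md5-sess,charset=utf-8'


def client_response(challenge, username, password, digest_uri, cnonce=None):
    """Step 2 (the 'Bind (cont)'): the client's digest-response for that challenge."""
    c = parse_digest_fields(challenge)
    cnonce = cnonce or os.urandom(16).hex()
    resp = response_value(username, c["realm"], password, c["nonce"], cnonce, digest_uri)
    return (f'charset=utf-8,username="{username}",realm="{c["realm"]}",nonce="{c["nonce"]}",'
            f'nc=00000001,cnonce="{cnonce}",digest-uri="{digest_uri}",response={resp},qop=auth')


def server_verify(response, users, issued_nonce):
    """Return (ok, rspauth). `users` maps authentication id -> cleartext password: the verifier
    needs the password (or a stored H(username:realm:password)), never just a one-way hash."""
    f = parse_digest_fields(response)
    if f.get("nonce") != issued_nonce or f.get("nc") != "00000001":
        return False, None                       # stale or replayed challenge
    password = users.get(f.get("username"))
    if password is None:
        return False, None                       # authentication id not resolvable as presented
    args = (f["username"], f["realm"], password, f["nonce"], f["cnonce"], f["digest-uri"], f["nc"], f["qop"])
    if not hmac.compare_digest(response_value(*args), f.get("response", "")):
        return False, None                       # wrong password (or tampered fields)
    return True, rspauth_value(*args)


if __name__ == "__main__":
    users = {"jdoe": "correct horse battery"}   # constructed toy credential store
    ch = server_challenge("example.com")
    nonce = parse_digest_fields(ch)["nonce"]
    for name in ("jdoe", "jdoe@example.com", "cn=jdoe,ou=users,o=example"):
        resp = client_response(ch, name, users["jdoe"], "ldap/ldap.example.com")
        print(f"{name!r:36} -> verified={server_verify(resp, users, nonce)[0]}")
```

Two points a practitioner should keep in mind when chasing this against a real directory. First, verifying a DIGEST-MD5 response requires the server to hold either the cleartext password or H(username:realm:password) for the account, so a user whose password the server cannot recover in one of those forms cannot complete the mechanism regardless of how the client formats the name. Second, DIGEST-MD5 was moved to Historic status by RFC 6331 (MD5, no channel binding, and a captured exchange on a non-TLS connection allows offline guessing of the password), so for a new integration a simple bind inside TLS, or a stronger SASL mechanism the server offers, is the better target than getting DIGEST-MD5 to work.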

  4. #4

    Re: SASL DIGEST-MD5 -1632 error

    On 03/27/2019 01:26 PM, jmckinne wrote:
    >
    > While troubleshooting, I was able to recreate this same error using
    > Apache Directory Studio by just selecting DIGEST-MD5 (SASL) in the
    > Authentication tab - Authentication Method. I still got the -1632 error
    > even with a correct bind user with full DN and correct password. So, I


    That's definitely interesting; considering the common use of simple binds
    without SASL it may be worth troubleshooting that side, especially since
    you indicated the bind was successful despite the error (how odd that is).
    Does this happen on all servers (assuming a multi-server environment) and
    all users? I haven't noticed a -1632 on a regular simple bind when the
    login actually worked ever (at least in my memory), which makes me really
    curious how that can happen considering what the error is supposed to mean.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
