jmckinne Absent Member.

SASL DIGEST-MD5 -1632 error

First, I've never configured a SASL login Method, they were all installed when eDirectory was installed. I know the UA uses SASL login method, but that came pre-configured with IDM/UA. Now, I have an LDAP application that is attempting a SASL DIGEST-MD5 login and this is the first LDAP application I've encountered that has not just done a simple bind.

The new LDAP application cannot authenticate using their LDAP Test built into the LDAP configuration gui.

Upon tracing their connection, I get an NMAS -1632 error.

17:46:17 AED0700 LDAP: Monitor 0xaed0700 initiating TLS handshake on connection 0x12fd500
17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0000:0x00) DoTLSHandshake on connection 0x12fd500
17:46:17 12125700 LDAP: BIO ctrl called with unknown cmd 7
17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0000:0x00) Completed TLS handshake on connection 0x12fd500
17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Implied anonymous bind by operation 0x41:0x63 on connection 0x12fd500
17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) DoSearch on connection 0x12fd500
17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Search request:
base: ""
scope:0 dereference:0 sizelimit:0 timelimit:120 attrsonly:0
filter: "(objectclass=*)"
attribute: "supportedCapabilities"
17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Unsupported or duplicate attribute: "supportedCapabilities"
17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Sending search result entry "" to connection 0x12fd500
17:46:17 CB85700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0041:0x63) Sending operation result 0:"":"" to connection 0x12fd500
17:46:17 34C8B700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0042:0x63) DoSearch on connection 0x12fd500
17:46:17 34C8B700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0042:0x63) Search request:
base: ""
scope:0 dereference:0 sizelimit:0 timelimit:120 attrsonly:0
filter: "(objectclass=*)"
attribute: "supportedSASLMechanisms"
17:46:17 34C8B700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0042:0x63) Sending search result entry "" to connection 0x12fd500
17:46:17 34C8B700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0042:0x63) Sending operation result 0:"":"" to connection 0x12fd500
17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0043:0x63) DoSearch on connection 0x12fd500
03/21/2019
17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0043:0x63) Search request:
base: ""
scope:0 dereference:0 sizelimit:0 timelimit:120 attrsonly:0
filter: "(objectclass=*)"
attribute: "supportedCapabilities"
17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0043:0x63) Unsupported or duplicate attribute: "supportedCapabilities"
17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0043:0x63) Sending search result entry "" to connection 0x12fd500
17:46:17 12125700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0043:0x63) Sending operation result 0:"":"" to connection 0x12fd500
17:46:17 34584700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0044:0x63) DoSearch on connection 0x12fd500
17:46:17 34584700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0044:0x63) Search request:
base: ""
scope:0 dereference:0 sizelimit:0 timelimit:120 attrsonly:0
filter: "(objectclass=*)"
attribute: "supportedSASLMechanisms"
17:46:17 34584700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0044:0x63) Sending search result entry "" to connection 0x12fd500
17:46:17 34584700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0044:0x63) Sending operation result 0:"":"" to connection 0x12fd500
17:46:18 35594700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0045:0x60) DoBind on connection 0x12fd500
17:46:18 35594700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0045:0x60) Bind name:NULL, version:3, authentication:DIGEST-MD5
17:46:18 35594700 NMAS: 262217: Create NMAS Session
17:46:18 35594700 NMAS: 262217: SASL DIGEST-MD5 started
17:46:18 35594700 NMAS: 262217: NMAS Audit with Audit PA not installed
17:46:18 35594700 NMAS: 262217: NMAS Audit with XDAS not installed
17:46:18 35594700 NMAS: 262217: Proxy client address XXX.XXX.XXX.XXX:57213
17:46:18 35594700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0045:0x60) Sending operation result 14:"":"" to connection 0x12fd500
17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) DoBind on connection 0x12fd500
17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) Bind (cont) name:NULL, version:3, authentication:DIGEST-MD5
17:46:18 ABCD700 NMAS: 262217: NMAS Audit with Audit PA not installed
17:46:18 ABCD700 NMAS: 262217: NMAS Audit with XDAS not installed
17:46:18 ABCD700 NMAS: 262217: ERROR: -1632 SASL_DoMechanism: NMAS_InvokeMechanism
17:46:18 ABCD700 NMAS: 262217: Client Session Destroy Request
17:46:18 ABCD700 NMAS: 262217: Destroy NMAS Session
17:46:18 ABCD700 NMAS: 262217: Aborted Session Destroyed (with MAF)
17:46:18 ABCD700 LDAP: Environment variable is set to not put NMAS NetworkAddress:
17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) Failed to authenticate full context on connection 0x12fd500, err = -1632 (0xfffff9a0)
17:46:18 ABCD700 LDAP: (XXX.XXX.XXX.XXX:57213)(0x0046:0x60) Sending operation result 49:"":"" to connection 0x12fd500

I have confirmed that the RootDSE does have DIGEST-MD5 listed as a supportedSASLMechanism, which makes sense because it appears from the trace that that is what is negotiated. I have also confirmed that cn=DIGEST-MD5,cn=Authorized Login Methods,cn=Security exists in the tree and, in iManager, it is Authorized, but it's listed in my user's NMAS Login Sequence.

Can anyone guide me in the right direction here? I'm wondering if the line "Bind (cont) name:NULL, version:3, authentication:DIGEST-MD5" is wrong, because it looks as though the LDAP application is sending NULL rather than the full DN of the user to authenticate?

Any help would be appreciated.

Thanks!

Joe
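As an added illustration (not code from this thread or from eDirectory), the following Python script parses the bind portion of an ndstrace excerpt like the one above and annotates the two-step SASL exchange: the result 14 (saslBindInProgress) on the first bind request, the continuation request, and the NMAS error logged just before the result 49 (invalidCredentials). The sample trace is constructed from the post's lines with a documentation IP address substituted; the note about the empty bind name follows RFC 4513, which has SASL binds carry the identity inside the SASL credentials rather than in the bind name.

```python
import re
# Constructed sample: the bind part of the post's ndstrace, with a documentation address in place of the real client
SAMPLE_TRACE = """\
17:46:18 35594700 LDAP: (192.0.2.10:57213)(0x0045:0x60) Bind name:NULL, version:3, authentication:DIGEST-MD5
17:46:18 35594700 LDAP: (192.0.2.10:57213)(0x0045:0x60) Sending operation result 14:"":"" to connection 0x12fd500
17:46:18 ABCD700 LDAP: (192.0.2.10:57213)(0x0046:0x60) Bind (cont) name:NULL, version:3, authentication:DIGEST-MD5
17:46:18 ABCD700 NMAS: 262217: ERROR: -1632 SASL_DoMechanism: NMAS_InvokeMechanism
17:46:18 ABCD700 LDAP: (192.0.2.10:57213)(0x0046:0x60) Sending operation result 49:"":"" to connection 0x12fd500
"""

# LDAP result codes that show up on bind responses (RFC 4511, Appendix A)
RESULT_NAMES = {0: "success", 7: "authMethodNotSupported", 14: "saslBindInProgress", 49: "invalidCredentials"}
# "(0x0045:0x60)" is the LDAP message id followed by the BER application tag: 0x60 BindRequest, 0x63 SearchRequest
LDAP_OP = re.compile(r"LDAP: \((?P<client>[^)]+)\)\((?P<msgid>0x[0-9a-fA-F]+):0x60\) (?P<rest>.*)$")
BIND = re.compile(r"Bind (?P<cont>\(cont\) )?name:(?P<name>.*?), version:(?P<ver>\d+), authentication:(?P<mech>\S+)")
RESULT = re.compile(r"Sending operation result (?P<code>\d+):")
NMAS_ERR = re.compile(r"NMAS: \d+: ERROR: (?P<code>-\d+) (?P<where>.*)$")

def parse_bind_steps(trace):
    """One dict per bind step in trace order; an NMAS error logged before a step's result is attached to that step."""
    steps, pending_nmas = [], None
    for line in trace.splitlines():
        err = NMAS_ERR.search(line)
        if err:  # NMAS lines carry no LDAP message id, so hold the error until the LDAP result line arrives
            pending_nmas = (int(err["code"]), err["where"])
            continue
        op = LDAP_OP.search(line)
        if not op:
            continue
        bind, res = BIND.match(op["rest"]), RESULT.match(op["rest"])
        if bind:
            steps.append({"msgid": op["msgid"], "client": op["client"], "cont": bool(bind["cont"]),
                          "name": bind["name"], "mech": bind["mech"], "result": None, "nmas": None})
        elif res and steps and steps[-1]["msgid"] == op["msgid"]:
            steps[-1]["result"], steps[-1]["nmas"], pending_nmas = int(res["code"]), pending_nmas, None
    return steps

def diagnose(steps):
    if not steps:
        return "no bind operations in trace"
    first, last = steps[0], steps[-1]
    notes = [f"{first['mech']} bind from {first['client']} in {len(steps)} round trip(s)"]
    if first["mech"] != "simple" and first["name"] == "NULL":
        notes.append("empty bind name is expected for a SASL bind: the identity travels in the SASL credentials (RFC 4513)")
    if first["result"] == 14 and len(steps) > 1:
        notes.append("server sent a challenge (saslBindInProgress) and the client answered it")
    notes.append(f"final result {last['result']} ({RESULT_NAMES.get(last['result'], 'unknown')})")
    if last["nmas"]:
        notes.append(f"NMAS error {last['nmas'][0]} in {last['nmas'][1]}")
    return "; ".join(notes)
```

Running `diagnose(parse_bind_steps(SAMPLE_TRACE))` on the sample yields a one-line summary of the exchange; point it at a full ndstrace capture to see each bind attempt separately.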
AutomaticReply Absent Member.

Re: SASL DIGEST-MD5 -1632 error

jmckinne,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run, and if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
all the other self support options and support programs available.
- Open a service request: https://www.microfocus.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.microfocus.com)
- You might consider hiring a local partner to assist you.
https://www.partnernetprogram.com/partnerfinder/find.html

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.microfocus.com/faq.php

Sometimes this automatic posting will alert someone that can respond.

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your Micro Focus Forums Team
http://forums.microfocus.com

jmckinne Absent Member.

Re: SASL DIGEST-MD5 -1632 error

UPDATE: As far as the application goes, it does appear that it was sending the bind information as an AD domain UPN login, i.e. username@domainname. I'm still not clear if they were actually trying to perform a SASL DIGEST-MD5 authentication or not. I was told they were just performing a simple bind, but as you can see from the LDAP/NMAS trace, it was interpreted by eDirectory LDAP as a SASL DIGEST-MD5 authentication. I was unable to obtain network traces. I do suspect the NMAS -1632 error is the correct response (NMAS E BAD Request Syntax) if the application was sending username@domainname as the username in the SASL DIGEST-MD5 authentication transaction.

While troubleshooting, I was able to recreate this same error using Apache Directory Studio by just selecting DIGEST-MD5 (SASL) in the Authentication tab - Authentication Method. I still got the -1632 error even with a correct bind user with full DN and correct password. So, I still don't know why it's not working when it looks like it should work. If anyone has any suggestions on where to look for any configuration settings or perhaps my client settings, that would be appreciated.

Thanks,

Joe
Knowledge Partner

Re: SASL DIGEST-MD5 -1632 error

On 03/27/2019 01:26 PM, jmckinne wrote:
>
> While troubleshooting, I was able to recreate this same error using
> Apache Directory Studio by just selecting DIGEST-MD5 (SASL) in the
> Authentication tab - Authentication Method. I still got the -1632 error
> even with a correct bind user with full DN and correct password. So, I


That's definitely interesting; considering the common use of simple binds
without SASL it may be worth troubleshooting that side, especially since
you indicated the bind was successful despite the error (how odd that is).
Does this happen on all servers (assuming a multi-server environment) and
all users? I haven't ever noticed a -1632 on a regular simple bind when the
login actually worked (at least in my memory), which makes me really
curious how that can happen considering what the error is supposed to mean.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.