
abobrov
12.20.2008 a5020045ac2483ebf7a1b599ef67aa9ca05bd703
- [Issue 2925] SASL DigestMD5 Handler denies authentication from Solaris ldapclient:
relax the required status of the digest-uri directive to maintain compatibility/interoperability with legacy/broken client implementations.
2 files modified
25 ■■■■ changed files
opends/src/messages/messages/extension.properties 3 ●●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java 22 ●●●●● patch | view | raw | blame | history
opends/src/messages/messages/extension.properties
@@ -708,9 +708,6 @@
 provided by the client did not contain the required "cnonce" token
MILD_ERR_SASLDIGESTMD5_NO_NONCE_COUNT_IN_RESPONSE_221=The DIGEST-MD5 \
 credentials provided by the client did not contain the required "nc" token
MILD_ERR_SASLDIGESTMD5_NO_DIGEST_URI_IN_RESPONSE_222=The DIGEST-MD5 \
 credentials provided by the client did not contain the required "digest-uri" \
 token
MILD_ERR_SASLDIGESTMD5_NO_DIGEST_IN_RESPONSE_223=The DIGEST-MD5 credentials \
 provided by the client did not contain the required "response" token
MILD_ERR_SASLDIGESTMD5_CANNOT_DECODE_USERNAME_AS_DN_224=An error occurred \
opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Portions Copyright 2006-2007 Sun Microsystems, Inc.
 *      Portions Copyright 2006-2008 Sun Microsystems, Inc.
 */
package org.opends.server.extensions;
@@ -672,14 +672,6 @@
      bindOperation.setAuthFailureReason(message);
      return;
    }
    else if (responseDigestURI == null)
    {
      bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
      Message message = ERR_SASLDIGESTMD5_NO_DIGEST_URI_IN_RESPONSE.get();
      bindOperation.setAuthFailureReason(message);
      return;
    }
    else if (responseDigest == null)
    {
      bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
@@ -690,6 +682,18 @@
    }
    // Slight departure from draft-ietf-sasl-rfc2831bis-06 in order to
    // support legacy/broken client implementations, such as Solaris
    // Native LDAP Client, which omit digest-uri directive. the presence
    // of digest-uri directive erroneously read "may" in the RFC and has
    // been fixed later in the DRAFT to read "must". if the client does
    // not include digest-uri directive use the empty string instead.
    if (responseDigestURI == null)
    {
      responseDigestURI = "";
    }
    // If a realm has not been specified, then use the empty string.
    // FIXME -- Should we reject this if a specific realm is defined?
    if (responseRealm == null)