From a5020045ac2483ebf7a1b599ef67aa9ca05bd703 Mon Sep 17 00:00:00 2001
From: abobrov <abobrov@localhost>
Date: Tue, 12 Feb 2008 12:20:28 +0000
Subject: [PATCH] - [Issue 2925] SASL DigestMD5 Handler denies authentication from Solaris ldapclient: relax the required status of the digest-uri directive to maintain compatibility/interoperability with legacy/broken client implementations.

---
 opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java |   22 +++++++++++++---------
 1 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java b/opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java
index e748dce..ddcf83a 100644
--- a/opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java
+++ b/opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java
@@ -22,7 +22,7 @@
  * CDDL HEADER END
  *
  *
- *      Portions Copyright 2006-2007 Sun Microsystems, Inc.
+ *      Portions Copyright 2006-2008 Sun Microsystems, Inc.
  */
 package org.opends.server.extensions;
 
@@ -672,14 +672,6 @@
       bindOperation.setAuthFailureReason(message);
       return;
     }
-    else if (responseDigestURI == null)
-    {
-      bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
-
-      Message message = ERR_SASLDIGESTMD5_NO_DIGEST_URI_IN_RESPONSE.get();
-      bindOperation.setAuthFailureReason(message);
-      return;
-    }
     else if (responseDigest == null)
     {
       bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
@@ -690,6 +682,18 @@
     }
 
 
+    // Slight departure from draft-ietf-sasl-rfc2831bis-06 in order to
+    // support legacy/broken client implementations, such as Solaris
+    // Native LDAP Client, which omit digest-uri directive. the presence
+    // of digest-uri directive erroneously read "may" in the RFC and has
+    // been fixed later in the DRAFT to read "must". if the client does
+    // not include digest-uri directive use the empty string instead.
+    if (responseDigestURI == null)
+    {
+      responseDigestURI = "";
+    }
+
+
     // If a realm has not been specified, then use the empty string.
     // FIXME -- Should we reject this if a specific realm is defined?
     if (responseRealm == null)
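Review bot: The fallback at `if (responseDigestURI == null)` is unconditional, so every client may now omit digest-uri, not only the legacy Solaris one. That directive names the service the client believes it is authenticating to and is part of the response digest computation. With the empty string substituted, a response no longer carries a service name the server can check, and an absent directive becomes indistinguishable from an explicitly empty `digest-uri=""`. I would gate the substitution on a handler configuration setting that defaults to strict (name to be chosen; none is visible here) and log when the fallback is taken, with a comment such as `// digest-uri absent: response is not bound to a service name`. The enclosing method starts and ends outside this hunk, so please confirm that any later comparison of digest-uri against the server's own host name is not silently skipped for the empty value.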

--
Gitblit v1.10.0