Hello everyone,
I hope someone could point me in the right direction regarding an issue with clients using SASL DIGEST-MD5 failing to connect to Openfire with LDAP integration.
The client can successfully connect using DIGEST-MD5 when we use the Default option, but we require LDAP.
We set up Openfire 3.8.2 to use OpenLDAP integration. We have a client that connects using DIGEST-MD5 only. Below are the output of the login process and the debug log. As you can see, the server only offers the client PLAIN and ANONYMOUS, but the client is requesting DIGEST-MD5.
STDOUT:
C2S - RECV (2974425): <?xml version="1.0"?>, <stream:stream xmlns:stream="http://etherx.jabber.org/streams" version="1.0" xmlns="jabber:client" to="xmpp-1.pllca.com" xml:lang="en" xmlns:xml="http://www.w3.org/XML/1998/namespace">
C2S - SENT (2974425): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="xmpp-1.pllca.com" id="a9926f61" xml:lang="en" version="1.0">
C2S - SENT (2974425): <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>
C2S - RECV (2974425): <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="DIGEST-MD5" />
C2S - SENT (2974425): <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">cmVhbG09InhtcHAtMS5wbGxjYS5jb20iLG5vbmNlPSJYeFh5TmEvTGM0WXJnYWpWYS9NZjdqZ1NzQk9ra2FXQjkzd2FMdWsxIixxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz</challenge>
C2S - RECV (2974425): <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">dXNlcm5hbWU9IjAwMWZmZjMyMDVlZiIscmVhbG09InhtcHAtMS5wbGxjYS5jb20iLG5vbmNlPSJYeFh5TmEvTGM0WXJnYWpWYS9NZjdqZ1NzQk9ra2FXQjkzd2FMdWsxIixjbm9uY2U9IjAxOWE2MTE0MzE5MjZiMzczY2FmMjc5MDNmZWJiMDI1IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxkaWdlc3QtdXJpPSJ4bXBwL3htcHAtMS5wbGxjYS5jb20iLHJlc3BvbnNlPTVhOGIwYmI0ZTEwZmNkYmJiMTdhY2JhMmZkZGZiYTU5LGNoYXJzZXQ9dXRmLTg=</response>
C2S - SENT (2974425): <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>
Debug:
org.jivesoftware.openfire.net.SASLAuthentication - SASLAuthentication: SaslException
javax.security.sasl.SaslException: DIGEST-MD5: IO error acquiring password [Caused by java.io.IOException: java.lang.UnsupportedOperationException]
at com.sun.security.sasl.digest.DigestMD5Server.validateClientResponse(Unknown Source)
at com.sun.security.sasl.digest.DigestMD5Server.evaluateResponse(Unknown Source)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:325)
However, when we use the Default option, Openfire offers DIGEST-MD5 to the client and the client can log in.
C2S - RECV (33357483): <stream:stream to="llc-wrk-tst-999" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
C2S - SENT (33357483): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="llc-wrk-tst-999" id="1d6e2ad5" xml:lang="en" version="1.0">
C2S - SENT (33357483): <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism><mechanism>CRAM-MD5</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
C2S - RECV (33357483): <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
C2S - RECV (33357483): <stream:stream to="llc-wrk-tst-999" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
C2S - SENT (33357483): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="llc-wrk-tst-999" id="1d6e2ad5" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism><mechanism>CRAM-MD5</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
C2S - RECV (33357483): <auth mechanism="DIGEST-MD5" xmlns="urn:ietf:params:xml:ns:xmpp-sasl"></auth>
C2S - SENT (33357483): <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">cmVhbG09ImxsYy13cmstdHN0LTk5OSIsbm9uY2U9Ik91QzA4UDVyK1JWKzdMY2V2T3JZV3k4N1UrNEpKcnVDVWVzRnllT2oiLHFvcD0iYXV0aCIsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=</challenge>
C2S - RECV (33357483): <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">Y2hhcnNldD11dGYtOCx1c2VybmFtZT0iYWRtaW4iLHJlYWxtPSJsbGMtd3JrLXRzdC05OTkiLG5vbmNlPSJPdUMwOFA1citSVis3TGNldk9yWVd5ODdVKzRKSnJ1Q1Vlc0Z5ZU9qIixuYz0wMDAwMDAwMSxjbm9uY2U9IncvZCsxVlFEbFhhWWhaSjhpdy9HSG50NlgwRlIxS0RRbTNRWVRlbDIiLGRpZ2VzdC11cmk9InhtcHAvbGxjLXdyay10c3QtOTk5IixtYXhidWY9NjU1MzYscmVzcG9uc2U9NjhlZDUzYzU2ZGNiNjU0NmRiZGExZDdmNWNmZTBiZjIscW9wPWF1dGgsYXV0aHppZD0iYWRtaW4i</response>
C2S - SENT (33357483): <success xmlns="urn:ietf:params:xml:ns:xmpp-sasl">cnNwYXV0aD1iOGIwZTA5ZTQ1ZTA4NjlkM2IzNTFiOTRkNTA1ZDlmMg==</success>
We even tried setting the sasl.mechs property to force DIGEST-MD5. We confirmed that SASL DIGEST-MD5 is enabled on the OpenLDAP server. This also happens when we use Active Directory.
We appreciate any insights that the community has.
Thank you,
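For anyone reading this thread later, the following added example (not Openfire's code and not from the original poster) decodes the DIGEST-MD5 challenge and response from the failing LDAP trace above and walks through the RFC 2831 verification the server has to perform. It makes the underlying constraint visible: to check a DIGEST-MD5 response the verifier must compute MD5("username:realm:password"), so it needs the stored cleartext password (or that specific hash). A backend that can only answer an LDAP bind ("is this password correct?") can check SASL PLAIN but cannot supply what DIGEST-MD5 needs, which is consistent with the "IO error acquiring password ... UnsupportedOperationException" in the stack trace, though that reading of Openfire's LDAP provider is an inference from the trace, not something the post confirms. The password "correct-horse", the cnonce "0123456789abcdef", and the BindOnlyDirectory class are constructed for the example; only qop=auth is implemented.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# Challenge and response copied from the failing LDAP trace in the post above
# (line-wrap whitespace is stripped before decoding).
CHALLENGE_B64 = (
    "cmVhbG09InhtcHAtMS5wbGxjYS5jb20iLG5vbmNlPSJYeFh5TmEvTGM0WXJnYWpWYS9NZjdqZ1NzQk9r"
    "a2FXQjkzd2FMdWsxIixxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz"
)
RESPONSE_B64 = (
    "dXNlcm5hbWU9IjAwMWZmZjMyMDVlZiIscmVhbG09InhtcHAtMS5wbGxjYS5jb20iLG5vbmNlPSJYeFh5"
    "TmEvTGM0WXJnYWpWYS9NZjdqZ1NzQk9ra2FXQjkzd2FMdWsxIixjbm9uY2U9IjAxOWE2MTE0MzE5MjZi"
    "MzczY2FmMjc5MDNmZWJiMDI1IixuYz0wMDAwMDAwMSxxb3A9YXV0aCxkaWdlc3QtdXJpPSJ4bXBwL3ht"
    "cHAtMS5wbGxjYS5jb20iLHJlc3BvbnNlPTVhOGIwYmI0ZTEwZmNkYmJiMTdhY2JhMmZkZGZiYTU5LGNo"
    "YXJzZXQ9dXRmLTg="
)


def parse_sasl_fields(b64: str) -> Dict[str, str]:
    """Base64-decode a DIGEST-MD5 challenge/response and split it into key=value fields.
    Quoted values are unquoted and RFC 2831 backslash escapes inside quotes are undone."""
    raw = base64.b64decode("".join(b64.split())).decode("utf-8")
    fields: Dict[str, str] = {}
    for m in re.finditer(r'([\w-]+)=("(?:[^"\\]|\\.)*"|[^,]*)', raw):
        key, val = m.group(1).lower(), m.group(2)
        if val.startswith('"') and val.endswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])
        fields[key] = val
    return fields


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_response(fields: Dict[str, str], password: str, rspauth: bool = False) -> str:
    """RFC 2831 response value for algorithm=md5-sess, qop=auth.
    The cleartext password enters A1 as MD5("username:realm:password"): a verifier that
    cannot obtain the password (or exactly that 16-byte hash) cannot compute this value."""
    if fields.get("qop", "auth") != "auth":
        raise ValueError("only qop=auth is implemented in this example")
    user_hash = _md5(f"{fields['username']}:{fields.get('realm', '')}:{password}".encode("utf-8"))
    a1 = user_hash + f":{fields['nonce']}:{fields['cnonce']}".encode("utf-8")
    if fields.get("authzid"):
        a1 += f":{fields['authzid']}".encode("utf-8")
    # The server's final rspauth uses an empty method prefix in A2.
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + fields["digest-uri"]
    kd_input = ":".join([_md5hex(a1), fields["nonce"], fields["nc"], fields["cnonce"],
                         "auth", _md5hex(a2.encode("utf-8"))])
    return _md5hex(kd_input.encode("utf-8"))


def build_client_response(challenge: Dict[str, str], username: str, password: str,
                          cnonce: str, digest_uri: str) -> Dict[str, str]:
    """Client side: echo realm/nonce from the challenge, add a cnonce, fill in response."""
    fields = {"username": username, "realm": challenge.get("realm", ""),
              "nonce": challenge["nonce"], "cnonce": cnonce, "nc": "00000001",
              "qop": "auth", "digest-uri": digest_uri, "charset": "utf-8"}
    fields["response"] = digest_md5_response(fields, password)
    return fields


def server_verify(fields: Dict[str, str], stored_password: str) -> Tuple[bool, Optional[str]]:
    """Server side: recompute the response from the stored password and compare in
    constant time.  Returns (ok, rspauth); rspauth is only produced on success."""
    expected = digest_md5_response(fields, stored_password)
    ok = hmac.compare_digest(expected, fields.get("response", "").lower())
    return ok, (digest_md5_response(fields, stored_password, rspauth=True) if ok else None)


class BindOnlyDirectory:
    """Constructed model of a directory that only answers a bind (password check), which is
    enough for SASL PLAIN but not for DIGEST-MD5, since it never releases the password."""

    def __init__(self, users: Dict[str, str]) -> None:
        self._users = users

    def bind(self, username: str, password: str) -> bool:
        return hmac.compare_digest(self._users.get(username, ""), password)

    def get_password(self, username: str) -> str:
        raise NotImplementedError("directory does not release stored passwords")


if __name__ == "__main__":
    ch, rs = parse_sasl_fields(CHALLENGE_B64), parse_sasl_fields(RESPONSE_B64)
    print("challenge:", ch)
    print("response :", rs)
    directory = BindOnlyDirectory({rs["username"]: "correct-horse"})
    try:
        server_verify(rs, directory.get_password(rs["username"]))
    except NotImplementedError as exc:
        print("DIGEST-MD5 verification impossible:", exc)
```

Running it prints the decoded fields from the post (username "001fff3205ef", realm "xmpp-1.pllca.com", nc 00000001, digest-uri "xmpp/xmpp-1.pllca.com") and then shows the bind-only directory refusing the password lookup the verifier needs. That is the practical takeaway for a deployment: with a bind-only LDAP or Active Directory backend the mechanism that can work is PLAIN, which the trace shows the server offering alongside STARTTLS, so the credential is protected by TLS rather than by the digest.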