DIGEST-MD5 Authentication not working.

  • 7003006
  • 14-Apr-2009
  • 13-Jan-2014

Environment

Novell eDirectory 8.7 for All Platforms
Novell eDirectory 8.8 for All Platforms
NetIQ eDirectory 8.8 for All Platforms
Novell Modular Authentication Service
NMAS
Open Enterprise Server
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 1

Situation

After installing eDirectory 8.x everything seemed to work. However, when an LDAP bind or an NMAS login used DIGEST-MD5 as the authentication method, LDAP error 49 (invalidCredentials) or NMAS error -1663 was returned. These errors indicate that no simple password has been assigned to the user object that is logging in.
DIGEST-MD5 authentication not working: when an LDAP bind is made using DIGEST-MD5, the client receives error 49 and the LDAP server trace shows the attribute holding the simple password to be missing (-603 is eDirectory's NO_SUCH_ATTRIBUTE):
Error: Failed to authenticate full context on connection 0x000000, err = no such attribute (-603)

Resolution

Install the latest version of NMAS.  For DIGEST-MD5 authentication to work, both the Digest-MD5 AND the Simple Password login methods must be installed and configured, and a simple password MUST be assigned to the user object that is used to bind or authenticate.

NOTE:  The simple password does not have to match the user's regular eDirectory password; it is a separate credential.

As soon as both the Simple Password and the Digest-MD5 methods are installed and the user object has been assigned a simple password, LDAP binds with DIGEST-MD5 should work.

NOTE:  To test with LDAPSEARCH using DIGEST-MD5, you need an ldapsearch tool that supports the SASL DIGEST-MD5 mechanism.  The LDAPSEARCH tool bundled with eDirectory does not.  The OpenLDAP client tools (www.openldap.org) do, provided they are built against Cyrus SASL with the DIGEST-MD5 plugin installed.
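Why a separate simple password is needed at all, and what the ldapsearch test above actually exchanges (with OpenLDAP the mechanism is selected with -Y DIGEST-MD5): DIGEST-MD5 (RFC 2831) requires the server to compute H(username:realm:password), so it must hold either the clear password or that password-equivalent hash. A directory password stored only as a one-way hash cannot be used, which is why the Simple Password method must be installed and a simple password assigned. The following is an added illustration, not part of this TID or of NetIQ's code; the realm, nonces, user, password, digest-uri and the two store classes are constructed sample values and hypothetical names.

```python
"""Added example, not from the TID or from NetIQ: the SASL DIGEST-MD5 (RFC 2831,
qop=auth) arithmetic for client and server, showing why the server must hold a
password-equivalent credential (the role eDirectory's Simple Password plays) and
why a one-way password hash alone cannot satisfy a DIGEST-MD5 bind.  Realm,
nonces, user, password and digest-uri used below are constructed sample values."""
import hashlib
import hmac
import re


def _hh(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_challenge(challenge: str) -> dict:
    """Split a digest-challenge into a dict; values may be quoted or bare."""
    pat = re.compile(r'([A-Za-z][\w-]*)=(?:"([^"]*)"|([^,]*))')
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in pat.finditer(challenge)}


def urp_hash(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): what RFC 2831 2.1.2.1 lets a server store in
    place of the clear password.  It is password-equivalent for this realm; a
    salted one-way hash of the password cannot be turned into it."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def _kd(urp, nonce, cnonce, nc, qop, digest_uri, authzid, method):
    """HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))) per RFC 2831 2.1.2.1."""
    a1 = urp + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = f"{method}:{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    return _hh(f"{_hh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hh(a2)}".encode("utf-8"))


def client_response(urp, nonce, cnonce, nc, qop, digest_uri, authzid=None):
    return _kd(urp, nonce, cnonce, nc, qop, digest_uri, authzid, "AUTHENTICATE")


def server_rspauth(urp, nonce, cnonce, nc, qop, digest_uri, authzid=None):
    """rspauth differs only in A2, whose method part is empty: ":" digest-uri."""
    return _kd(urp, nonce, cnonce, nc, qop, digest_uri, authzid, "")


class SimplePasswordStore:
    """Server side holding a clear (password-equivalent) credential per user,
    the role the Simple Password method plays in eDirectory (hypothetical store)."""

    def __init__(self, realm, passwords):
        self.realm = realm
        self.passwords = passwords  # username -> simple password

    def verify(self, username, nonce, cnonce, nc, qop, digest_uri, response, authzid=None):
        """rspauth on success, None on failure (what LDAP reports as result 49)."""
        pw = self.passwords.get(username)
        if pw is None:  # no simple password assigned: nothing to digest against
            return None
        urp = urp_hash(username, self.realm, pw)
        expected = client_response(urp, nonce, cnonce, nc, qop, digest_uri, authzid)
        if not hmac.compare_digest(expected, response):
            return None
        return server_rspauth(urp, nonce, cnonce, nc, qop, digest_uri, authzid)


class OneWayHashStore:
    """Server side that kept only salted one-way hashes.  It can check a clear
    password (a simple bind) but cannot recompute H(user:realm:pass), so every
    DIGEST-MD5 bind fails regardless of what the client sends."""

    def __init__(self, passwords, salt=b"demo-salt"):
        self.salt = salt
        self.hashes = {u: hashlib.sha256(salt + p.encode("utf-8")).hexdigest()
                       for u, p in passwords.items()}

    def check_clear(self, username, password):
        h = hashlib.sha256(self.salt + password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(self.hashes.get(username, ""), h)

    def verify(self, username, *args, **kwargs):
        return None  # H(user:realm:pass) is not derivable from a one-way hash


def run_exchange(store, username, password, challenge, digest_uri, cnonce="c1i3ntN0nce"):
    """One qop=auth round trip; returns (authenticated, response-value)."""
    ch = parse_challenge(challenge)
    nc = "00000001"
    urp = urp_hash(username, ch["realm"], password)
    resp = client_response(urp, ch["nonce"], cnonce, nc, ch["qop"], digest_uri)
    rsp = store.verify(username, ch["nonce"], cnonce, nc, ch["qop"], digest_uri, resp)
    # The client checks rspauth, so a server cannot simply claim success.
    ok = rsp is not None and hmac.compare_digest(
        rsp, server_rspauth(urp, ch["nonce"], cnonce, nc, ch["qop"], digest_uri))
    return ok, resp
```

With a SimplePasswordStore that has a password for the user, run_exchange authenticates; with an empty store (no simple password assigned), a wrong password, or a OneWayHashStore, the server returns None and the bind fails, which is the error 49 path described above. The arithmetic follows RFC 2831 section 2.1.2.1 and can be checked against the worked example in section 4 of that RFC.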

Additional Information

In this case, the customer had installed the DIGEST-MD5 method but had not configured the Simple Password method alongside it; both must be installed.  NMAS is installed together with eDirectory on UNIX/Linux platforms, but not all of the authentication methods are installed and configured by default.  The NMAS documentation at https://www.netiq.com/documentation/nmas33/ describes how to install the various methods.  On UNIX/Linux platforms, follow the information on nmasinst -i in that documentation.

You can add the login methods from the Linux command line (nmasinst), from ConsoleOne, or from iManager.  The command line usage of nmasinst is as follows:

          nmasinst -i <admin context> <treename> -h <ServerIpAddress> <port number>

E.g.  nmasinst -i admin.novell Linux_tree  -h 192.100.100.135 398

          nmasinst -addmethod <admin context> <treename> <config.txt file path>  -h <ServerIpAddress> <port number>

E.g.  nmasinst -addmethod admin.novell Linux_tree /code/nmas/md5/config.txt  -h 192.100.100.135  398

The NMAS installation has an NMASMethods directory with a subdirectory for each of the methods you can install.  If you use the UNIX/Linux command line tool nmasinst to add methods, the method's directory (for example digestmd5) must be present on the local disk.  It contains the .lmo files as well as the config.txt file, and nmasinst -addmethod needs that directory to be available in order to work properly.
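A preflight wrapper for the nmasinst steps above, as an added example that is not part of this TID or of NetIQ's tooling: it checks that each method directory holds config.txt and at least one .lmo file before building (or running) the nmasinst -addmethod command in the syntax shown above, since a missing or incomplete method directory is the usual reason the command fails. The directory layout <root>/<method>/, the simplepassword directory name, and the DRY_RUN and METHODS_ROOT variables are assumptions; digestmd5 is the directory name this TID uses.

```shell
#!/bin/sh
# Added example (not from the TID or from NetIQ): preflight the NMASMethods
# directories that nmasinst -addmethod needs, then build or run the command
# in the TID's syntax:
#   nmasinst -addmethod <admin context> <treename> <config.txt path> -h <ip> <port>
# Assumptions: methods live in <root>/<method>/ (digestmd5 is named in the TID,
# simplepassword is our guess at the other directory name); DRY_RUN=1 prints
# the commands instead of executing them.

# check_method_dir DIR -> 0 if DIR holds config.txt and at least one .lmo
check_method_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing method directory: $dir" >&2; return 1
    fi
    if [ ! -f "$dir/config.txt" ]; then
        echo "no config.txt in $dir" >&2; return 1
    fi
    set -- "$dir"/*.lmo          # an unmatched glob stays literal, so -f fails
    if [ ! -f "$1" ]; then
        echo "no .lmo files in $dir" >&2; return 1
    fi
    return 0
}

# addmethod_cmd ADMIN_CTX TREE SERVER PORT DIR -> prints the nmasinst line
addmethod_cmd() {
    printf 'nmasinst -addmethod %s %s %s -h %s %s\n' "$1" "$2" "$5/config.txt" "$3" "$4"
}

# install_methods ADMIN_CTX TREE SERVER PORT ROOT METHOD... -> 0 only if every
# method directory passed preflight (and, unless DRY_RUN=1, nmasinst succeeded)
install_methods() {
    admin=$1; tree=$2; server=$3; port=$4; root=$5
    shift 5
    rc=0
    for m in "$@"; do
        if ! check_method_dir "$root/$m"; then
            rc=1
            continue
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            addmethod_cmd "$admin" "$tree" "$server" "$port" "$root/$m"
        else
            nmasinst -addmethod "$admin" "$tree" "$root/$m/config.txt" -h "$server" "$port" || rc=1
        fi
    done
    return $rc
}

# Stand-alone use: METHODS_ROOT=/code/nmas DRY_RUN=1 sh preflight.sh
# (the admin context, tree, address and port default to the TID's examples)
if [ -n "${METHODS_ROOT:-}" ]; then
    install_methods "${ADMIN_CTX:-admin.novell}" "${TREE:-Linux_tree}" \
        "${SERVER:-192.100.100.135}" "${PORT:-398}" "$METHODS_ROOT" digestmd5 simplepassword
fi
```

Run it once with DRY_RUN=1 to see the two commands it would issue and to catch a missing .lmo or config.txt before touching the tree; then rerun without DRY_RUN to add both methods.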

The NMAS snap-ins must be installed for ConsoleOne and iManager.
To find the proper snap-ins, go to the dl.netiq.com web page, change the search to KEYWORD, type SNAP-IN and press Enter.  This lists all the available snap-ins, from which you can download the FullNMAS Snap-In.

Once the snap-ins are installed, you can configure the NMAS login methods as described in the NMAS 3.3 documentation.  For this issue, make sure you install the Simple Password and Digest-MD5 methods.
Formerly known as TID# 10080726

Change Log

Mon Jan 13 11:55:43 MST 2014 - Rance Burker - Updated links and tid info