
UnboundID LDAP DIGEST-MD5 binding causes NPE


I'm getting the following error when I try to bind using DIGEST-MD5 against ApacheDS using UnboundID LDAP SDK. I already tested the connection using simple bind with UnboundID and Apache Shiro so the ApacheDS is working.

LDAPException(resultCode=82 (local error), errorMessage='Unable to create a subsequent DIGEST-MD5 SASL request:  NullPointerException(trace='processChallenge(DigestMD5Client.java:339) / evaluateChallenge(DigestMD5Client.java:207) / processSASLBind(SASLHelper.java:149) / process(DIGESTMD5BindRequest.java:406) / bind(LDAPConnection.java:1837) / main(UnboundDemo.java:38)', revision=15579)')
    at com.unboundid.ldap.sdk.SASLHelper.processSASLBind(SASLHelper.java:154)
    at com.unboundid.ldap.sdk.DIGESTMD5BindRequest.process(DIGESTMD5BindRequest.java:406)
    at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:1837)
    at com.mizar.ldap.UnboundDemo.main(UnboundDemo.java:38)
Caused by: java.lang.NullPointerException
    at com.sun.security.sasl.digest.DigestMD5Client.processChallenge(DigestMD5Client.java:339)
    at com.sun.security.sasl.digest.DigestMD5Client.evaluateChallenge(DigestMD5Client.java:207)
    at com.unboundid.ldap.sdk.SASLHelper.processSASLBind(SASLHelper.java:149)
    ... 3 more

I followed the example in the JavaDoc and my sample test code looks like this:

LDAPConnection conn;
BindResult bindResult;
DIGESTMD5BindRequest mdBind;  
try {
  conn = new LDAPConnection("1.1.1.1",389);
  mdBind = new DIGESTMD5BindRequest("dn:uid=someuser,ou=dev,dc=blah,dc=com", "test");
  bindResult = conn.bind(mdBind);
  System.out.println("MD5 bind success!");
}
catch (Exception e) {
  e.printStackTrace();
}

Solution

  • It looks like this exception is originating in the JDK's code for handling SASL processing rather than in the LDAP SDK itself. Based on a version of the source for the com.sun.security.sasl.digest.DigestMD5Client class that I was able to find (http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/com/sun/security/sasl/digest/DigestMD5Client.java), it looks like this is a problem in which a realm was required to complete the bind processing but none was made available. If you switch to using one of the DIGESTMD5BindRequest constructors that takes a realm, and provide an appropriate value for the realm (which you may need to find from your directory administrator), then you should be able to make the bind succeed.

    I have just committed a change to the LDAP SDK support for the CRAM-MD5, DIGEST-MD5, and GSSAPI SASL mechanisms so that it will hopefully provide a more useful message if this kind of problem should arise in the future.
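
An added example (not code from the original answer or from the UnboundID project) of the fix described above: it uses the DIGESTMD5BindRequest constructor that takes a realm, first checks that the server advertises DIGEST-MD5, and separates the client-side "local error" from a server-side rejection. The host name, realm value and the LDAP_BIND_PASSWORD environment variable are placeholders assumed for illustration.

```java
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.DIGESTMD5BindRequest;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.RootDSE;

public class DigestMd5RealmBind {
  public static void main(String[] args) {
    String host = "ldap.example.com";   // placeholder host
    String authId = "dn:uid=someuser,ou=dev,dc=blah,dc=com";
    String realm = "example.com";       // placeholder: must match the server's SASL realm
    // Hypothetical variable name; keeps the password out of the source file.
    String password = System.getenv("LDAP_BIND_PASSWORD");
    if (password == null) {
      System.err.println("LDAP_BIND_PASSWORD is not set");
      return;
    }

    LDAPConnection conn = null;
    try {
      conn = new LDAPConnection(host, 389);

      // Confirm the mechanism is advertised before attempting the SASL bind.
      RootDSE rootDSE = conn.getRootDSE();
      if (rootDSE == null || !rootDSE.supportsSASLMechanism("DIGEST-MD5")) {
        System.err.println("Server does not advertise DIGEST-MD5");
        return;
      }

      // Constructor with an explicit realm (authorization ID left null).
      DIGESTMD5BindRequest bind =
          new DIGESTMD5BindRequest(authId, null, password, realm);
      BindResult result = conn.bind(bind);
      System.out.println("DIGEST-MD5 bind: " + result.getResultCode());
    } catch (LDAPException e) {
      if (ResultCode.LOCAL_ERROR.equals(e.getResultCode())) {
        // Result code 82: the failure happened in client-side SASL processing.
        System.err.println("Client-side SASL failure: " + e.getMessage());
      } else if (ResultCode.INVALID_CREDENTIALS.equals(e.getResultCode())) {
        System.err.println("Server rejected the credentials or realm");
      } else {
        System.err.println("Bind failed: " + e.getResultCode());
      }
    } finally {
      if (conn != null) { conn.close(); }
    }
  }
}
```

DIGEST-MD5 was moved to Historic status by RFC 6331, so where the directory allows it, a simple bind over TLS or another SASL mechanism is the more durable choice.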