The digest-uri does not match any LDAP SPN's registered for this server

Question

My goal is to authenticate an "Active Directory's User" using SASL with the DIGEST-MD5 mechanism from a Ubuntu's terminal.

I typed the following command:

ldapsearch -H ldap://test.my.company:389 -b "DC=test,DC=my,DC=company" -D "CN=Aron Herrera,CN=Users,DC=test,DC=my,DC=company" -U aron -w "my-password" -Y DIGEST-MD5

And I got:

SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
    additional info: 80090303: LdapErr: DSID-0C0904B2, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v1db0

Could you give me any information (links, tutorials, docs) to get my goal ?

Thanks in advance.

Answer 1

I have recently stumbled into the same problem. After torturing my brain for some hours I went and captured some packets using Wireshark. The problem you, and I, are having is related to the way ldapsearch handles the digest-uri.

First it does a DNS lookup on test.my.company (obviously) and uses the IP obtained to build the digest-uri. It ends like this: ldap/10.10.10.10 (for example). This is not what your AD server expects.

If you use ldp.exe to examine the machine holding the Active Directory role you will see an LDAP attribute called serviceProviderName. It does look like ldap/test.my.company (plus other variations), but none of these have the IP in it.

Some have suggested adding a PTR to your DNS server to the test.my.company server. It did not work for me. Other tried adding a new SPN (serviceProviderName) to the AD machine LDAP attribute (I would not do this if my life depended on it).

I think this has something to do with how ldapsearch is implemented. The same test performed with Apache's Directory Studio went fine.