Created attachment 571109 [details] Broker's log file. Description of problem: According to the documentation (MIG and MUG), broker should support CRAM-MD5 authentication method. I was unable to connect to the broker using qpid-stat: [root@lzhaldyb-rhel62i ~]# cat /etc/sasl2/qpidd.conf ... mech_list: CRAM-MD5 DIGEST-MD5 ... [root@lzhaldyb-rhel62i ~]# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb john@QPID: userPassword user@QPID: userPassword [root@lzhaldyb-rhel62i ~]# qpid-stat -q --sasl-mechanism=DIGEST-MD5 john/secret@localhost:5672 Queues queue dur autoDel excl msg msgIn msgOut bytes bytesIn bytesOut cons bind ==================================================================================================================== qmfc-v2-hb-lzhaldyb-rhel62i.30399.1 Y Y 0 0 0 0 0 0 1 2 qmfc-v2-lzhaldyb-rhel62i.30399.1 Y Y 0 11 11 0 8.16k 8.16k 1 2 qmfc-v2-ui-lzhaldyb-rhel62i.30399.1 Y Y 0 0 0 0 0 0 1 1 reply-lzhaldyb-rhel62i.30399.1 Y Y 0 71 71 0 32.6k 32.6k 1 2 topic-lzhaldyb-rhel62i.30399.1 Y Y 0 0 0 0 0 0 1 4 [root@lzhaldyb-rhel62i ~]# echo $? 0 [root@lzhaldyb-rhel62i ~]# qpid-stat -q --sasl-mechanism=CRAM-MD5 john/secret@localhost:5672 Failed: ConnectionFailed - (None, 'connection-forced: Authentication failed') [root@lzhaldyb-rhel62i ~]# echo $? 1 [root@lzhaldyb-rhel62i ~]# qpid-stat -q --sasl-mechanism=DIGEST-MD5 user/password@localhost:5672 Queues queue dur autoDel excl msg msgIn msgOut bytes bytesIn bytesOut cons bind ==================================================================================================================== qmfc-v2-lzhaldyb-rhel62i.30423.1 Y Y 0 11 11 0 8.16k 8.16k 1 2 qmfc-v2-ui-lzhaldyb-rhel62i.30423.1 Y Y 0 0 0 0 0 0 1 1 qmfc-v2-hb-lzhaldyb-rhel62i.30423.1 Y Y 0 0 0 0 0 0 1 2 topic-lzhaldyb-rhel62i.30423.1 Y Y 0 0 0 0 0 0 1 4 reply-lzhaldyb-rhel62i.30423.1 Y Y 0 71 71 0 32.6k 32.6k 1 2 [root@lzhaldyb-rhel62i ~]# echo $? 0 [root@lzhaldyb-rhel62i ~]# qpid-stat -q --sasl-mechanism=CRAM-MD5 user/password@localhost:5672 Failed: ConnectionFailed - (None, 'connection-forced: Authentication failed') [root@lzhaldyb-rhel62i ~]# echo $? 1 Version-Release number of selected component (if applicable): RHEL5: python-qpid-0.14-3.el5 python-qpid-qmf-0.14-3.el5 qpid-cpp-client-0.14-10.el5 qpid-cpp-client-devel-0.14-10.el5 qpid-cpp-client-devel-docs-0.14-10.el5 qpid-cpp-client-ssl-0.14-10.el5 qpid-cpp-server-0.14-10.el5 qpid-cpp-server-cluster-0.14-10.el5 qpid-cpp-server-devel-0.14-10.el5 qpid-cpp-server-ssl-0.14-10.el5 qpid-cpp-server-store-0.14-10.el5 qpid-cpp-server-xml-0.14-10.el5 qpid-java-client-0.14-3.el5 qpid-java-common-0.14-3.el5 qpid-java-example-0.14-3.el5 qpid-qmf-0.14-3.el5 qpid-qmf-devel-0.14-3.el5 qpid-tools-0.14-1.el5 RHEL6: python-qpid-0.14-6.el6.noarch python-qpid-qmf-0.14-5.el6.i686 qpid-cpp-client-0.14-12.el6.i686 qpid-cpp-client-devel-0.14-12.el6.i686 qpid-cpp-client-devel-docs-0.14-12.el6.noarch qpid-cpp-server-0.14-12.el6.i686 qpid-cpp-server-devel-0.14-12.el6.i686 qpid-cpp-server-store-0.14-12.el6.i686 qpid-cpp-server-xml-0.14-12.el6.i686 qpid-java-client-0.14-3.el6.noarch qpid-java-common-0.14-3.el6.noarch qpid-java-example-0.14-3.el6.noarch qpid-qmf-0.14-5.el6.i686 qpid-tools-0.14-1.el6.noarch How reproducible: always Steps to Reproduce: 1. Configure broker to use CRAM-MD5 authentication mechanism 2. Try to connect to broker using qpid-stat tool. 3. Actual results: authentication failure Expected results: authentication successful Additional info: Cpp clients seem to be working: [root@lzhaldyb-rhel62i qpidd]# qpid-perftest --count=100 -s --mechanism=CRAM-MD5 --username=user --password=password 2327.52 1044.24 2287.98 2.23436 [root@lzhaldyb-rhel62i qpidd]# echo $? 0
*** Bug 823802 has been marked as a duplicate of this bug. ***
The work here is to establish that it is working on 0.22/2.4.
Works on 0.22 2013-04-25 11:28:16 [Security] info qpid/broker/SaslAuthenticator.cpp:415: SASL: Starting authentication with mechanism: CRAM-MD5 ...and perftest connects & runs to completion. nihil obstat - imprimatur.
Sorry to say, I need to return to ASSIGNED as this defect looks in the same state as in time of defect filling: ... dur:16, tst_cnt:15, err_cnt:0, ecodes:(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0) ================== tstbatch localhost guest guest CRAM-MD5 True ================== 1579 24.2455 751.736 0.734117 Failed: ConnectionError - connection-forced: Authentication failed(320) Failed: ConnectionError: connection-forced: Authentication failed(320) Failed: ConnectionFailed - (None, 'connection-forced: Authentication failed') Message(properties={'spout-id': '8e52ebba-cb30-40ac-bcc3-0b749f11ed05:0'}, content_type='t ext/plain') ===---=== SUMMARY ===---=== dur:17, tst_cnt:20, err_cnt:3, ecodes:(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(1)(1)(1)(0) ... Which means qpid-perftest and python spout are and were functional, however qpid-tools (here qpid-stat and qpid-config) are still failing. -> ASSIGNED
Component corrected to qpid-tools + summary tuned.
Mick, please look at this one again. (In reply to Frantisek Reznicek from comment #6) > Sorry to say, I need to return to ASSIGNED as this defect looks in the same > state as in time of defect filling: > ... > dur:16, tst_cnt:15, err_cnt:0, > ecodes:(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0) > ================== tstbatch localhost guest guest CRAM-MD5 True > ================== > 1579 24.2455 751.736 0.734117 > Failed: ConnectionError - connection-forced: Authentication failed(320) > Failed: ConnectionError: connection-forced: Authentication failed(320) > Failed: ConnectionFailed - (None, 'connection-forced: Authentication failed') > Message(properties={'spout-id': '8e52ebba-cb30-40ac-bcc3-0b749f11ed05:0'}, > content_type='t > ext/plain') > ===---=== SUMMARY ===---=== > dur:17, tst_cnt:20, err_cnt:3, > ecodes:(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(1)(1)(1)(0) > ... > > Which means qpid-perftest and python spout are and were functional, however > qpid-tools (here qpid-stat and qpid-config) are still failing. > > > -> ASSIGNED
Yes, sorry -- I tested with wrong tools before. I see the problem now, with latest packages (see list below ) on both qpid-tool and qpid-config Both of them succeed when using DIGEST-MD5, and both fail when using CRAM-MD5 This was on RHEL 6.4 packages { cyrus-sasl-2.1.23-13.el6_3.1.x86_64 cyrus-sasl-devel-2.1.23-13.el6_3.1.x86_64 cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64 cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64 cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64 cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64 python-qpid-0.22-4.el6.noarch python-qpid-qmf-0.22-7.el6.x86_64 python-saslwrapper-0.22-3.el6.x86_64 qpid-cpp-client-0.22-8.el6.x86_64 qpid-cpp-client-devel-0.22-8.el6.x86_64 qpid-cpp-client-devel-docs-0.22-8.el6.noarch qpid-cpp-client-rdma-0.22-8.el6.x86_64 qpid-cpp-client-ssl-0.22-8.el6.x86_64 qpid-cpp-debuginfo-0.22-8.el6.x86_64 qpid-cpp-server-0.22-8.el6.x86_64 qpid-cpp-server-devel-0.22-8.el6.x86_64 qpid-cpp-server-ha-0.22-8.el6.x86_64 qpid-cpp-server-rdma-0.22-8.el6.x86_64 qpid-cpp-server-ssl-0.22-8.el6.x86_64 qpid-cpp-server-store-0.22-8.el6.x86_64 qpid-cpp-server-xml-0.22-8.el6.x86_64 qpid-cpp-tar-0.22-8.el6.noarch qpid-java-client-0.22-5.el6.noarch qpid-java-common-0.22-5.el6.noarch qpid-java-example-0.22-5.el6.noarch qpid-proton-c-0.4-2.2.el6.x86_64 qpid-proton-c-devel-0.4-2.2.el6.x86_64 qpid-proton-debuginfo-0.4-2.2.el6.x86_64 qpid-qmf-0.22-7.el6.x86_64 qpid-qmf-debuginfo-0.22-7.el6.x86_64 qpid-qmf-devel-0.22-7.el6.x86_64 qpid-snmpd-1.0.0-12.el6.x86_64 qpid-snmpd-debuginfo-1.0.0-12.el6.x86_64 qpid-tests-0.22-4.el6.noarch qpid-tools-0.22-3.el6.noarch saslwrapper-0.22-3.el6.x86_64 saslwrapper-devel-0.22-3.el6.x86_64 }
Whole python client does not support CRAM-MD5 authentication mechanism; try to run the attached client example to reproduce the issue, please.
Created attachment 823997 [details] Python client CRAM-MD5 issue reproducer
Try to run the qmf2_qpid_ctrl.py client, please: # ./qmf2_qpid_ctrl.py --broker guest/guest@<hostname>:5672 --sasl-mechanisms CRAM-MD5 query type=queue name=q The example works with PLAIN, ANONYMOUS and DIGEST-MD5 mechanisms well, but does not work with CRAM-MD5 mechanism.
This product has been discontinued or is no longer tracked in Red Hat Bugzilla.