Authentication Failure - LDAP - Ensure PLAIN SASL mechanism is exclusively used

Hi,

We have a new cluster (on-premise), 7.6.1 build 3200. We created users in LDAP and added them in the Security section.
Encryption : None
Contact LDAP Host: Credentials

Test User Authentication is fine.

However, the application is throwing the following error:

Authentication Failure - Potential causes: invalid credentials or if LDAP is enabled ensure PLAIN SASL mechanism is exclusively used on the PasswordAuthenticator (insecure) or TLS is used (recommended)

How do we ensure that the PLAIN SASL mechanism is enabled? Is it enabled in the application/WAS, or in Couchbase Server/LDAP?

Regards,
Fahim

Please show the client code you are using - including the connection string. And the complete exception including the stack trace.

Hi mreiche,

Thanks for your response. We discovered that the users are LDAP. When LDAP authentication is enabled in Couchbase, it requires the PLAIN SASL mechanism for security reasons, while the application was trying to use a different mechanism (SCRAM-SHA).

Changing users to local (couchbase) solved the problem.
To enable LDAP users in the cluster, code-level changes are also required while connecting.

Thanks,
Fahim

For anyone who stumbles across this thread in the future, there are two ways to ensure SASL PLAIN is used:

A. Use a secure connection. Enable TLS by prefixing the connection string with couchbases:// – note the final ‘s’.

OR

B. Use an LDAP-compatible authenticator. Here’s what that looks like with the Couchbase Java SDK:

Cluster cluster = Cluster.connect(
  connectionString,
  ClusterOptions.clusterOptions(
    PasswordAuthenticator.ldapCompatible(username, password)
  )
);

Caution: An LDAP-compatible authenticator sends the password in cleartext (that’s what SASL PLAIN means) even if the connection is insecure.

2 Likes
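
An added example, not part of the replies above and not Couchbase's own code: it combines options A and B by choosing the authenticator from the connection string scheme and refusing the cleartext LDAP-compatible path unless it is explicitly allowed. The class name, the CB_* environment variable names and the host name are assumptions, and the cluster certificate is assumed to be trusted by the SDK already.

```java
import com.couchbase.client.core.env.Authenticator;
import com.couchbase.client.core.env.PasswordAuthenticator;
import com.couchbase.client.java.Cluster;
import com.couchbase.client.java.ClusterOptions;
import java.time.Duration;
import java.util.Locale;

// Hypothetical helper class; not part of the Couchbase SDK.
public class LdapConnect {

  // True when the connection string asks for TLS (option A).
  static boolean usesTls(String connectionString) {
    return connectionString.trim().toLowerCase(Locale.ROOT).startsWith("couchbases://");
  }

  // Picks the authenticator for an LDAP-backed user and fails closed when the
  // only way to authenticate would send the password unencrypted.
  static Authenticator authenticatorFor(String connectionString, String username,
                                        String password, boolean allowCleartext) {
    if (usesTls(connectionString)) {
      // Option A: over TLS the standard authenticator is enough.
      return PasswordAuthenticator.create(username, password);
    }
    if (!allowCleartext) {
      throw new IllegalStateException(
          "LDAP user on a non-TLS connection: use couchbases:// or opt in explicitly");
    }
    // Option B: SASL PLAIN without TLS; the password is readable on the network.
    return PasswordAuthenticator.ldapCompatible(username, password);
  }

  public static void main(String[] args) {
    // Constructed sample values; the variable names and host are assumptions.
    String connectionString =
        System.getenv().getOrDefault("CB_CONNSTR", "couchbases://cb.example.internal");
    String username = System.getenv("CB_USER");
    String password = System.getenv("CB_PASSWORD");
    boolean allowCleartext = Boolean.parseBoolean(System.getenv("CB_ALLOW_CLEARTEXT_LDAP"));

    Cluster cluster = Cluster.connect(connectionString, ClusterOptions.clusterOptions(
        authenticatorFor(connectionString, username, password, allowCleartext)));
    try {
      // Connecting is lazy; waiting here surfaces an authentication failure early.
      cluster.waitUntilReady(Duration.ofSeconds(10));
      System.out.println("Cluster ready for user " + username);
    } finally {
      cluster.disconnect();
    }
  }
}
```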
