On 12/08/16 04:39, Jeff Donner wrote:
Hi -- the only way I can get the tools qpid-config and qpid-stat to talk to 
qpidd (the broker) is to turn off SASL, which I do with

  qpidd --auth=no (.. other flags)

Is it advisable / ok to do that, if you otherwise have a good, SSL 
dual-authentication certificate exchange working?
I've tried with SASL on, and using both --sasl-mechanism=PLAIN and 
--sasl-mechanism=EXTERNAL, with no success.

I can leave SASL on and get the same cross-authentication going from a simple 
C++ client (which uses EXTERNAL).

Is this known about the tools - or is there something I'm missing? I've tried 
the tools both with the fully-(SASL)qualified URL, e.g.: 
--broker=amqps://admin/morpho@localhost:5671 and without, and variations. And 
had the database set up I believe properly, too:

# passwords both 'morpho'
  qpidd$ sudo sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
  qpid-admin@QPID: userPassword
  admin@QPID: userPassword

# system SASL + qpidd points to the above db
sasl2$ less /etc/sasl2/qpidd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /var/lib/qpidd/qpidd.sasldb
mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN

I'm happy not to use SASL, I just wonder whether I've missed something.


If you allow ANONYMOUS, that allows someone to connect without authenticating, so I would remove that mech from the mech_list.

For EXTERNAL, you need to have the swigged wrapper for cyrus-sasl[1]. If you don't have that, that could explain why EXTERNAL doesn't work. What error do you get if you try to use EXTERNAL?

For PLAIN, have you verified that the username and password work when connecting over plain TCP (i.e. non-SSL)? Does it work from the C++ client?

Try turning on protocol tracing on the broker (e.g. --log-enable notice+ --log-enable trace+:Protocol) and see what mechanisms the broker is offering.
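
The mech_list advice above can be checked mechanically. The following is an added example, not part of the original thread or of Qpid: it parses a Cyrus SASL application config in the `key: value` form shown in the question and reports which offered mechanisms deserve attention. The function names and the wording of the notes are illustrative, and the sample input is the config posted in the question.

```python
# Constructed sample: the /etc/sasl2/qpidd.conf contents posted in the thread.
SAMPLE_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /var/lib/qpidd/qpidd.sasldb
mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN
"""

# Notes per mechanism (wording is this example's own).
NOTES = {
    "ANONYMOUS": "clients can connect without authenticating; remove it",
    "PLAIN": "password is sent unencrypted unless the connection uses TLS",
    "DIGEST-MD5": "moved to Historic status by RFC 6331",
}


def parse_sasl_conf(text):
    """Return {option: value} from 'key: value' lines, skipping '#' comments."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            options[key.strip().lower()] = value.strip()
    return options


def audit_mech_list(text):
    """Return (offered_mechanisms, findings) for one SASL config file."""
    options = parse_sasl_conf(text)
    if "mech_list" not in options:
        # Cyrus SASL default: with no mech_list, all installed plugins are offered.
        return [], ["mech_list is not set: every installed mechanism is offered"]
    mechs = [m.upper() for m in options["mech_list"].split()]
    findings = [f"{m}: {NOTES[m]}" for m in mechs if m in NOTES]
    return mechs, findings


if __name__ == "__main__":
    mechs, findings = audit_mech_list(SAMPLE_CONF)
    print("offered:", " ".join(mechs))
    for finding in findings:
        print("  -", finding)
```

To audit a live broker host, pass the contents of the real config file to `audit_mech_list` and compare the result with the mechanisms the broker reports in its protocol trace.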

