AD-integrated users cannot log in randomly

Randomly, users are unable to log in. They receive an “invalid username/password” when they try, but others are logged in just fine. The problem starts after the majority of the users are already on for the day. The following are some of our stats:

Windows 2008 R2 server running Openfire 3.7.1

Embedded DB

LDAP integrated using the following

ldap.groupSearchFilter (objectClass=group)(CN=PitSparkUsers)

ldap.searchFilter (&(objectClass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Pit SparkUsers,OU=…)

Also, does Openfire auth to the LDAP server every time a user logs in, or is information cached in the DB?
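A quick syntax check on the two filter strings quoted above is worth doing before looking for anything more exotic. As shown on the page, the group search filter is two parenthesized items side by side with no enclosing `(&...)`, which is not one complete RFC 4515 filter (that wrapper may simply have been lost when the post was pasted). The user filter uses `memberOf:1.2.840.113556.1.4.1941:=`, AD's LDAP_MATCHING_RULE_IN_CHAIN, which is what makes nested group membership resolve transitively. The small parser below is an added example, not Openfire's own code; it parses a filter into a tree and reports where it stops making sense. The DN in `NESTED_GROUP_FILTER` is a constructed stand-in, since the real OU path is elided on the page.

```python
"""Syntax check for RFC 4515 LDAP search filters.

Added example, not Openfire's own code. It parses a filter string into a small
tree so you can confirm that the value you put in ldap.groupSearchFilter or
ldap.searchFilter is one complete filter before Openfire hands it to the LDAP
server. Limitations (deliberate, to keep it short): values are taken verbatim,
so ')' inside a value must be escaped as \\29 per the RFC, and the attribute-less
extensible match form '(:rule:=value)' is not supported.
"""
import re

# One filter item: attr[:dn][:matchingRule](=|~=|>=|<=|:=)value
ITEM_RE = re.compile(
    r"^(?P<attr>[A-Za-z][A-Za-z0-9.;-]*)"
    r"(?::(?P<dn>dn))?"
    r"(?::(?P<rule>[A-Za-z0-9.]+))?"
    r"(?P<op>:=|~=|>=|<=|=)"
    r"(?P<value>.*)$"
)

# AD's LDAP_MATCHING_RULE_IN_CHAIN: transitive (nested) group membership.
IN_CHAIN_RULE = "1.2.840.113556.1.4.1941"

# Constructed stand-in for the user filter on the page; the real OU path is
# elided there, so the DN here is an assumption for illustration only.
NESTED_GROUP_FILTER = (
    "(&(objectClass=organizationalPerson)"
    "(memberOf:" + IN_CHAIN_RULE + ":=CN=PitSparkUsers,OU=Groups,DC=example,DC=com))"
)


class FilterError(ValueError):
    """Raised with the offset and reason when a filter is malformed."""


def parse_filter(text):
    """Parse a complete filter; raise FilterError on leftover or malformed text."""
    tree, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"trailing data at offset {pos}: {text[pos:]!r}")
    return tree


def _parse(text, pos):
    """Recursive descent over one parenthesized filter starting at text[pos]."""
    if pos >= len(text) or text[pos] != "(":
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise FilterError("unterminated filter")
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children:
            raise FilterError(f"'{op}' needs at least one operand at offset {pos}")
        node = (op, children)
    elif op == "!":
        child, pos = _parse(text, pos + 1)
        node = ("!", [child])
    else:
        end = text.find(")", pos)
        if end == -1:
            raise FilterError(f"missing ')' for item starting at offset {pos}")
        m = ITEM_RE.match(text[pos:end])
        if not m:
            raise FilterError(f"bad filter item {text[pos:end]!r} at offset {pos}")
        if m.group("rule") and m.group("op") != ":=":
            raise FilterError(f"matching rule requires ':=' at offset {pos}")
        node = ("item", m.group("attr"), m.group("rule"), m.group("op"), m.group("value"))
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise FilterError(f"expected ')' at offset {pos}")
    return node, pos + 1


def check_filter(text):
    """Return 'ok' or the parser's error message without raising."""
    try:
        parse_filter(text)
        return "ok"
    except FilterError as exc:
        return str(exc)


def uses_in_chain_rule(tree):
    """True if any item in the tree uses the AD in-chain (nested group) rule."""
    if tree[0] == "item":
        return tree[2] == IN_CHAIN_RULE
    return any(uses_in_chain_rule(child) for child in tree[1])


if __name__ == "__main__":
    for f in ["(objectClass=group)(CN=PitSparkUsers)",   # as shown on the page
              "(&(objectClass=group)(CN=PitSparkUsers))",
              NESTED_GROUP_FILTER]:
        print(f"{check_filter(f):<45} {f}")
    print("nested-group rule used:", uses_in_chain_rule(parse_filter(NESTED_GROUP_FILTER)))
```

Run it as-is to see the group filter from the page rejected with "trailing data" after the first item, and the `(&...)`-wrapped form accepted; paste your own `ldap.searchFilter` into the list to check it the same way.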

Authentication credentials are not cached.

What is logged in error.log or warn.log (or even debug.log if you have debug enabled) at the time of the failure? At minimum you’ll see an authentication failure in info.log.

All that we are seeing is the authentication failure.

Can you enable debug and reproduce it?

Is it always for the same users? 100% sure users are not entering incorrect credentials?

I verified with 3 users that they are typing it in correctly and even had them log off their workstations and back on with the same password. There is nothing regarding the failed login in the debug log.

26 of our 60 users logged on this morning with no problem including myself.
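The two questions asked above, whether it is always the same users and whether the failures cluster after most people are already on, are easiest to answer from info.log itself rather than from memory. The script below is an added example, not Openfire code. The line format it matches is an assumption for illustration (a `YYYY.MM.DD HH:MM:SS` timestamp at the start of the line, followed somewhere by `authentication failed for: <user>`), and the sample lines are constructed; adjust `FAIL_RE` to the exact wording in your own info.log before relying on the counts.

```python
"""Tally Openfire authentication failures by user and by hour.

Added example, not Openfire code. The line shape matched below is ASSUMED for
illustration: a 'YYYY.MM.DD HH:MM:SS' timestamp at the start of the line and
the text 'authentication failed for: <user>' later on it. Point FAIL_RE at the
exact wording in your own info.log before trusting the counts.
"""
import re
from collections import Counter, defaultdict

FAIL_RE = re.compile(
    r"^(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<hour>\d{2}):\d{2}:\d{2}"
    r".*?authentication failed for: (?P<user>\S+)"
)

# Constructed sample input (not real log output); '...' stands for whatever
# logger/thread text precedes the message.
SAMPLE_LOG = """\
2013.06.24 07:58:03 ... authentication failed for: bsmith
2013.06.24 09:41:12 ... authentication failed for: bsmith
2013.06.24 09:43:50 ... authentication failed for: cjones
2013.06.24 09:44:07 ... authentication failed for: cjones
2013.06.24 09:50:31 ... some unrelated info line
2013.06.24 10:02:19 ... authentication failed for: bsmith
2013.06.24 10:15:44 ... authentication failed for: akhan
2013.06.25 09:37:21 ... authentication failed for: bsmith
2013.06.25 09:39:05 ... authentication failed for: dlee
"""


def parse_failures(lines):
    """Yield (date, hour, user) for every line that records an auth failure."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield m.group("date"), m.group("hour"), m.group("user")


def summarize(lines):
    """Answer the two diagnostic questions: same users? clustered in time?"""
    by_user = Counter()
    by_hour = Counter()
    days_per_user = defaultdict(set)
    for date, hour, user in parse_failures(lines):
        by_user[user] += 1
        by_hour[hour] += 1
        days_per_user[user].add(date)
    return {
        "by_user": dict(by_user),
        "by_hour": dict(by_hour),
        # users who failed on more than one day: the 'always the same users?' check
        "repeat_users": sorted(u for u, days in days_per_user.items() if len(days) > 1),
    }


def main(path=None):
    """Summarize a real info.log if a path is given, else the constructed sample."""
    if path:
        with open(path, encoding="utf-8", errors="replace") as fh:
            result = summarize(fh)
    else:
        result = summarize(SAMPLE_LOG.splitlines())
    for key, value in result.items():
        print(f"{key}: {value}")
    return result


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with the path to info.log as the only argument. A short `repeat_users` list with high per-user counts points at something specific to those accounts; a `by_hour` peak that lines up with the time most of the office has signed on points at load or timing on the LDAP side instead.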

The debug log doesn’t even include anything LDAP related?

Correct

ldap.ldapDebugEnabled true

ldap.debugEnabled true

Do Server -> Server Manager -> Logs -> Debug -> Enabled.

That has been enabled already for most of the day. As previously stated no LDAP errors or auth errors.

Every single LDAP lookup should be logged in debug.log when you have ldap debug enabled, along with regular debug logging. Is it not?

Is it the same users that can’t log in? Are they all members of the PitSparkUsers group? Are you nesting other groups within PitSparkUsers, and if so, are the users that can’t sign in in a nested group?

I don’t think nested groups are the problem. I have nested groups and everything works fine on my side.

It might be related to using special characters in the names of the accounts.

No special characters in user names or nested groups.