powered by Jive Software

AD integrated users cannot login randomly

Randomly users are unable to login. They receive a “invalid username/password” when they try but others are logged in just fine. The problem starts after the majority of the users are already on for the day. The following are some of our stats

Windows 2008 R2 server running Openfire 3.7.1

Embedded DB

LDAP integrated using the following

ldap.groupSearchFilter (objectClass=group)(CN=PitSparkUsers)

ldap.searchFilter (&(objectClass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Pit SparkUsers,OU=…)

Also, does Openfire auth to the LDAP server everytime a user logs in or is information cached in the DB?

Authentication credentials are not cached.

What is logged in error.log or warn.log (or even debug.log if you have debug enabled) at the time of the failure? At minimum you’ll see a authentication failure in info.log.

All that we are seeing is the authentication failure.

Can you enable debug and reproduce it?

Is it always for the same users? 100% sure users are not entering incorrect credentials?

I verified with 3 users that they are typing it in correctly and even had them log off their workstations and back on with the same password. There is nothing regarding the failed login in the debug log.

26 of our 60 users logged on this morning with no problem including myself.

The debug log doesn’t even include anything LDAP related?

Correct

ldap.ldapDebugEnabled true

ldap.debugEnabled true

Do Server -> Server Manager -> Logs -> Debug -> Enabled.

That has been enabled already for most of the day. As previously stated no LDAP errors or auth errors.

Every single LDAP lookup should be logged in debug.log when you have ldap debug enabled, along with regular debug logging. Is it not?

is it the same users that can’t log in? Are they all members of the PitSparkUsers Group? Are you nesting other groups within PitSparkUsers, and if so, are the user that can’t sign in, in a nested group?

I don’t think nested groups is the problem. I have nested groups and everything works fine in my side.

It might be related to using special characters in the names of the accounts.

No special characters in user names or nested groups.