I am trying to get Jive working with our AD/LDAP infrastructure for authentication and shared contact list(s).
However, our AD structure is a bit more complicated than most - we have a forest with multiple domains (one per office). So:
nighthawkrad.net - top level domain, no users/groups/computers/etc
xxx.nighthawkrad.net - child domains - one per office - actual user accounts, groups, etc are in these.
What I want to do - and have successfully tested in the past with nssldap - is to point Jive at the top-level DCs (for the nighthawkrad.net domain) to authenticate users that are actually in the child domains (xxx.nighthawkrad.net) by following the LDAP referrals.
The reason I want to do this is so that people's Jabber IDs can be identical to their email addresses and thus easier to remember/figure out (users get a user@nighthawkrad.net email address, the xxx subdomains are "behind the scenes" and they shouldn't have to worry about them).
However, while Jive appears to find the referrals, it doesn't appear to follow them. I have the following config:
Which gives the following output in the debug log when I try to login with a JID of csmith@nighthawkrad.net:
2005.12.01 12:24:56 Loading plugin search
2005.12.01 12:24:58 Connect Socket[addr=/172.25.253.244,port=2287,localport=5222]
2005.12.01 12:24:58 Trying to find a user's DN based on their username. sAMAccountName: csmith, Base DN: dc=nighthawkrad,dc=net…
2005.12.01 12:24:58 Creating a DirContext in LdapManager.getContext()…
2005.12.01 12:24:58 Created hashtable with context values, attempting to create context…
2005.12.01 12:24:58 … context created successfully, returning.
2005.12.01 12:24:58 Starting LDAP search…
2005.12.01 12:24:58 … search finished
2005.12.01 12:25:01 In LdapManager.checkAuthentication(userDN, password), userDN is: ldap://syd.nighthawkrad.net:389/CN=Christopher%20Smith,OU=IT,OU=Domain%20Users, DC=syd,DC=nighthawkrad,DC=net…
2005.12.01 12:25:01 Created context values, attempting to create context…
2005.12.01 12:25:01 Created context values, attempting to create context…
2005.12.01 12:25:01 Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.
It works perfectly - I can login as csmith@syd.nighthawkrad.net. So "generally" LDAP authentication works - it's the referrals aspect that is broken.
I assume this is a bug; however, if it's expected behaviour, can anyone advise if my overall objective (allowing users that are actually in child domains in AD to be in a single Jabber domain, and still auth to AD) is achievable?
CS
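The log above shows the core problem: the search against the top-level DCs returns an LDAP URL (`ldap://syd.nighthawkrad.net:389/CN=...`) rather than a plain DN, and that whole URL is then handed to the bind as if it were the DN, so the child-domain DC answers with error 49 / data 525 (no such object). The following is an added example, not code from the original post or from Jive/Openfire, showing what a referral-aware client has to do instead: recognise the referral, parse the host, port and percent-encoded DN out of it (RFC 4516 URL form), check that the referred host is actually inside the forest before sending credentials to it, and only then bind against that host with the extracted DN. `fake_bind`, `FAKE_FOREST`, `bind_user` and the sample referral are constructed stand-ins for the real directory connection; a real deployment would replace `fake_bind` with an actual bind over TLS.

```python
import re
from dataclasses import dataclass
from typing import Callable, Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample, modelled on the referral-style "DN" in the debug log:
# the search on the top-level DCs returned an LDAP URL, not a plain DN.
SAMPLE_REFERRAL = (
    "ldap://syd.nighthawkrad.net:389/CN=Christopher%20Smith,OU=IT,"
    "OU=Domain%20Users, DC=syd,DC=nighthawkrad,DC=net"
)


@dataclass(frozen=True)
class LdapReferral:
    host: str
    port: int
    dn: str
    use_tls: bool


def is_ldap_url(value: str) -> bool:
    """True when a search result is a referral URL rather than a DN."""
    return value.lower().startswith(("ldap://", "ldaps://"))


def normalize_dn(dn: str) -> str:
    """Drop whitespace around unescaped RDN separators; an escaped '\\,' stays."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(r.strip() for r in rdns)


def parse_referral(url: str) -> LdapReferral:
    """Split an RFC 4516 LDAP URL into host, port and the percent-decoded DN."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"referral without a host: {url!r}")
    port = parts.port or (636 if scheme == "ldaps" else 389)
    dn = normalize_dn(unquote(parts.path.lstrip("/")))
    if not dn:
        raise ValueError(f"referral without a DN: {url!r}")
    return LdapReferral(parts.hostname, port, dn, scheme == "ldaps")


# Signature of the real bind: (host, port, dn, password) -> authenticated?
BindFn = Callable[[str, int, str, str], bool]


def bind_user(
    user_ref: str,
    password: str,
    bind: BindFn,
    default_host: str,
    forest_suffix: str,
    default_port: int = 389,
) -> Tuple[bool, str]:
    """Authenticate a user whose search result may be a referral URL.

    A referral tells the client to send the user's credentials to another
    server, so the referred host must be checked against the forest's DNS
    suffix before any bind is attempted. Returns (authenticated, host used).
    """
    if not is_ldap_url(user_ref):
        return bind(default_host, default_port, normalize_dn(user_ref), password), default_host
    ref = parse_referral(user_ref)
    if not (ref.host == forest_suffix or ref.host.endswith("." + forest_suffix)):
        raise ValueError(f"refusing referral outside the forest: {ref.host}")
    return bind(ref.host, ref.port, ref.dn, password), ref.host


# Constructed stand-in for the forest: the child-domain DC holds the account,
# the top-level DC does not. Replace fake_bind with a real TLS bind in practice.
FAKE_FOREST = {
    (
        "syd.nighthawkrad.net",
        "CN=Christopher Smith,OU=IT,OU=Domain Users,DC=syd,DC=nighthawkrad,DC=net",
    ): "correct-horse",
}


def fake_bind(host: str, port: int, dn: str, password: str) -> bool:
    # A DN the server does not hold fails exactly like binding with the raw
    # URL did in the log (error 49, data 525): unknown DN, bind rejected.
    return FAKE_FOREST.get((host, dn)) == password


if __name__ == "__main__":
    # Naive client: hands the referral URL to the top-level DC as the DN.
    print("raw URL as DN:", fake_bind("nighthawkrad.net", 389, SAMPLE_REFERRAL, "correct-horse"))
    # Referral-aware client: binds to syd.nighthawkrad.net with the real DN.
    print("followed referral:", bind_user(SAMPLE_REFERRAL, "correct-horse", fake_bind,
                                          "nighthawkrad.net", "nighthawkrad.net"))
```

The suffix check matters because a referral is an instruction to bind somewhere else: a client that follows every referral it is given will send the user's password to whatever host the directory names, so constrain it to the forest and use `ldaps://` (or StartTLS) on the referred connection.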