powered by Jive Software

AD/LDAP - Jive not following referrals?

I am trying to get Jive working with our AD/LDAP infrastructure for authentication and shared contact list(s).

However, our AD structure is a bit more complicated than most - we have a forest with multiple domains (one per office). So:

nighthawkrad.net - top level domain, no users/groups/computers/etc

xxx.nighthawkrad.net - child domains - one per office - actual user accounts, groups, etc are in these.

What I want to do - and have successfully tested in the past with nssldap - is to point Jive at the top-level DCs (for the nighthawkrad.net domain) to authenticate users that are actually in the child domains (xxx.nighthawkrad.net) by following the LDAP referrals.

The reason I want to do this is so that people’‘s Jabber IDs can be identical to their email addresses and thus easier to remember/figure out (users get a user@nighthawkrad.net email address, the xxx subdomains are “behind the scenes” and they shouldn’'t have to worry about them).

However, while Jive appears to find the referrals, it doesn’'t appear to follow them. I have the following config:

Which gives the following output in the debug log when I try to login with a JID of csmith@nighthawkrad.net:

2005.12.01 12:24:56 Loading plugin search

2005.12.01 12:24:58 Connect Socket[addr=/,port=2287,localport=5222]

2005.12.01 12:24:58 Trying to find a user’'s DN based on their username. sAMAccountName: csmith, Base DN: dc=nighthawkrad,dc=net…

2005.12.01 12:24:58 Creating a DirContext in LdapManager.getContext()…

2005.12.01 12:24:58 Created hashtable with context values, attempting to create context…

2005.12.01 12:24:58 … context created successfully, returning.

2005.12.01 12:24:58 Starting LDAP search…

2005.12.01 12:24:58 … search finished

2005.12.01 12:25:01 In LdapManager.checkAuthentication(userDN, password), userDN is: ldap://syd.nighthawkrad.net:389/CN=Christopher%20Smith,OU=IT,OU=Domain%20Users, DC=syd,DC=nighthawkrad,DC=net…

2005.12.01 12:25:01 Created context values, attempting to create context…

2005.12.01 12:25:01 Created context values, attempting to create context…

2005.12.01 12:25:01 Caught a naming exception when creating InitialContext

javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.

It works perfectly - I can login as csmith@syd.nighthawkrad.net. So “generally” LDAP authentication works - it’'s the referrals aspect that is broken.

I assume this is a bug, however, if it’'s expected behaviour, can anyone advise if my overall objective (allowing users that are actually in child domains in AD to be in a single Jabber domain, and still auth to AD) is achievable ?


I have found a workaround, based on the info in this post:


If I set the port as suggested, to the GC port:

I can now login with usernames in the xxx.nighthawkrad.net subdomains.

(Now for some LDAP rosters !)

Jive developers:

I would still consider the previosly observed and explained behaviour, when using port 389, of Jive apparently not following LDAP referrals to be a bug. If you would like my assistance to debug and fix it, since I have a multi-domain environment and the Jabber environment is still in develpment, I’'d be happy to help in any way I can.