Changed LDAP attribute in Web Config and now cannot log in

Openfire Openfire Support
1

Hello,

I recently was trying to get my already working LDAP configuration to use “userPrincipalName” as the username field rather than the already set “sAMAccountName” attribute. After I set this attribute and restarted OpenFire, I was unable to log in any longer as any user OR as admin.

I would really like to fix this without reconfiguring everything from scratch…is there a way to modify the setting to use the “sAMAccountName” attribute in LDAP rather than the new “userPrincipleName” ? Basically, I need to hack my way into admin console somehow so that I can either change the LDAP settings to be correct again.

My config is:

Server: Windows 2008 R2

Openfire Version: 3.10.2

I have looked at previous posts relating to this issue, and I have seen suggestions to modify attributes in “conf/openfire.xml” but these attributes do not exist, in fact there are no attributes that are unique in this file at all. When I initially set things up before I changed the config to LDAP, I chose to use the integrated database setup and not MySQL or any other database.

Is there any thing I can do to restore this configuration?

Please help, thank you!

2

OK I fixed this myself using the same way that everyone in the forums has done:

  • modify /conf/openfire.xml

  • change setup=true to setup=false

  • re-run LDAP setup ** Note: When you click TEST, after it succeeds, the fields are cleared, so you must populate them again (base dn and admin cn).

  • Ensure that username is set to sAMAccountName

  • Add additional admins and click TEST to make sure that LDAP auth works

  • Save config and re-login – ALL SETTINGS ARE PRESERVED, EXCEPT if you added a signed cert (which I did), setup adds and binds a SELF-SIGNED-CERT … but does not remove the SIGNED CERT. I simply deleted the (2) self signed certs (RSA & DSA), restarted the web server, and everything was back.

If anyone knows how I could have repaired this WITHOUT re-running setup, that would be great … it seems that a lot of people have had this issue, and it’s a little frustrating to have to repair this way, but at least the settings were preserved.

Also, my main reason for changing this was to try to enable the username field to be ‘userPrincipleName’ from LDAP (which we always have set to the user’s email address). If anyone knows of a way to set LDAP to use this, it would be helpful.

I hope this helps anyone else that breaks LDAP!