
Inconsistent Authentication Errors

All,

I am experiencing some odd errors when trying to authenticate with Active Directory. When I use a fat client such as Spark, I am able to authenticate any user I throw in it. A successful login looks like this:

2009.09.15 23:08:13 LdapManager: Trying to find a user’s DN based on their username. sAMAccountName: john.doe, Base DN: dc=domain-inc,dc=net…
2009.09.15 23:08:13 LdapManager: Creating a DirContext in LdapManager.getContext()…
2009.09.15 23:08:13 LdapManager: Created hashtable with context values, attempting to create context…
2009.09.15 23:08:13 LdapManager: … context created successfully, returning.
2009.09.15 23:08:13 LdapManager: Starting LDAP search…
2009.09.15 23:08:13 LdapManager: … search finished
2009.09.15 23:08:13 LdapManager: In LdapManager.checkAuthentication(userDN, password), userDN is: CN=“John Doe”,OU=“Employees”,OU=“Domain Users”…
2009.09.15 23:08:13 LdapManager: Created context values, attempting to create context…
2009.09.15 23:08:13 LdapManager: … context created successfully, returning.
2009.09.15 23:08:13 AuthorizationManager: Trying Default Mapping.map(john.doe)
2009.09.15 23:08:13 DefaultAuthorizationMapping: No realm found
2009.09.15 23:08:13 AuthorizationManager: Trying Default Policy.authorize(john.doe , john.doe)
2009.09.15 23:08:13 DefaultAuthorizationPolicy: Checking authenID realm
2009.09.15 23:08:13 LdapManager: Trying to find a user’s DN based on their username. sAMAccountName: john.doe, Base DN: dc=domain-inc,dc=net…
2009.09.15 23:08:13 LdapManager: Creating a DirContext in LdapManager.getContext()…
2009.09.15 23:08:13 LdapManager: Created hashtable with context values, attempting to create context…
2009.09.15 23:08:13 LdapManager: … context created successfully, returning.
2009.09.15 23:08:13 LdapManager: Starting LDAP search…
2009.09.15 23:08:13 LdapManager: … search finished
2009.09.15 23:08:13 LdapManager: Trying to find a user’s DN based on their username. sAMAccountName: john.doe, Base DN: dc=domain-inc,dc=net…
2009.09.15 23:08:13 LdapManager: Creating a DirContext in LdapManager.getContext()…
2009.09.15 23:08:13 LdapManager: Created hashtable with context values, attempting to create context…
2009.09.15 23:08:13 LdapManager: … context created successfully, returning.
2009.09.15 23:08:13 LdapManager: Starting LDAP search…
2009.09.15 23:08:13 LdapManager: … search finished
2009.09.15 23:08:13 LdapManager: Creating a DirContext in LdapManager.getContext()…
2009.09.15 23:08:13 LdapManager: Created hashtable with context values, attempting to create context…
2009.09.15 23:08:13 LdapManager: … context created successfully, returning.

Now I also have installed a module within Drupal to connect to the server. I have tested this with the administrator account for the Openfire installation and it works (using AD like the john.doe name). When I try to log in with the john.doe account (or any other account aside from the admin) it throws an error saying passwords are mismatched and to sync with the server. The Openfire logs show this:

2009.09.15 23:04:23 LdapManager: Trying to find a user’s DN based on their username. sAMAccountName: john.doe, Base DN: dc=domain-inc,dc=net…
2009.09.15 23:04:23 LdapManager: Creating a DirContext in LdapManager.getContext()…
2009.09.15 23:04:23 LdapManager: Created hashtable with context values, attempting to create context…
2009.09.15 23:04:23 LdapManager: … context created successfully, returning.
2009.09.15 23:04:23 LdapManager: Starting LDAP search…
2009.09.15 23:04:23 LdapManager: … search finished
2009.09.15 23:04:23 LdapManager: In LdapManager.checkAuthentication(userDN, password), userDN is: CN=“John Doe”,OU=“Employees”,OU=“Domain Users”…
2009.09.15 23:04:23 LdapManager: Created context values, attempting to create context…
2009.09.15 23:04:23 LdapManager: Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
at org.jivesoftware.openfire.ldap.LdapManager.checkAuthentication(LdapManager.java:536)
at org.jivesoftware.openfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:115)
at org.jivesoftware.openfire.auth.AuthFactory.authenticate(AuthFactory.java:158)
at org.jivesoftware.openfire.handler.IQAuthHandler.login(IQAuthHandler.java:245)
at org.jivesoftware.openfire.handler.IQAuthHandler.handleIQ(IQAuthHandler.java:168)
at org.jivesoftware.openfire.handler.IQHandler.process(IQHandler.java:49)
at org.jivesoftware.openfire.IQRouter.handle(IQRouter.java:351)
at org.jivesoftware.openfire.IQRouter.route(IQRouter.java:101)
at org.jivesoftware.openfire.spi.PacketRouterImpl.route(PacketRouterImpl.java:68)
at org.jivesoftware.openfire.SessionPacketRouter.route(SessionPacketRouter.java:100)
at org.jivesoftware.openfire.SessionPacketRouter.route(SessionPacketRouter.java:61)
at org.jivesoftware.openfire.http.HttpSession.sendPendingPackets(HttpSession.java:611)
at org.jivesoftware.openfire.http.HttpSessionManager$HttpPacketSender.run(HttpSessionManager.java:373)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)

As in the successful login, I can see that the search in LDAP was successful, but it failed to create any context for the user and threw an LDAP 49 error code. Again, I must reiterate that this account works fine on a fat client, but not within the thin client. I took a look at this thread (http://www.igniterealtime.org/community/message/119944) but my account does not have a comma in it. It does have a “.”, but I am curious to know why that would be an issue on the thin client when the fat client can log in without trouble. Anyone have any ideas of what it could be?
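The two log excerpts above are the useful part of this post: Openfire first binds with its own service account to find the user's DN (the "Starting LDAP search" / "search finished" pair), then binds a second time as that DN with the password the client supplied (checkAuthentication). In the failing case the first step succeeds and the second is rejected with LDAP result 49, and the "data 52e" field is Active Directory's sub-code for "wrong password for an existing user" (as opposed to 525 user not found, 533 disabled, 775 locked out, and so on). Because a bind-based backend needs the cleartext password to perform that second bind, a client that sends anything else produces exactly this pattern. The script below is an added example, not code from the poster or from the Openfire project; it parses log text in the shape shown above, pulls the AD sub-code out of the javax.naming message, and says which of the two binds failed. The sample log lines are constructed from the excerpts in the post, and the sub-code table is Microsoft's documented set of AcceptSecurityContext values.

```python
"""Classify Openfire/JNDI LDAP bind failures by their Active Directory sub-code.

Added example, not the poster's or the Openfire project's code. It reads
LdapManager log text in the shape shown in the post above.
"""
import re
from typing import Dict, Optional

# Microsoft's documented sub-codes in the "data NNN" field of an
# AcceptSecurityContext error (LDAP result 49 = invalidCredentials).
AD_BIND_SUBCODES: Dict[str, str] = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password for an existing user)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the message JNDI puts in javax.naming.AuthenticationException.
_JNDI_ERR = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]{8}): "
    r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9a-fA-F]+)"
)

# Constructed sample logs, modelled on the two excerpts in the post.
GOOD_LOGIN = """\
2009.09.15 23:08:13 LdapManager: Starting LDAP search...
2009.09.15 23:08:13 LdapManager: ... search finished
2009.09.15 23:08:13 LdapManager: In LdapManager.checkAuthentication(userDN, password), userDN is: CN="John Doe",OU="Employees",OU="Domain Users"...
2009.09.15 23:08:13 LdapManager: Created context values, attempting to create context...
2009.09.15 23:08:13 LdapManager: ... context created successfully, returning.
"""

FAILED_LOGIN = """\
2009.09.15 23:04:23 LdapManager: Starting LDAP search...
2009.09.15 23:04:23 LdapManager: ... search finished
2009.09.15 23:04:23 LdapManager: In LdapManager.checkAuthentication(userDN, password), userDN is: CN="John Doe",OU="Employees",OU="Domain Users"...
2009.09.15 23:04:23 LdapManager: Created context values, attempting to create context...
2009.09.15 23:04:23 LdapManager: Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece]
"""


def parse_jndi_ldap_error(line: str) -> Optional[Dict[str, str]]:
    """Extract code, DSID, comment and AD sub-code from a javax.naming message."""
    m = _JNDI_ERR.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["meaning"] = AD_BIND_SUBCODES.get(d["data"].lower(), "unknown sub-code")
    return d


def analyze_openfire_auth_log(text: str) -> Dict[str, object]:
    """Walk one login attempt and record which of the two binds succeeded.

    The service-account bind and DN search come first; only lines after the
    checkAuthentication marker belong to the bind as the user's own DN.
    """
    result: Dict[str, object] = {"dn_lookup_ok": False, "user_bind_ok": False, "error": None}
    in_user_bind = False
    for line in text.splitlines():
        if "search finished" in line:
            result["dn_lookup_ok"] = True
        elif "checkAuthentication(userDN, password)" in line:
            in_user_bind = True
        elif in_user_bind and "context created successfully" in line:
            result["user_bind_ok"] = True
        elif in_user_bind:
            err = parse_jndi_ldap_error(line)
            if err:
                result["error"] = err
    return result


def diagnosis(summary: Dict[str, object]) -> str:
    """Turn the summary into the sentence an operator actually needs."""
    if not summary["dn_lookup_ok"]:
        return "DN search failed: check the service-account DN/password and base DN"
    if summary["user_bind_ok"]:
        return "user bind succeeded"
    err = summary["error"]
    if err is None:
        return "no bind result recorded for the user DN"
    if err["code"] == "49" and err["data"] == "52e":
        # DN resolved, so the account exists; only the password that reached
        # the server was wrong. A bind needs the cleartext password, so look
        # at what the client sends rather than at the directory.
        return "user DN resolved but the password presented to AD was rejected (52e)"
    return f"bind rejected: LDAP {err['code']} / AD data {err['data']} = {err['meaning']}"


if __name__ == "__main__":
    for name, log in (("fat client", GOOD_LOGIN), ("thin client", FAILED_LOGIN)):
        print(f"{name}: {diagnosis(analyze_openfire_auth_log(log))}")
```

Run against the two constructed excerpts it reports a successful bind for the first and "user DN resolved but the password presented to AD was rejected (52e)" for the second, which is the distinction that matters here: the directory knows the account, so the difference between the clients is in the credential they send, not in the LDAP configuration.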

Just an update to this issue. I switched from LDAP to just using the standard database authentication and I still have no luck. One account can sign on (mine), but no one else can for whatever reason. I am not an admin, so that rules out a few issues there. Other users seem to get a not authorized when in some cases I have made them admins just for testing. None of this makes sense at all to me.

I have found what may be the problem…

Looking at the thin client (XWchat) I can see that my name that works passes my password in the clear to the chat server. However, if I use a test name I can see that the password seems to be encoded in some sort of way and that looks like it is causing the authentication error. I am not certain why one name in particular will pass the password correctly while the other will encode or change it in some fashion.