Interface Login Failed after Active Directory LDAP config

motiv8d · July 19, 2007, 12:58pm

I have installed openfire 3.3.2 onto a Windows 2003 64bit server (It is also an AD server but not the main AD pointed to eg: AD1.companyname…). The web console worked for setup however, after finally finishing the guided setup (tests were positive at each section including AD admin user test) I am unable to log onto the console with the relevantly created AD user “OpenfireAdmin”.

Error is “Login failed: make sure your username and password are correct and that you’'re an admin or moderator.”

I have included the config (albeit with pw and company information removed).

Could someone please give me a hand in fixing this?

Thanks

Motiv8d

Message was edited by: motiv8d

NO_MESSAGES_OR_FRIEN · July 19, 2007, 1:39pm

Is that user a newly created AD user? If so try changing the user to a previously existing account such as your own. The user may not have synced down to the openfire server yet. The other option is to point to your PDC.

motiv8d · July 20, 2007, 3:51am

Thanks mtstravel.

Yes, newly created user, tried with a long term user also with same failure.

There is main AD and a secondary AD, both 2003 server. Have tried pointing to both of these with the same failure.

I wonder if it is something to do with NT domain name vs 2000/2003 type domain name vs DNS.

NT domain: COGS (hence ldap login name is COGS\ldapqueryuser)

2000/2003 domain: COMPANYNAME.COGS

DNS has 3 zones: COGS, companyname.COGS and companyname.com.au)

internal server IPs: 192.168.20.4 (rdns = COGSS1.companyname.com.au) & 192.168.20.6 (rdns = COGSS2.companyname.com.au)

dns entries resolving to 192.168.20.4

COGSS1.companyname.com.au

COGSS1.companyname.cogs

AD1.companyname.com.au

AD1.companyname.cogs

and similar structure for 192.168.20.6

Have also tried using 3268 for the ldap port.

Anything else that you think I could try?

Thanks

Motiv8d

Rob_Ansaldo · July 20, 2007, 10:39am

Try using the complete DN of the user for adminDN. Have you looked in the error log?

motiv8d · July 20, 2007, 12:17pm

Thanks but “2007.07.20 01:19:39 Admin console: Using RSA certificates but they are not valid for the hosted domain” is the only error that could seem related.

However it is now working.

I dont know what is coincidence but I performed the following:

changed the setup in the xml to false
rerun the setup (used same parameters)
moved the open fire admin users to another OU, then moved them back
changed the setup in the xml to false again
rerun the setup again (used same parameters)

Makes no sense to me why it is now working though

Ta for the help.

Motiv8d

NO_MESSAGES_OR_FRIEN · July 20, 2007, 3:28pm

The certificates error is important. You should regenerate those certificates.

motiv8d · July 23, 2007, 5:15am

Hi mtstravel. Thanks for the certs info. Web interface is working. However, I am only able to connect from a jabber client (psi) when “plain text authentication” is selected. SSL will not work, a certificate is presented at connection which says that the cert is in valid date range but it says also “This cert is not valid”.

I have removed the certs and gone through the setup procedure twice again with the same result.

The log from openfire shows:

2007.07.22 23:58:25 User tried to authenticate with this server using an unknown receipient:

2007.07.22 23:58:55 HTTP binding: Using RSA certificates but they are not valid for the hosted domain

2007.07.22 23:58:57 HTTP binding: Using RSA certificates but they are not valid for the hosted domain

The AD domain name is: COMPANYNAME.COGS

Old NT domain name is: COGS

Jabber is installed on an AD server for which:

The servername is: COGSS2

Listed in DNS for this server is:

COGSS2.companyname.com.au, jabber1.companyname.com.au,

COGSS2.companyname.cogs, jabber1.companyname.cogs,

The name of the jabber server when trying to connect from client is eg: ldapqueryuser@jabber1.companyname.com.au

for which plain text authentication works and SSL does not.

Any ideas of what I could try?

Thanks again.

NO_MESSAGES_OR_FRIEN · July 23, 2007, 12:26pm

Can you login to the adim interface to see your settings?

Please verify the following:

Server Settings: Server Name: jabber1.companyname.com.au or jabber1.companyname.cogs

Server Certificates:

*.jabber1.companyname.com.au (jabber1.companyname.com.au_rsa)

*.jabber1.companyname.com.au (jabber1.companyname.com.au_dsa) or

*.jabber1.companyname.cogs (jabber1.companyname.cogs_rsa)

*.jabber1.companyname.cogs (jabber1.companyname.cogs_dsa)

The server FQDN should be the same domain as the certificates. Delete the certificates if they do not match and regenerate them. If you are not using self signed certs then make sure the server name matches the certificates.

Then fill out all relevent info in the Signing Request.