"invalid credentials" on LDAP authentication

Hi all!

I have problems with LDAP authentication to a Lotus Domino server (v7.01). The bind with the configured AdminDN (in the is working properly, and the LDAP server is returning the matching entry. But the credentials seem to be wrong. Here is an extract from the debug output of the Domino server:

10/30/2006 11:05:23.73 AM LDAP CIServ Listen> Connection Accepted on Port 389 for Session 1A45000E

10/30/2006 11:05:23.73 AM LDAP> InitForSearch

10/30/2006 11:05:23.73 AM LDAP> InitForSearch

10/30/2006 11:05:23.73 AM LDAP> BERGetTag State

10/30/2006 11:05:23.73 AM LDAP> BERGetLeadingLengthByte State

10/30/2006 11:05:23.73 AM LDAP> BERGetNext State

10/30/2006 11:05:23.73 AM LDAP> Bind State

10/30/2006 11:05:23.73 AM LDAP> Groups for name admin:

10/30/2006 11:05:23.73 AM LDAP> *

10/30/2006 11:05:23.73 AM LDAP> Successful bind, user admin authenticated as admin

10/30/2006 11:05:23.73 AM LDAP> Return Result State (Bind operation)

10/30/2006 11:05:23.73 AM LDAP> StateReturnResult returning resultCode 0 (Success)

10/30/2006 11:05:23.73 AM LDAP> SendBufferFree

10/30/2006 11:05:23.73 AM LDAP> InitForSearch

10/30/2006 11:05:23.76 AM LDAP> BERGetTag State

10/30/2006 11:05:23.76 AM LDAP> BERGetLeadingLengthByte State

10/30/2006 11:05:23.76 AM LDAP> BERGetNext State

10/30/2006 11:05:23.76 AM LDAP> Search State

10/30/2006 11:05:23.76 AM LDAP> ***** Start search request processing *****

10/30/2006 11:05:23.76 AM LDAP> Scope: SUBTREE

10/30/2006 11:05:23.76 AM LDAP> Dereference Aliases: 3

10/30/2006 11:05:23.76 AM LDAP> TimeLimit: 0

10/30/2006 11:05:23.76 AM LDAP> SizeLimit: 0

10/30/2006 11:05:23.76 AM LDAP> Attributes to return:

10/30/2006 11:05:23.76 AM LDAP> uid

10/30/2006 11:05:23.76 AM LDAP> Base:

10/30/2006 11:05:23.76 AM LDAP> Filter: (uid=admin)

10/30/2006 11:05:23.76 AM LDAP> Found entry in LDAP QR Cache.

10/30/2006 11:05:23.76 AM LDAP> ***** Count of search entries returned (total): 1 *****

10/30/2006 11:05:23.76 AM LDAP> Return Result State (Search operation)

10/30/2006 11:05:23.76 AM LDAP> StateReturnResult returning resultCode 0 (Success)

10/30/2006 11:05:23.80 AM LDAP> SendBufferFree

10/30/2006 11:05:23.80 AM LDAP> InitForSearch

10/30/2006 11:05:23.80 AM LDAP> BERGetTag State

10/30/2006 11:05:23.80 AM LDAP> BERGetLeadingLengthByte State

10/30/2006 11:05:23.80 AM LDAP> BERGetNext State

10/30/2006 11:05:23.81 AM LDAP> UnBind State

10/30/2006 11:05:23 AM LDAP Server: 192.168.0.26 connected

10/30/2006 11:05:23.81 AM LDAP CIServ Listen> Connection Accepted on Port 389 for Session 1AD60009

10/30/2006 11:05:23.81 AM LDAP> InitForSearch

10/30/2006 11:05:23.81 AM LDAP> InitForSearch

10/30/2006 11:05:23.81 AM LDAP> BERGetTag State

10/30/2006 11:05:23.81 AM LDAP> BERGetLeadingLengthByte State

10/30/2006 11:05:23.82 AM LDAP> BERGetNext State

10/30/2006 11:05:23.82 AM LDAP> Bind State

10/30/2006 11:05:23 AM LDAP Server: 192.168.0.26 disconnected

10/30/2006 11:05:23 AM LDAP Server: 192.168.0.26 connected

10/30/2006 11:05:23.95 AM LDAP> Return Result State (Bind operation)

10/30/2006 11:05:23.95 AM LDAP> StateReturnResult returning resultCode 49 (Invalid credentials)

10/30/2006 11:05:24 AM LDAP Server: Warning: Invalid credentials specified on Bind request, DN is “admin”,

10/30/2006 11:05:24.22 AM LDAP> SendBufferFree

10/30/2006 11:05:24.22 AM LDAP> InitForSearch

10/30/2006 11:05:24 AM LDAP Server: 192.168.0.26 disconnected

Password for the user admin is correct. I can log in to the Domino server with it! And the bind is also working (user admin is authenticated). But why can't I log in with the same user and password to the admin console? Please help!

Thanks in advance!
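The Domino trace above contains two separate connections: the first binds as the configured admin account and runs the (uid=admin) search, the second is the bind that comes back with resultCode 49. Reading that by eye across forty lines is error-prone, so here is a small triage script that groups the trace by session and reports the outcome of each bind. It is an added example, not part of the original thread and not Domino or Wildfire code; the log lines embedded in it are a constructed, condensed copy of the ones quoted above, and the session/result line formats it matches are assumed from those quoted lines only.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a condensed version of the Domino 7 LDAP debug output quoted in
# the post. Session 1 is the service-account bind plus the uid search, session 2 is
# the bind that returned resultCode 49. Not the poster's original log.
SAMPLE_LOG = """\
10/30/2006 11:05:23.73 AM LDAP CIServ Listen> Connection Accepted on Port 389 for Session 1A45000E
10/30/2006 11:05:23.73 AM LDAP> Bind State
10/30/2006 11:05:23.73 AM LDAP> Successful bind, user admin authenticated as admin
10/30/2006 11:05:23.73 AM LDAP> StateReturnResult returning resultCode 0 (Success)
10/30/2006 11:05:23.76 AM LDAP> Filter: (uid=admin)
10/30/2006 11:05:23.76 AM LDAP> StateReturnResult returning resultCode 0 (Success)
10/30/2006 11:05:23.81 AM LDAP> UnBind State
10/30/2006 11:05:23.81 AM LDAP CIServ Listen> Connection Accepted on Port 389 for Session 1AD60009
10/30/2006 11:05:23.82 AM LDAP> Bind State
10/30/2006 11:05:23.95 AM LDAP> StateReturnResult returning resultCode 49 (Invalid credentials)
10/30/2006 11:05:24 AM LDAP Server: Warning: Invalid credentials specified on Bind request, DN is "admin",
"""

# Line shapes assumed from the quoted trace (Domino's exact format may vary by version).
SESSION_RE = re.compile(r"Connection Accepted on Port (\d+) for Session ([0-9A-Fa-f]+)")
RESULT_RE = re.compile(r"returning resultCode (\d+) \(([^)]*)\)")
BIND_OK_RE = re.compile(r"Successful bind, user (\S+) authenticated as (\S+)")
# Accept straight or typographic quotes around the DN, as both appear in copied logs.
BIND_WARN_RE = re.compile('Invalid credentials specified on Bind request, DN is ["\u201c]([^"\u201d]*)["\u201d]')
FILTER_RE = re.compile(r"Filter: (\(.*\))")


@dataclass
class Session:
    session_id: str
    port: str
    bind_user: Optional[str] = None     # name Domino reported on a successful bind
    bind_result: Optional[int] = None   # resultCode of the bind operation
    bind_message: str = ""
    failed_dn: Optional[str] = None     # DN named in the "Invalid credentials" warning
    filters: List[str] = field(default_factory=list)


def parse_domino_log(text: str) -> List[Session]:
    """Group a Domino LDAP debug trace by session and record each session's bind outcome."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    awaiting_bind_result = False   # True between "Bind State" and the next resultCode line
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = Session(session_id=m.group(2), port=m.group(1))
            sessions.append(current)
            awaiting_bind_result = False
            continue
        if current is None:
            continue
        if line.rstrip().endswith("Bind State") and "UnBind" not in line:
            awaiting_bind_result = True
            continue
        m = BIND_OK_RE.search(line)
        if m:
            current.bind_user = m.group(2)
            continue
        m = RESULT_RE.search(line)
        if m and awaiting_bind_result:
            # Only the first resultCode after "Bind State" belongs to the bind;
            # later ones belong to search operations on the same session.
            current.bind_result = int(m.group(1))
            current.bind_message = m.group(2)
            awaiting_bind_result = False
            continue
        m = BIND_WARN_RE.search(line)
        if m:
            current.failed_dn = m.group(1)
            continue
        m = FILTER_RE.search(line)
        if m:
            current.filters.append(m.group(1))
    return sessions


def failed_binds(sessions: List[Session]) -> List[Session]:
    """Sessions whose bind returned a non-zero LDAP result code."""
    return [s for s in sessions if s.bind_result not in (None, 0)]


def summarize(sessions: List[Session]) -> List[str]:
    """One human-readable line per session."""
    out = []
    for s in sessions:
        if s.bind_result == 0:
            out.append(f"session {s.session_id}: bind OK as {s.bind_user}, searches={s.filters}")
        elif s.bind_result is None:
            out.append(f"session {s.session_id}: no bind result seen")
        else:
            out.append(f"session {s.session_id}: bind FAILED code {s.bind_result} "
                       f"({s.bind_message}) for DN {s.failed_dn!r}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(parse_domino_log(SAMPLE_LOG))))
```

Run against the sample, the summary shows the admin bind and search succeeding on session 1A45000E and the bind on session 1AD60009 failing with code 49 for the DN "admin", which is exactly the split the thread goes on to discuss: the service-account step works, the second bind does not.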

Could you include your Wildfire conf file so we can better see what's going on.

Thanks

My conf file

<?xml version="1.0" encoding="UTF-8"?>

9090

9091

admin,jabber

en

OK, great. Could you also include the debug log?

To enable place this toward the end of your config:

The log lives in the log directory off the wildfire root.

Sure! Output from the debug:

2006.10.30 16:11:55 Created new LdapManager() instance, fields:

host: notes1.schuemann.net

port: 389

usernamefield: uid

baseDN:

alternateBaseDN: null

nameField: cn

emailField: mail

adminDN: admin

adminPassword: XXX

searchFilter: null

subTreeSearch:true

ldapDebugEnabled: false

sslEnabled: false

initialContextFactory: com.sun.jndi.ldap.LdapCtxFactory

connectionPoolEnabled: true

autoFollowReferrals: false

groupNameField: cn

groupMemberField: member

groupDescriptionField: description

posixMode: false

groupSearchFilter: null

2006.10.30 16:11:57 Found vcard mapping: ‘’

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute cn

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute mail

2006.10.30 16:11:57 VCardTemplate: found attribute displayName

2006.10.30 16:11:57 VCardTemplate: found attribute uid

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute homePostalAddress

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute postalAddress

2006.10.30 16:11:57 VCardTemplate: found attribute l

2006.10.30 16:11:57 VCardTemplate: found attribute st

2006.10.30 16:11:57 VCardTemplate: found attribute postalCode

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute homePhone

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute telephoneNumber

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute mobile

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute pager

2006.10.30 16:11:57 VCardTemplate: found attribute title

2006.10.30 16:11:57 VCardTemplate: found attribute

2006.10.30 16:11:57 VCardTemplate: found attribute departmentNumber

2006.10.30 16:11:57 attributes size==16

2006.10.30 16:12:02 Loading plugin admin

2006.10.30 16:12:13 Loading plugin registration

2006.10.30 16:12:14 Loading plugin search

2006.10.30 16:13:14 Trying to find a user's DN based on their username. uid: admin, Base DN: …

2006.10.30 16:13:14 Creating a DirContext in LdapManager.getContext()…

2006.10.30 16:13:14 Created hashtable with context values, attempting to create context…

2006.10.30 16:13:15 … context created successfully, returning.

2006.10.30 16:13:15 Starting LDAP search…

2006.10.30 16:13:15 … search finished

2006.10.30 16:13:15 In LdapManager.checkAuthentication(userDN, password), userDN is: CN=“admin”…

2006.10.30 16:13:15 Created context values, attempting to create context…

2006.10.30 16:13:15 Caught a naming exception when creating InitialContext

javax.naming.AuthenticationException: [LDAP: error code 49 - Failed, invalid credentials for “admin”,]

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.(Unknown Source)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)

at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)

at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)

at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)

at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)

at javax.naming.InitialContext.init(Unknown Source)

at javax.naming.InitialContext.(Unknown Source)

at javax.naming.directory.InitialDirContext.(Unknown Source)

at org.jivesoftware.wildfire.ldap.LdapManager.checkAuthentication(LdapManager.java:443)

at org.jivesoftware.wildfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:98)

at org.jivesoftware.wildfire.auth.AuthFactory.authenticate(AuthFactory.java:156)

at org.jivesoftware.wildfire.admin.login_jsp._jspService(login_jsp.java:137)

at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)

at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:428)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:830)

at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:39)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:821)

at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:65)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:821)

at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:41)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:821)

at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:69)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:821)

at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:821)

at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:471)

at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:568)

at org.mortbay.http.HttpContext.handle(HttpContext.java:1530)

at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.java:633)

at org.mortbay.http.HttpContext.handle(HttpContext.java:1482)

at org.mortbay.http.HttpServer.service(HttpServer.java:909)

at org.mortbay.http.HttpConnection.service(HttpConnection.java:816)

at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:982)

at org.mortbay.http.HttpConnection.handle(HttpConnection.java:833)

at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)

at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:357)

at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)

2006.10.30 16:13:15

org.jivesoftware.wildfire.auth.UnauthorizedException: org.jivesoftware.wildfire.auth.UnauthorizedException: Username and password don't match

at org.jivesoftware.wildfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:109)

at org.jivesoftware.wildfire.auth.AuthFactory.authenticate(AuthFactory.java:156)

at org.jivesoftware.wildfire.admin.login_jsp._jspService(login_jsp.java:137)

at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)

at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:428)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:830)

at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:39)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:821)

at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:65)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:821)

at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:41)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:821)

at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:69)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:821)

at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:821)

at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:471)

at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:568)

at org.mortbay.http.HttpContext.handle(HttpContext.java:1530)

at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.java:633)

at org.mortbay.http.HttpContext.handle(HttpContext.java:1482)

at org.mortbay.http.HttpServer.service(HttpServer.java:909)

at org.mortbay.http.HttpConnection.service(HttpConnection.java:816)

at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:982)

at org.mortbay.http.HttpConnection.handle(HttpConnection.java:833)

at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)

at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:357)

at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)

Caused by: org.jivesoftware.wildfire.auth.UnauthorizedException: Username and password don't match

at org.jivesoftware.wildfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:99)

… 28 more

I am unfamiliar with your flavor of LDAP, but try this…

<baseDN>dc=example;dc=com</baseDN> <-- put in the base of your LDAP

<adminDN>cn=Directory Administrator;dc=example;dc=com</adminDN> <-- full path works better for me, seems to be quicker.

Let us know if it doesn't work.

Thank you for your help! But as you can see in my first posting, the admin is authenticated by the LDAP server, so I believe there is no need to change the adminDN. The baseDN also doesn't need to be changed, because every user is found in the directory. The problem is that the LDAP server complains about wrong credentials. But they are correct!

Detlev

Looks like you are having the same issue as described here: http://www.jivesoftware.org/community/thread.jspa?messageID=126286

Yes, I have already read this posting. But I thought there might be a solution in the meantime. I also tested with 2.5.1, but for me it wasn't working.

Try my config. It's working with Lotus Domino 7.0.2 and Wildfire 3.0.0.

true

127.0.0.1

390

uid

cn

mail

O=Company,C=COM cn=admin password true <![CDATA[
<vCard xmlns='vcard-temp'>















        <URL>http://www.company.com</URL>

]]>

org.jivesoftware.wildfire.ldap.LdapUserProvider

org.jivesoftware.wildfire.ldap.LdapAuthProvider

org.jivesoftware.wildfire.ldap.LdapVCardProvider

org.jivesoftware.database.DefaultConnectionProvider

com.mysql.jdbc.Driver

jdbc:mysql://localhost:3306/jive?characterEncoding=utf-8

login

password

5

100

1.0

true

Message was edited by: Serg. M.

Hi Detlev,

You should specify a (full) DN as adminDN and not only “admin”, as your adminDN will likely not work, and if it does work sometimes, then this is more good luck than the expected behavior.

LG
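Two replies in this thread make the same point (use a full DN such as cn=Directory Administrator,dc=example,dc=com rather than the bare name admin), and the Wildfire debug log shows the value it tried to bind with as CN=“admin”. The following added example is a small DN parser and config check that makes those distinctions mechanical: it splits a DN into its RDNs, accepts the quoted (RFC 1779) and escaped (RFC 4514) value syntaxes, normalizes them to one canonical form so that CN="admin" and cn=admin compare equal, and classifies a configured adminDN as a bare username, a single RDN or a full DN. It is not Wildfire's LdapManager code and says nothing about what Domino itself accepts; the classification labels, the ldap_config_warnings helper and the sample DNs are my own.

```python
from typing import List, Tuple

RDN = Tuple[str, str]   # (attribute type, value)


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN string into (type, value) pairs.

    Handles RFC 4514 syntax (comma separators, backslash escapes) plus two legacy
    RFC 1779 forms still seen in older directories: semicolon separators and
    double-quoted values. A component with no '=' is returned with an empty type,
    which is how a bare username such as "admin" shows up. Whitespace around
    types and values is dropped.
    """
    rdns: List[RDN] = []
    buf: List[str] = []
    attr = None          # set once '=' has been seen for the current component
    quoted = False
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):     # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if attr is not None and c == '"':     # RFC 1779 quoted value, quotes dropped
            quoted = not quoted
        elif attr is None and c == "=":
            attr = "".join(buf).strip()
            buf = []
        elif attr is not None and not quoted and c in ",;":
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is not None:
        rdns.append((attr, "".join(buf).strip()))
    elif buf:
        rdns.append(("", "".join(buf).strip()))   # bare component, no '='
    return rdns


def _escape_value(value: str) -> str:
    """Escape an attribute value as RFC 4514 section 2.4 requires."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def normalize_dn(dn: str) -> str:
    """Re-serialize a DN in RFC 4514 form: lower-case types, commas, escapes instead of quotes."""
    return ",".join(
        f"{attr.lower()}={_escape_value(value)}" if attr else _escape_value(value)
        for attr, value in parse_dn(dn)
    )


def classify_admin_dn(dn: str) -> str:
    """Say what a configured adminDN actually is (labels are this example's own):

    'bare-username'  no type=value component at all   (e.g. "admin")
    'single-rdn'     one RDN and no base               (e.g. "cn=admin")
    'full-dn'        two or more RDNs                  (e.g. "cn=admin,O=Company,C=COM")
    """
    rdns = parse_dn(dn)
    if not rdns or any(attr == "" for attr, _ in rdns):
        return "bare-username"
    return "single-rdn" if len(rdns) == 1 else "full-dn"


def ldap_config_warnings(admin_dn: str, base_dn: str) -> List[str]:
    """Review the adminDN/baseDN pair from a Wildfire-style LDAP config (hypothetical helper)."""
    warnings = []
    kind = classify_admin_dn(admin_dn)
    if kind != "full-dn":
        warnings.append(f"adminDN {admin_dn!r} is a {kind}; configure the account's full DN")
    if not base_dn.strip():
        warnings.append("baseDN is empty; the search will run against an empty base")
    if ";" in admin_dn or ";" in base_dn:
        warnings.append("semicolon separators are legacy RFC 1779 syntax; prefer commas")
    return warnings


if __name__ == "__main__":
    # The values from the poster's debug output: adminDN "admin", baseDN empty.
    for w in ldap_config_warnings("admin", ""):
        print("warning:", w)
    print(normalize_dn('CN="admin"'), "==", normalize_dn("cn=admin"))
```

Fed the values from the debug output above (adminDN admin, baseDN empty), the check reports both, while Serg's style of configuration (cn=admin under O=Company,C=COM) passes clean; the normalizer also shows that the quoted CN="admin" Wildfire logged and a plain cn=admin are the same DN once quoting is removed.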