LDAP / Active Directory

I am trying to get Jive Messenger to authenticate against our W2k3 server / Active Directory. The config file is below, as well as the problem.

Here is the error I am getting: Login failed on web page, errors below from debug.log:

2005.09.12 11:02:55 Loading plugin admin

2005.09.12 11:11:27 Trying to find a user's DN based on their username. sAMAaccountName: eilerj, Base DN: CN=Users;DC=finishmaster;DC=com...
2005.09.12 11:11:27 Creating a DirContext in LdapManager.getContext()...
2005.09.12 11:11:27 Created hashtable with context values, attempting to create context...
2005.09.12 11:11:27 ... context created successfully, returning.
2005.09.12 11:11:27 Starting LDAP search...
2005.09.12 11:11:27 ... search finished
2005.09.12 11:11:27 User DN based on username 'eilerj' not found.
2005.09.12 11:11:27 Exception thrown when searching for userDN based on username 'eilerj'
org.jivesoftware.messenger.user.UserNotFoundException: Username eilerj not found
    at org.jivesoftware.messenger.ldap.LdapManager.findUserDN(LdapManager.java:465)
    at org.jivesoftware.messenger.ldap.LdapManager.findUserDN(LdapManager.java:400)
    at org.jivesoftware.messenger.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:88)
    at org.jivesoftware.messenger.auth.AuthFactory.authenticate(AuthFactory.java:97)
    at org.jivesoftware.messenger.admin.login_jsp._jspService(login_jsp.java:136)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:427)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:822)
    at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:43)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
    at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:41)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
    at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
    at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:494)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:569)
    at org.mortbay.http.HttpContext.handle(HttpContext.java:1482)
    at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.java:624)
    at org.mortbay.http.HttpContext.handle(HttpContext.java:1434)
    at org.mortbay.http.HttpServer.service(HttpServer.java:896)
    at org.mortbay.http.HttpConnection.service(HttpConnection.java:814)
    at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:981)
    at org.mortbay.http.HttpConnection.handle(HttpConnection.java:831)
    at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)
    at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:366)
    at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)

WHAT THE HECK?

I have 2 servers working with 2K3 AD. I'm using AD for user authentication and prepopulated “Shared Rosters”. There are a couple of things that stand out in your conf file. Element nameField should be set to cn. Also, the adminDN field may require the user ID to be specified like this: DOMAIN\UserID. See my config file below and see if it helps you. In my example, users that are JM enabled must reside in the OU “Jive”, as should the groups for the shared roster, but it can point to any DN that makes sense for your organization.

Message was edited by: rdale

This doesn't fix the problem - I am still getting the error.

Thanks,

J

Could you post your updated config file as well as a new trace?

You might also try changing this line:

It looks to me like you are connecting via LDAP successfully, but the base DN is preventing you from finding any accounts.

Message was edited by: rdale

Try this:

Here is the new setup:

And new errors:

2005.09.12 17:28:11 Created new LdapManager() instance, fields:
2005.09.12 17:28:11 host: 10.1.1.24
2005.09.12 17:28:11 port: 389
2005.09.12 17:28:11 usernamefield: sAMAaccountName
2005.09.12 17:28:11 baseDN: DC=finishmaster;DC=com
2005.09.12 17:28:11 alternateBaseDN: null
2005.09.12 17:28:11 nameField: cn
2005.09.12 17:28:11 emailField: mail
2005.09.12 17:28:11 adminDN: CN=eilerj,CN=Users,DC=finishmaster,DC=com
2005.09.12 17:28:11 adminPassword: *****
2005.09.12 17:28:11 searchFilter: (sAMAaccountName=)
2005.09.12 17:28:11 ldapDebugEnabled: true
2005.09.12 17:28:11 sslEnabled: false
2005.09.12 17:28:11 initialContextFactory: com.sun.jndi.ldap.LdapCtxFactory
2005.09.12 17:28:11 connectionPoolEnabled: true
2005.09.12 17:28:11 autoFollowReferrals: false
2005.09.12 17:28:11 groupNameField: cn
2005.09.12 17:28:11 groupMemberField: member
2005.09.12 17:28:11 groupDescriptionField: description
2005.09.12 17:28:11 posixMode: false
2005.09.12 17:28:11 groupSearchFilter: (member=)

2005.09.12 17:28:18 Loading plugin admin

2005.09.12 17:29:29 Trying to find a user's DN based on their username. sAMAaccountName: EilerJ, Base DN: DC=finishmaster;DC=com...
2005.09.12 17:29:29 Creating a DirContext in LdapManager.getContext()...
2005.09.12 17:29:29 Created hashtable with context values, attempting to create context...
2005.09.12 17:29:30 Exception thrown when searching for userDN based on username 'EilerJ'
javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at org.jivesoftware.messenger.ldap.LdapManager.getContext(LdapManager.java:271)
    at org.jivesoftware.messenger.ldap.LdapManager.findUserDN(LdapManager.java:445)
    at org.jivesoftware.messenger.ldap.LdapManager.findUserDN(LdapManager.java:400)
    at org.jivesoftware.messenger.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:88)
    at org.jivesoftware.messenger.auth.AuthFactory.authenticate(AuthFactory.java:97)
    at org.jivesoftware.messenger.admin.login_jsp._jspService(login_jsp.java:136)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:427)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:822)
    at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:43)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
    at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:41)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
    at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
    at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:494)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:569)
    at org.mortbay.http.HttpContext.handle(HttpContext.java:1482)
    at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.java:624)
    at org.mortbay.http.HttpContext.handle(HttpContext.java:1434)
    at org.mortbay.http.HttpServer.service(HttpServer.java:896)
    at org.mortbay.http.HttpConnection.service(HttpConnection.java:814)
    at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:981)
    at org.mortbay.http.HttpConnection.handle(HttpConnection.java:831)
    at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)
    at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:366)
    at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)

I think that something is wrong with that adminDN - it doesn't want to login to the domain server with anything besides eilerj@finishmaster.com - see:

Watch what happens when I just change adminDN to eilerj@finishmaster.com:

2005.09.12 17:32:18 Created new LdapManager() instance, fields:
2005.09.12 17:32:18 host: 10.1.1.24
2005.09.12 17:32:18 port: 389
2005.09.12 17:32:18 usernamefield: sAMAaccountName
2005.09.12 17:32:18 baseDN: DC=finishmaster;DC=com
2005.09.12 17:32:18 alternateBaseDN: null
2005.09.12 17:32:18 nameField: cn
2005.09.12 17:32:18 emailField: mail
2005.09.12 17:32:18 adminDN: EilerJ@finishmaster.com
2005.09.12 17:32:18 adminPassword: *****
2005.09.12 17:32:18 searchFilter: (sAMAaccountName=)
2005.09.12 17:32:18 ldapDebugEnabled: true
2005.09.12 17:32:18 sslEnabled: false
2005.09.12 17:32:18 initialContextFactory: com.sun.jndi.ldap.LdapCtxFactory
2005.09.12 17:32:18 connectionPoolEnabled: true
2005.09.12 17:32:18 autoFollowReferrals: false
2005.09.12 17:32:18 groupNameField: cn
2005.09.12 17:32:18 groupMemberField: member
2005.09.12 17:32:18 groupDescriptionField: description
2005.09.12 17:32:18 posixMode: false
2005.09.12 17:32:18 groupSearchFilter: (member=)

2005.09.12 17:32:24 Loading plugin admin

2005.09.12 17:41:43 Trying to find a user's DN based on their username. sAMAaccountName: EilerJ, Base DN: DC=finishmaster;DC=com...
2005.09.12 17:41:43 Creating a DirContext in LdapManager.getContext()...
2005.09.12 17:41:43 Created hashtable with context values, attempting to create context...
2005.09.12 17:41:43 ... context created successfully, returning.
2005.09.12 17:41:43 Starting LDAP search...
2005.09.12 17:41:44 ... search finished
2005.09.12 17:41:44 User DN based on username 'EilerJ' not found.
2005.09.12 17:41:44 Exception thrown when searching for userDN based on username 'EilerJ'
org.jivesoftware.messenger.user.UserNotFoundException: Username EilerJ not found
    at org.jivesoftware.messenger.ldap.LdapManager.findUserDN(LdapManager.java:465)
    at org.jivesoftware.messenger.ldap.LdapManager.findUserDN(LdapManager.java:400)
    at org.jivesoftware.messenger.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:88)
    at org.jivesoftware.messenger.auth.AuthFactory.authenticate(AuthFactory.java:97)
    at org.jivesoftware.messenger.admin.login_jsp._jspService(login_jsp.java:136)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:427)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:822)
    at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:43)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
    at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:41)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
    at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
    at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:494)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:569)
    at org.mortbay.http.HttpContext.handle(HttpContext.java:1482)
    at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.java:624)
    at org.mortbay.http.HttpContext.handle(HttpContext.java:1434)
    at org.mortbay.http.HttpServer.service(HttpServer.java:896)
    at org.mortbay.http.HttpConnection.service(HttpConnection.java:814)
    at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:981)
    at org.mortbay.http.HttpConnection.handle(HttpConnection.java:831)
    at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)
    at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:366)
    at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)

See, it successfully creates the search object and doesn't find the user... Help!

I have tried both, neither works.

Ok... One more thing that has caused me grief is capital letters in the “pre-Windows 2000” login name in Active Directory Users & Computers. I had to edit every user account so that they are all lower case. This is a known issue, see: JM-394

Message was edited by: rdale

EilerJ is mixed case, but test isn't... it's all lowercase, and it should log in.

One thing that stands out to me is that you're using sAMAaccountName and not sAMAccountName - note the two A's in account.

If it helps, here's my working LDAP config for AD to a mixed w2k/w2k03 domain -

Great! It's always the small things. I got logged into the AD and JM server - but, I need to filter this down now and give only people in the IMusers group permission to login and search only in that group in AD. How do I do that?

Try changing this line from say

I don't know if that will work. The group that the users are in is in a separate OU from the actual OU for the users. So, the group I would need to allow access to is IMusers. The users are all under a different OU - so, how do I manage this?

J

Here is my updated section that does do exactly what I want it to do - it gets the users from the group IMusers from AD and allows only them to login and use JM. However, it takes FOREVER to load the users in the AdminConsole, presumably because it's enumerating through all of our users and seeing if they're in the group. Is there a better, faster way to do this???


Thanks,

J

Looking at the source code (http://tinyurl.com/cjbo4), the query is using sAMAccountName=* which means you're returning all the users (as expected). How many users are being returned? I've seen a query like this against 900 users perform fine.

Another thing, your query

(&(objectClass=user)(objectCategory=Person)(&(memberOf=CN=IMusers,OU=Security,OU=FM Groups,DC=finishmaster,DC=com)(sAMAccountName=)))

can be written as:

(&(objectClass=user)(objectCategory=Person)(memberOf=CN=IMusers,OU=Security,OU=FM Groups,DC=finishmaster,DC=com)(sAMAccountName=))

I'm not sure if that would make a difference (you'd hope AD can optimize that!). Also, please put the most restrictive condition first (again, I hope AD is smart, but you never know).

Noah
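The two things that tripped this thread up, a misspelt attribute name (sAMAaccountName) and a redundantly nested (&(&...)) filter, can both be caught before a filter ever reaches the directory. The following is an added example, not code from this thread or from Jive Messenger; the KNOWN_ATTRS allow-list and the selectivity ranking in rank() are constructed assumptions for the demo.

```python
# Added example, not code from the thread: parse an LDAP search filter, flag
# attribute names outside an allow-list (catches sAMAaccountName vs sAMAccountName),
# flatten a nested (&(&...)) as Noah suggests, and put the most selective AND
# clause first.  KNOWN_ATTRS and the ranking are constructed; values must not contain ')'.
KNOWN_ATTRS = {"objectclass", "objectcategory", "samaccountname", "memberof", "cn", "mail", "member"}

def parse(f, i=0):
    """Return (node, next_index); node is (op, [kids]) or ('=', attr, value)."""
    assert f[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1                  # f[i] is the closing ')'
    end = f.index(")", i)
    attr, _, value = f[i:end].partition("=")      # first '=' splits attr from value
    return ("=", attr, value), end + 1

def unknown_attrs(f):
    """Attribute names in f that are not in KNOWN_ATTRS (case-insensitive)."""
    def walk(n):
        if n[0] == "=":
            return [] if n[1].lower() in KNOWN_ATTRS else [n[1]]
        return [a for k in n[1] for a in walk(k)]
    return walk(parse(f)[0])

def clauses(n, op):
    """Yield n's children, splicing in any child that is itself an (op ...) node."""
    for k in n[1]:
        yield from clauses(k, op) if k[0] == op else [k]

def rank(n):
    """Sort key for AND clauses: exact value < objectClass/Category < (attr=*)."""
    if n[0] != "=" or n[1].lower() in ("objectclass", "objectcategory"):
        return 2
    return 3 if n[2] == "*" else 0                # a presence filter matches every object

def render(n):
    if n[0] == "=":
        return f"({n[1]}={n[2]})"
    kids = list(clauses(n, n[0])) if n[0] in "&|" else n[1]
    if n[0] == "&":
        kids.sort(key=rank)                       # stable: ties keep their order
    return f"({n[0]}{''.join(map(render, kids))})"

def rewrite(f):
    return render(parse(f)[0])
```

rewrite() turns the nested filter above into Noah's flat form with the memberOf clause ahead of the objectClass/objectCategory tests, and unknown_attrs() reports the misspelt attribute from the earlier debug output.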

Does it matter that I still have debugging turned on? I have changed the search strings and still don't see any difference in the time it takes to load all the information.

Also, once I have the users set and authenticating against the domain, how can I subcategorize the Users to be in subgroups with JM, or does this all have to be done in AD now since I'm using it as my “database”?

J

Ok, the answer to the debug question is YES! It definitely runs faster now. The problem I have now is that no one is showing up in the group roster in Exodus.

I checked with a couple other clients - they don't work either. Is there a known bug or a fix I can use, or do I just have to use native auth until the bugs get worked out?

Never mind... we just gave in and bought Live Communications Server 2005 from MicroHell.

Thanks for the help.