LDAP AD issue after Ubuntu updates

Hello all,

Running Openfire 4.2.1 on an Ubuntu VM, and a recent set of Ubuntu updates (I’m thinking it’s a Java update) has broken my LDAP connection to AD. It has been working great for some time and I’m using LDAP secure on port 636 to my domain controller. After the Ubuntu updates no one can log in via Spark and I cannot get into the admin console. Below is an error I’m seeing in the logs that may be the cause:

2019.03.06 20:56:48 ERROR [main]: org.jivesoftware.util.AesEncryptor - AES cipher failed
java.lang.IllegalArgumentException: Null input buffer
	at javax.crypto.Cipher.doFinal(Cipher.java:2160)
	at org.jivesoftware.util.AesEncryptor.cipher(AesEncryptor.java:100)
	at org.jivesoftware.util.AesEncryptor.decrypt(AesEncryptor.java:74)
	at org.jivesoftware.util.JiveProperties.loadProperties(JiveProperties.java:422)
	at org.jivesoftware.util.JiveProperties.init(JiveProperties.java:89)
	at org.jivesoftware.util.JiveProperties.getInstance(JiveProperties.java:65)
	at org.jivesoftware.util.JiveGlobals.getProperty(JiveGlobals.java:544)
	at org.jivesoftware.util.cache.CacheFactory.<clinit>(CacheFactory.java:88)
	at org.jivesoftware.openfire.XMPPServer.initialize(XMPPServer.java:311)
	at org.jivesoftware.openfire.XMPPServer.start(XMPPServer.java:535)
	at org.jivesoftware.openfire.XMPPServer.<init>(XMPPServer.java:163)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at java.lang.Class.newInstance(Class.java:442)
	at org.jivesoftware.openfire.starter.ServerStarter.start(ServerStarter.java:102)
	at org.jivesoftware.openfire.starter.ServerStarter.main(ServerStarter.java:53)

What does ‘java -version’ show?
Also try running Openfire manually via ‘sudo /etc/init.d/openfire start’ and tell us what output you get, anything about Java?
Check /usr/lib/jvm, do you have Java 8 there? Even if your default Java is now 11, you can still change the default by editing:
sudo nano /etc/default/openfire
uncomment JAVA_HOME
set to =/usr/lib/jvm/java-8-openjdk-amd64/jre (see if your path is like that actually)
then reboot the server or restart the Openfire daemon

Maybe your error is related to some old cipher used with LDAP which newer versions of Java don’t support. I have no experience with LDAPS. Maybe @speedy will have a suggestion.

@wroot Hey thanks for the reply! Currently it is:

openjdk version “1.8.0_191”
OpenJDK Runtime Environment (build 1.8.0_191-8u191-b12-2ubuntu0.16.04.1-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)

But that’s because I had to revert my snapshot and get openfire working again. I’ll attempt the updates again and see what version it goes to. I’ll also check your other questions after applying updates and report back. Thanks!

So between restoring snapshots and updating I had somehow kept that Java version. When I rebooted the server the AES error went away, but now there is a new issue:

2019.03.07 20:55:16 ERROR [socket_c2s-thread-2]: org.jivesoftware.openfire.ldap.LdapAuthProvider - Error connecting to LDAP server
javax.naming.CommunicationException: 10.23.200.67:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address [x.x.x.x] found]

This was again breaking the LDAPS connection. After research it turns out there was indeed a change in Java, and I found it in the release notes.

I added this line to my DAEMON_OPTS at /etc/default/openfire

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

After a service restart the LDAPS connection was working again. I gather if my AD server cert had a SAN IP in it, it wouldn’t be an issue. But either way it’s fixed now.
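Before reaching for the disableEndpointIdentification switch, it is worth knowing whether the certificate would match the host in the LDAP URL at all. The following is an added example (not part of this thread and not Openfire code) that emulates the Java endpoint-identification check against a constructed SAN list; the hostnames and the SAN list are assumptions. It shows that an IP address in the URL is matched only against iPAddress SANs, while pointing the URL at a DNS name that is in the cert passes without any workaround:

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN list standing in for a domain controller's certificate (not from the thread).
# It carries DNS names only, which is the situation the logged error describes.
DC_CERT_SANS = [("DNS", "dc01.corp.example"), ("DNS", "corp.example")]

def ldap_url_host(url):
    """Host part of an LDAP(S) URL: 'ldaps://10.23.200.67:636' -> '10.23.200.67'."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in LDAP URL: {url!r}")
    return host

def is_ip_literal(host):
    """True when the configured host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """dNSName match as JSSE applies it: case-insensitive; '*' only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def endpoint_matches(host, sans):
    """Emulate endpoint identification: an IP literal matches only an iPAddress SAN,
    a hostname only a dNSName SAN. sans is a list of ('DNS'|'IP', value) tuples."""
    if is_ip_literal(host):
        target = ipaddress.ip_address(host)
        return any(t == "IP" and ipaddress.ip_address(v) == target for t, v in sans)
    return any(t == "DNS" and dns_name_matches(v, host) for t, v in sans)

def check_ldap_url(url, sans=DC_CERT_SANS):
    """Return (ok, message) for the configured LDAP URL against the certificate's SANs."""
    host = ldap_url_host(url)
    if endpoint_matches(host, sans):
        return True, f"{host} matches a subject alternative name; no workaround needed"
    kind = "IP address" if is_ip_literal(host) else "hostname"
    return False, (f"No subject alternative names matching {kind} {host}; "
                   f"point the LDAP URL at a name in the cert ({', '.join(v for _, v in sans)}) "
                   f"or add it to the cert rather than disabling endpoint identification")

if __name__ == "__main__":
    for url in ("ldaps://10.23.200.67:636", "ldaps://dc01.corp.example:636", "ldaps://DC01.Corp.Example.:636"):
        print(url, "->", check_ldap_url(url))
```

The first URL reproduces the thread's failure (IP in the URL, DNS-only SANs); the other two pass because the name in the URL is in the certificate.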
