LDAP and Active Directory error

Hi there. I've recently upgraded to the latest official build (2.1.1) and I'm trying to get LDAP with Windows Active Directory to work. I'll be the first to say I'm not familiar with LDAP, so my problems may all come down to that.

I tweaked jive-messenger.xml (including listing a couple of users as admins) and temporarily used an account with administrative privileges to make sure security rights weren't my problem. Starting the Jive server up, I cannot log in to the admin console with any of the users I specified. I've read several bits of info on why this might be, but it may have to do with the error clients are getting when they try to connect to the Jive server.

Using Trillian Pro 3.0:

Creating connection “user@servername”

Auth: NOTE: Server does not support digest passwords, reverting to plaintext.

Connect: Authorization failed (401): (null)

Connect: The password for this account is incorrect. Please enter the correct password!

Using Psi v0.9.2 with plain text allowed:

There was an error communicating with the Jabber server.

Details: Authentication error: Not authorized

(with or without SSL I get this response)

I turned on debugging in the xml file and here are the lines generated when clients try to connect:

2005.01.31 13:00:40 Connect Socket[addr=/192.168.1.49,port=1680,localport=5222]

2005.01.31 13:00:40 Trying to find a user's DN based on their username. uid: joshc, Base DN: DC=smi…

2005.01.31 13:00:40 Creating a DirContext in LdapManager.getContext()…

2005.01.31 13:00:40 Created hashtable with context values, attempting to create context…

2005.01.31 13:00:40 Exception thrown when searching for userDN based on username 'joshc'

javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893

What am I doing wrong? This seems like such a straight forward thing to get going. Thanks for any suggestions and help you can offer!

-jc

I'd read through this thread a good bit and see if you can find your answer. Through this thread is how I got it working, and I think it should answer your questions.

http://www.jivesoftware.org/forums/thread.jspa?forumID=40&threadID=13764&messageID=94052&#94052

Swad,

I actually read through that thread a couple of times before posting, and it's what got me close, but not quite right. Before, I wasn't even hitting the AD and all clients were showing up in the log as unknown users. At least I know Jive is talking to the AD server now.

For the time being I'm stumped!

2005.01.31 13:00:40 Trying to find a user's DN based on their username. uid: joshc, Base DN: DC=smi…

I see “uid” in that line from above. Are you using “uid” for this field in your jive-messenger.xml file:

uid

If so, I never got it to work with the uid field. I had to make it look like this for AD:

sAMAccountName

If that's how yours looks now, then I'm uncertain what else may be the problem. Just as a reference, I'll post my current LDAP portion of my jive-messenger.xml. I only modified baseDN, adminDN and adminPassword a bit for privacy's sake. Also, as a preliminary way to make sure you're actually connecting to your AD, make sure you have some valid AD user(s) separated by commas in and log into the admin console with one of them. I managed to do this before I ironed out issues connecting with my clients (was user error).

server.domain.com

389

sAMAccountName

displayName

mail

DC=domain,DC=com

CN=adminUser,CN=Users,DC=domain,DC=com

adminPass

org.jivesoftware.messenger.ldap.LdapUserProvider

org.jivesoftware.messenger.ldap.LdapAuthProvider

uid

That's how I had it.

If so, I never got it to work with the uid field. I had to make it look like this for AD:

sAMAccountName

Changed it to this and things still weren't working.

Then I noticed this in your LDAP section:

CN=adminUser,CN=Users,DC=domain,DC=com

I didn't have the “,cn=Users,DC=domain” bit and decided to put that in there. Sure enough, that fixed everything! Admin console works and clients can connect!

Thank you very much for helping me with this. I'm off to see about getting a contact list to populate with AD members now.

-jc

Hello, I have the same error.

==> logs/debug.log <==

2005.02.08 07:38:33 Created new LdapManager() instance, fields:

2005.02.08 07:38:33 host: ares.mydomain.com

2005.02.08 07:38:33 port: 389

2005.02.08 07:38:33 usernamefield: sAMAccountName

2005.02.08 07:38:33 baseDN: DC=se,DC=net

2005.02.08 07:38:33 alternateBaseDN: OU=Medellín,DC=se,DC=net

2005.02.08 07:38:33 nameField: CN

2005.02.08 07:38:33 emailField: mail

2005.02.08 07:38:33 adminDN: CN=Administrador,CN=Users,DC=se,DC=net

2005.02.08 07:38:33 adminPassword: XXXXX

2005.02.08 07:38:33 ldapDebugEnabled: true

2005.02.08 07:38:33 sslEnabled: false

2005.02.08 07:38:33 initialContextFactory: com.sun.jndi.ldap.LdapCtxFactory

2005.02.08 07:38:33 connectionPoolEnabled: true

2005.02.08 07:38:33 autoFollowReferrals: false

==> logs/debug.log <==

2005.02.08 07:40:33 Trying to find a user's DN based on their username. sAMAccountName: aagomez, Base DN: DC=se,DC=net…

2005.02.08 07:40:33 Creating a DirContext in LdapManager.getContext()…

2005.02.08 07:40:33 Created hashtable with context values, attempting to create context…

2005.02.08 07:40:33 Exception thrown when searching for userDN based on username 'aagomez'

javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)

at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)

at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)

at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)

at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)

at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)

at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)

at javax.naming.InitialContext.init(InitialContext.java:223)

at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)

at org.jivesoftware.messenger.ldap.LdapManager.getContext(LdapManager.java:216)

at org.jivesoftware.messenger.ldap.LdapManager.findUserDN(LdapManager.java:379)

at org.jivesoftware.messenger.ldap.LdapManager.findUserDN(LdapManager.java:334)

at org.jivesoftware.messenger.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:88)

at org.jivesoftware.messenger.auth.AuthFactory.authenticate(AuthFactory.java:100)

at org.jivesoftware.messenger.admin.login_jsp._jspService(login_jsp.java:132)

at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)

at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:427)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:816)

at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:41)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:807)

at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:76)

at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:807)

at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:488)

at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:569)

at org.mortbay.http.HttpContext.handle(HttpContext.java:1482)

at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.java:624)

at org.mortbay.http.HttpContext.handle(HttpContext.java:1434)

at org.mortbay.http.HttpServer.service(HttpServer.java:896)

at org.mortbay.http.HttpConnection.service(HttpConnection.java:814)

at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:981)

at org.mortbay.http.HttpConnection.handle(HttpConnection.java:831)

at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)

at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:366)

at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)

I figured I'd jump in this thread rather than starting my own separate thread. I'm having a very similar (although apparently slightly different) problem.

We are also authenticating off the AD server. We have about 20 users, and I've only tested 4. For 3 of us, it works fine. For instance, when I log in, this is what shows up in the debug log:

2005.02.09 14:19:19 SSL Connect 1f68272[SSL_NULL_WITH_NULL_NULL: Socket[addr=/192.168.7.23,port=36946,localport=5223]]

2005.02.09 14:19:19 Trying to find a user's DN based on their username. sAMAccountName: matthewl, Base DN: CN=Users,DC=OPTITECH,DC=com…

2005.02.09 14:19:19 Creating a DirContext in LdapManager.getContext()…

2005.02.09 14:19:19 Created hashtable with context values, attempting to create context…

2005.02.09 14:19:19 … context created successfully, returning.

2005.02.09 14:19:19 Starting LDAP search…

2005.02.09 14:19:19 … search finished

2005.02.09 14:19:19 In LdapManager.checkAuthentication(userDN, password), userDN is: CN=Matthew Lonsdale…

2005.02.09 14:19:19 Created context values, attempting to create context…

2005.02.09 14:19:19 … context created successfully, returning.

And everything is just peachy. However, we have one user who can't log in. When she tries to log in, this is what shows up in the debug log:

2005.02.09 14:20:45 Connect Socket[addr=/192.168.7.25,port=34123,localport=5222]

2005.02.09 14:20:45 Trying to find a user's DN based on their username. sAMAccountName: chethanak, Base DN: CN=Users,DC=OPTITECH,DC=com…

2005.02.09 14:20:45 Creating a DirContext in LdapManager.getContext()…

2005.02.09 14:20:45 Created hashtable with context values, attempting to create context…

2005.02.09 14:20:45 … context created successfully, returning.

2005.02.09 14:20:45 Starting LDAP search…

2005.02.09 14:20:45 … search finished

2005.02.09 14:20:45 In LdapManager.checkAuthentication(userDN, password), userDN is: CN=Chethana Kuloor…

2005.02.09 14:20:45 Created context values, attempting to create context…

2005.02.09 14:20:45 Caught a naming exception when creating InitialContext

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)

at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)

at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)

at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)

at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)

at javax.naming.InitialContext.init(Unknown Source)

at javax.naming.InitialContext.<init>(Unknown Source)

at javax.naming.directory.InitialDirContext.<init>(Unknown Source)

at org.jivesoftware.messenger.ldap.LdapManager.checkAuthentication(LdapManager.java:256)

at org.jivesoftware.messenger.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:91)

at org.jivesoftware.messenger.auth.AuthFactory.authenticate(AuthFactory.java:100)

at org.jivesoftware.messenger.handler.IQAuthHandler.login(IQAuthHandler.java:180)

at org.jivesoftware.messenger.handler.IQAuthHandler.handleIQ(IQAuthHandler.java:122)

at org.jivesoftware.messenger.handler.IQHandler.process(IQHandler.java:48)

at org.jivesoftware.messenger.IQRouter.handle(IQRouter.java:192)

at org.jivesoftware.messenger.IQRouter.route(IQRouter.java:74)

at org.jivesoftware.messenger.PacketRouter.route(PacketRouter.java:78)

at org.jivesoftware.messenger.net.SocketReadThread.readStream(SocketReadThread.java:207)

at org.jivesoftware.messenger.net.SocketReadThread.run(SocketReadThread.java:109)

2005.02.09 14:20:45 Logging off jabber/cce3fbb8 on org.jivesoftware.messenger.net.SocketConnection@103c29b

Could this be related to the original poster's problem? It seems like we get a bit further along the authentication process before it all goes wrong.

OK, having done a bit more research myself, it seems this is the standard log when an incorrect password is used. So now to figure out why it thinks that particular password is wrong, which might not be a Jive Messenger issue at all. So never mind!

Luckily I got sidetracked by something here at work because I was in the middle of writing up a big (and probably not very helpful!) response. Glad to hear you tracked down the problem.
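As an added example (not code from this thread or from Jive Messenger), here is a small Python diagnostic that reads debug-log excerpts like the ones posted above and turns the AD-specific "data" sub-code of LDAP error 49 into the distinction both jc and Matthew reached by hand: a failure while LdapManager.getContext() runs inside findUserDN is the admin bind (adminDN/adminPassword, jc's "data 525"), while a failure inside checkAuthentication is the user's own bind (their password, Matthew's "data 52e"). The sub-code table is Microsoft's documented AcceptSecurityContext values; the log-marker strings are assumptions about Jive Messenger 2.1's debug wording taken from the lines quoted in this thread, and the two sample excerpts are constructed to mirror those lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sub-codes Active Directory appends as "data NNN" to LDAP result 49
# (invalidCredentials); these are Microsoft's documented AcceptSecurityContext values.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (password rejected)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LDAP_ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - [0-9A-Fa-f]+: LdapErr: DSID-[0-9A-Fa-f]+, "
    r"comment: AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+)"
)

# Assumed markers (taken from the Jive Messenger 2.1 debug lines quoted in the thread)
# that show which bind was in progress when the exception was thrown.
ADMIN_BIND_MARKER = "DN based on their username"          # findUserDN: admin bind + search
USER_BIND_MARKER = "LdapManager.checkAuthentication("     # bind as the user's own DN


@dataclass
class BindFailure:
    result_code: int
    data: str
    phase: str           # "admin-bind", "user-bind" or "unknown"
    meaning: str
    likely_cause: str


def diagnose(log_excerpt: str) -> Optional[BindFailure]:
    """Classify an LDAP error-49 failure from a Jive Messenger debug-log excerpt."""
    m = LDAP_ERR_RE.search(log_excerpt)
    if m is None:
        return None
    before = log_excerpt[: m.start()]
    # The marker seen most recently before the exception names the failing bind.
    admin_pos = before.rfind(ADMIN_BIND_MARKER)
    user_pos = before.rfind(USER_BIND_MARKER)
    if admin_pos < 0 and user_pos < 0:
        phase = "unknown"
    elif user_pos > admin_pos:
        phase = "user-bind"
    else:
        phase = "admin-bind"
    data = m.group("data").lower()
    meaning = AD_BIND_SUBCODES.get(data, "unrecognised sub-code")
    if phase == "admin-bind":
        if data == "525":
            cause = "adminDN does not name an existing object; check the full DN (e.g. CN=..,CN=Users,DC=..)"
        elif data == "52e":
            cause = "adminPassword is wrong for adminDN"
        else:
            cause = f"service account problem: {meaning}"
    elif phase == "user-bind":
        if data == "52e":
            cause = "the user's password is wrong; server configuration is not the issue"
        elif data == "525":
            cause = "the DN returned by the search does not bind; check baseDN and usernameField"
        else:
            cause = f"user account problem: {meaning}"
    else:
        cause = meaning
    return BindFailure(int(m.group("code")), data, phase, meaning, cause)


# Constructed excerpts modelled on the debug output posted in this thread.
ADMIN_BIND_LOG = """\
2005.01.31 13:00:40 Trying to find a user's DN based on their username. uid: joshc, Base DN: DC=smi...
2005.01.31 13:00:40 Creating a DirContext in LdapManager.getContext()...
2005.01.31 13:00:40 Exception thrown when searching for userDN based on username 'joshc'
javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
"""

USER_BIND_LOG = """\
2005.02.09 14:20:45 Trying to find a user's DN based on their username. sAMAccountName: chethanak, Base DN: CN=Users,DC=OPTITECH,DC=com...
2005.02.09 14:20:45 ... search finished
2005.02.09 14:20:45 In LdapManager.checkAuthentication(userDN, password), userDN is: CN=Chethana Kuloor...
2005.02.09 14:20:45 Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
"""

if __name__ == "__main__":
    for who, excerpt in (("jc", ADMIN_BIND_LOG), ("matthewl", USER_BIND_LOG)):
        r = diagnose(excerpt)
        print(f"{who}: data {r.data} during {r.phase}: {r.meaning}; {r.likely_cause}")
```

Run it over a copy of logs/debug.log (the whole file, or just the lines around the exception) to get the same answer the thread converged on: "525" during the admin bind points at the adminDN in jive-messenger.xml, while "52e" during the user bind is simply a rejected password for that one account.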