LDAP bind to AD - only works with Domain Administrator

We’ve had an issue with one of our customers recently - Spark stopped allowing anyone to log in. For some reason, the account we created to bind OpenFire (3.9.3) to AD was no longer working. The following steps were tried:-

  • Bind OpenFire to LDAP using the domain administrator account - worked fine.
  • Recreated service account for OpenFire and tried that to bind to AD - failed.
  • Tried another domain administrator - failed.
  • Reinstalled OpenFire from scratch (took the opportunity to upgrade from 3.9.1 to 3.9.3 at the same time) - domain Administrator account works, no other account works.
  • Recreated service account for OpenFire by copying the domain administrator account - failed.

Whatever I try, I can’t seem to get OpenFire to authenticate using any account other than the domain administrator. To the best of my knowledge, no change has been made in AD recently that would disallow this.

The exception I’m getting in the error log is as follows:-

at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.ldap.InitialLdapContext.(Unknown Source)
at org.jivesoftware.util.JiveInitialLdapContext.(JiveInitialLdapContext.java:43)
at org.jivesoftware.openfire.ldap.LdapManager.getContext(LdapManager.java:548)
at org.jivesoftware.openfire.ldap.LdapManager.retrieveList(LdapManager.java:1862)
at org.jivesoftware.openfire.ldap.LdapUserProvider.getUsers(LdapUserProvider.java:191)
at org.jivesoftware.openfire.user.UserManager.getUsers(UserManager.java:282)
at org.jivesoftware.openfire.admin.user_002dsummary_jsp._jspService(user_002dsummary_jsp.java:232)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:547)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1359)
at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1330)
at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:74)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1330)
at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:50)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1330)
at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:78)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1330)
at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:164)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1330)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:478)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:520)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:941)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:409)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:875)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:250)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110)
at org.eclipse.jetty.server.Server.handle(Server.java:349)
at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:441)
at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:919)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:582)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:218)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:51)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:586)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:44)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:598)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:533)
at java.lang.Thread.run(Unknown Source)

Any help or suggestions that people could provide would be greatly appreciated. I have tried searching for similar issues, but haven’t found anything so far.

My apologies - I should have noted that whilst leaving OpenFire running with the domain administrator account will work in the short term, a security audit by the company’s parent has insisted that we stop using the domain administrator for all services and this account will be disabled in the next couple of months. Therefore, I need to get this issue resolved - the current workaround is not a suitable long term option.

I have since worked out the reason for this myself - it was a dumb mistake. Just in case anyone else has the same issue, I was using the wrong DN format - I was using “CN=,OU=…” rather than “CN=,OU=…”

To verify the correct DN to use, run "dsquery user -samid " from the command line of a domain controller, and the full DN will be returned.
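As an added example (not from the original post or from the OpenFire project), the same check done from a domain controller in PowerShell: resolve the service account's full DN the way dsquery does, then attempt a simple LDAP bind over LDAPS with that DN before the credentials go into OpenFire's LDAP settings. It assumes the RSAT ActiveDirectory module is installed, a placeholder sAMAccountName of svc_openfire, and a placeholder DC name dc01.example.local listening on port 636.

```powershell
# Added example, not code from the original post. Placeholders below must be
# replaced with the real service account name and domain controller.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$samid = 'svc_openfire'          # placeholder sAMAccountName of the service account
$dc    = 'dc01.example.local'    # placeholder domain controller, LDAPS on 636

# Equivalent to 'dsquery user -samid <name>': returns the account's full DN,
# which is the value OpenFire's bind DN setting expects (not DOMAIN\user or UPN).
$dn = (Get-ADUser -Identity $samid).DistinguishedName
Write-Host "Bind DN for ${samid}: $dn"

# Prompt for the service account password; the DN is used as the bind identity.
$cred = Get-Credential -UserName $dn -Message 'Service account password'

# Build an LDAPS connection and perform a simple bind with the DN and password.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $cred.GetNetworkCredential()

try {
    $conn.Bind()
    Write-Host "Simple bind as '$dn' succeeded; this DN and password can be used as the OpenFire bind account."
} catch [System.DirectoryServices.Protocols.LdapException] {
    # A failure here means the problem is the DN or credentials, not OpenFire itself.
    Write-Host "Simple bind as '$dn' failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

If the bind succeeds here but OpenFire still fails, the issue is in OpenFire's configuration (base DN, host, port or SSL setting) rather than the account.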