LDAP connection quandary

Hello board. My instance of Jive works using the embedded authentication perfectly. Once I try to use the LDAP authentication though, I cannot log on (using PSI with Plaintext passwds and SSL) using my forest ID.

Do I need Admin rights in the AD that I am attempting to authenticate against? Does my adminDN user need any special rights?

Thanks,

Adam

Hi Adam,

"Do I need Admin rights in the AD that I am attempting to authenticate against? Does my adminDN user need any special rights?"

No, just read access.

Are you seeing any sort of errors in your log files? One issue that has tripped up a few people is forgetting to uncomment the provider elements in the jive-messenger.xml configuration file.

Thanks,

Ryan

PS - How are you liking this rainy Colorado weather?

Hi Ryan,

So firstly, the rain is very nice!

Secondly, I am seeing lots of errors in the log files. The portion that catches my eye first is this:

2005.08.11 07:39:17 Trying to find a user's DN based on their username. uid: adaughterson, Base DN: OU=Micro Motion,DC=na,DC=emersonprocess,DC=com…

2005.08.11 07:39:17 Creating a DirContext in LdapManager.getContext()…

2005.08.11 07:39:17 Created hashtable with context values, attempting to create context…

2005.08.11 07:39:17 … context created successfully, returning.

2005.08.11 07:39:17 Starting LDAP search…

2005.08.11 07:39:19 … search finished

2005.08.11 07:39:19 User DN based on username 'adaughterson' not found.

2005.08.11 07:39:19 Exception thrown when searching for userDN based on username 'adaughterson'

org.jivesoftware.messenger.user.UserNotFoundException: Username adaughterson not found

Which leads me to the next thing: the usernameField in ./conf/jive-messenger.xml. Is this whatever the AD admins in my organization have decided the username needs to be? I have looked at the schema for this AD and there is uid, username, samAccount, Sam-Account-Name, …etc… All give me the same error. It makes me think that I have something mis-configured for sure, but what??

Here is what my jive-messenger.xml looks like:

Any thoughts?

Thanks,

Adam
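Added example, not code from the thread or from Jive Messenger: the lookup the debug lines above describe ("Trying to find a user's DN based on their username") is an LDAP subtree search under baseDN for the equality filter (usernameField=username), and the page's "User DN ... not found" is exactly what happens when the attribute named in usernameField is not one the AD entries carry. The model below builds that filter with the RFC 4515 escaping the username needs, and evaluates it against a constructed in-memory directory whose entries have a sAMAccountName but no uid. The entries, the BASE_DN value reused from the log, and the single-equality filter grammar are assumptions of the example.

```python
"""
Models the user-DN lookup Jive Messenger's LdapManager runs before a login:
an LDAP search under baseDN for (usernameField=<username>), scope subtree.
Added example, not Jive code: the directory entries are constructed, and the
filter grammar is the single-equality subset of RFC 4515 the lookup needs.
"""
import re

# RFC 4515 escapes for the characters that would otherwise be filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally, never as syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value (what the server does before comparing)."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(username_field: str, username: str) -> str:
    """The equality filter the lookup sends, with the username escaped."""
    return f"({username_field}={escape_filter_value(username)})"


# Constructed entries in the shape AD exposes them: no 'uid' attribute at all,
# the logon name lives in sAMAccountName, and attribute names are
# case-insensitive (stored lower-cased here to model that).
BASE_DN = "OU=Micro Motion,DC=na,DC=emersonprocess,DC=com"
DIRECTORY = [
    {"dn": "CN=Adam Daughterson,OU=Micro Motion,DC=na,DC=emersonprocess,DC=com",
     "objectclass": "user", "samaccountname": "adaughterson", "mail": "adaughterson@example.com"},
    {"dn": "CN=Service Account,OU=Service Accounts,OU=Micro Motion,DC=na,DC=emersonprocess,DC=com",
     "objectclass": "user", "samaccountname": "svc-jive"},
    {"dn": "CN=Jane Doe,OU=Other Division,DC=na,DC=emersonprocess,DC=com",
     "objectclass": "user", "samaccountname": "jdoe"},
]


def _in_subtree(dn: str, base_dn: str) -> bool:
    """Subtree scope: the entry is the base itself or sits somewhere below it."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def find_user_dn(entries, base_dn: str, username_field: str, username: str):
    """Return the single DN matching (usernameField=username) under base_dn,
    or None, which is the case LdapManager reports as UserNotFoundException."""
    if not username:
        return None  # an empty value must not match entries lacking the attribute
    ldap_filter = build_user_filter(username_field, username)
    attr, _, raw_value = ldap_filter[1:-1].partition("=")
    wanted = unescape_filter_value(raw_value).lower()   # AD matches these case-insensitively
    matches = [e["dn"] for e in entries
               if _in_subtree(e["dn"], base_dn)
               and str(e.get(attr.lower(), "")).lower() == wanted]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    for field in ("uid", "username", "samAccount", "sAMAccountName"):
        print(f"{build_user_filter(field, 'adaughterson'):32} -> "
              f"{find_user_dn(DIRECTORY, BASE_DN, field, 'adaughterson')}")
    # A username containing filter syntax is escaped, so it cannot widen the search.
    print(build_user_filter("sAMAccountName", "*)(sAMAccountName=*"))
```

Two things the run shows that the thread only hints at: only the attribute's LDAP display name (sAMAccountName, in any letter case) matches, while "username", "samAccount" and the schema's CN "SAM-Account-Name" do not exist as attributes on the entry; and a subtree search only finds entries under baseDN, so a wrong OU in baseDN produces the same "not found" as a wrong usernameField. The escaping matters because usernameField values come straight from the login form: without it a username such as `*)(sAMAccountName=*` changes the filter's structure instead of being compared as a string.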

Hi Adam,

Everything looks ok to me, but it doesn't take much to have problems when connecting via LDAP. I would triple check your baseDN to make sure it's correct since, like you said, it appears Messenger isn't finding any users. When I was doing some LDAP testing I found Softerra's LDAP Browser to be very helpful.

Also, just to eliminate one possible source of trouble, you might want to try hardcoding your adminDN with a single username.

Thanks,

Ryan

Eureka!! (in a way…)

I finally found what I needed in regards to the DN and username bits of the jive-messenger.xml. I had been using ADSIEDIT.MSC to browse the sprawl of this corporation's AD and interestingly enough, on a WinXP box, certain portions of the Forest were not coming up. Once I got Softerra LDAP Browser to see the proper BaseDN, I could then see what the username, mail, BaseDN, and AdminDN bits should be and got a different error! Here it is:

2005.08.12 11:14:23 Trying to find a user's DN based on their username. sAMAccountName: adaughterson, Base DN: OU=Micro Motion,DC=na,DC=emersonprocess,DC=com…

2005.08.12 11:14:23 Creating a DirContext in LdapManager.getContext()…

2005.08.12 11:14:23 Created hashtable with context values, attempting to create context…

2005.08.12 11:14:23 Exception thrown when searching for userDN based on username 'adaughterson'

javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)

I don't know what it means, but it seems sufficiently obvious that it isn't having troubles finding the account now. Does this error mean anything specific to the app, or is there still a bit more digging that I need to do with the LDAP browser?

Adam

Hi Adam,

Good to see you're making progress. I did a quick search of the error you're still seeing and found this thread (http://www.jivesoftware.org/forums/thread.jspa?threadID=13916) which references the same issue. By the looks of it, the problem was the user hadn't supplied the right password, which I'm not sure is the problem in your case. I would guess that something still isn't quite right in your config file; what does it look like now?

Thanks,

Ryan

PS - Just to let you know how goofy the AD is here, I had to use the mailNickname as the usernameField to make things work.
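Added example, not code from the thread or from Jive Messenger, for the "error code 49 ... data 525" line quoted above. Active Directory appends a subcode after "AcceptSecurityContext error" that says why a bind was rejected; in Microsoft's documented table 525 is "user not found" (the DN that was used to bind does not exist), while a wrong password for an existing DN is 52e. The debug lines on this page also say which bind it was: the exception fires after "attempting to create context" and before any "context created successfully" line, i.e. while LdapManager binds with adminDN/adminPassword, so the DN AD could not find is the adminDN, not adaughterson. The script below decodes that line and applies that reading to a log excerpt. The first log is the one posted above; the second, in which the admin bind succeeds and a later bind fails with 52e, is constructed, and the assumption that the user's own bind happens after the DN search is the example's, not something the thread shows. As a caveat for anyone exposing such a login: because 525 and 52e differ, the raw AD message tells a caller whether an account exists, so it should be logged server-side and not returned to the client.

```python
"""
Reads the Jive Messenger debug lines around an LDAP bind failure and decodes
the Active Directory-specific 'data NNN' subcode that AD appends to LDAP
result 49 (invalidCredentials).  Added example, not Jive code.  The subcode
table is the one Microsoft documents for AcceptSecurityContext errors; the
first log is the one posted in this thread, the second is constructed.
"""
import re

AD_BIND_SUBCODES = {
    "525": "user not found: the DN used to bind does not exist",
    "52e": "invalid credentials: the DN exists but the password is wrong",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_AD_ERROR = re.compile(
    r"error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)


def decode_ad_bind_error(message: str):
    """Parse one AD bind-error line into its parts, or None if it is not one."""
    m = _AD_ERROR.search(message)
    if m is None:
        return None
    data = m.group("data").lower()
    return {
        "code": int(m.group("code")),
        "hresult": m.group("hresult"),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown subcode"),
    }


def analyse_bind_failure(log_lines):
    """Find the bind error in a log excerpt and say which bind produced it.

    The thread's debug lines show LdapManager binding as adminDN to build a
    DirContext ('... context created successfully'), then searching for the
    user's DN.  The user's own bind is assumed (not shown in the thread) to
    come after that search.  So an error code 49 logged before the 'context
    created successfully' line is the adminDN bind failing; one logged after
    it is the user's password being rejected.
    """
    context_created = False
    for line in log_lines:
        if "context created successfully" in line:
            context_created = True
        error = decode_ad_bind_error(line)
        if error is not None:
            return {"failed_bind": "user" if context_created else "adminDN", "error": error}
    return {"failed_bind": None, "error": None}


# The excerpt posted in the thread (quotes normalised).
THREAD_LOG = [
    "2005.08.12 11:14:23 Trying to find a user's DN based on their username. sAMAccountName: adaughterson, Base DN: OU=Micro Motion,DC=na,DC=emersonprocess,DC=com...",
    "2005.08.12 11:14:23 Creating a DirContext in LdapManager.getContext()...",
    "2005.08.12 11:14:23 Created hashtable with context values, attempting to create context...",
    "2005.08.12 11:14:23 Exception thrown when searching for userDN based on username 'adaughterson'",
    "javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece",
]

# Constructed: the admin bind works, the search runs, then a bind fails with 52e.
CONSTRUCTED_LOG = [
    "2005.08.12 11:20:01 Creating a DirContext in LdapManager.getContext()...",
    "2005.08.12 11:20:01 Created hashtable with context values, attempting to create context...",
    "2005.08.12 11:20:01 ... context created successfully, returning.",
    "2005.08.12 11:20:01 Starting LDAP search...",
    "2005.08.12 11:20:02 ... search finished",
    "2005.08.12 11:20:02 Creating a DirContext in LdapManager.getContext()...",
    "javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece",
]

if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("constructed", CONSTRUCTED_LOG)):
        result = analyse_bind_failure(log)
        print(f"{name}: {result['failed_bind']} bind failed, "
              f"data {result['error']['data']}: {result['error']['meaning']}")
```

Run against the thread's lines the verdict is "adminDN bind failed, data 525", which is the check to make before touching usernameField again: confirm the adminDN in jive-messenger.xml is the full distinguished name of an existing object (the LDAP browser will show it), since a DN that does not resolve is rejected by AD before any password is compared.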

Thanks Matt. I am now authenticating against the AD. Next, adding other connected users to a roster…