Multidomain LDAP Auth Problems

Hello,

I’m trying to set up Pidgin to authenticate off two domains:

1 - domain.name

2 - child.domain.name

I’ve configured my LDAP settings as follows:

Host: GlobalCatalog5.domain.name

Port: 389

BaseDN: DC=domain,DC=name

Admin DN: CN=openfire,OU=Service Accounts,OU=users,DC=domain,DC=name

I have the following set:

ldap.alternateBaseDN: DC=child,DC=domain,DC=name

ldap.connectionPoolEnabled: true

ldap.autoFollowAliasReferrals: true

ldap.autoFollowReferrals: true

If I disable autoFollowReferrals, I’m unable to log in with any users from the alternate Base DN. However, with autoFollowReferrals enabled I’m able to log in with users from both domains… BUT not consistently. I’ve noticed that the login can take anywhere from 3 seconds to something outrageous like 3 minutes. Additionally I’ve seen users get “not authorized” error messages and be unable to log in; when looking at the debug logs when a user gets “not authorized” I see:

2015.05.27 08:34:51 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. PLAIN authentication failed for: user1

Additional information

  • I’ve confirmed there are no firewalls in the way of port 389 for LDAP authentication
  • “domain.name” is the parent domain and “child.domain.name” is a child domain of “domain.name”
  • The admin user used in the LDAP configuration is an enterprise admin and has access to both domains.
  • I’ve increased my Roster cache to 10mb to contain all users.

Any ideas on why users would be unable to log in?

Try using port 3268, and for your base DN, use the root of your forest. That might work, but I haven’t tested it. I don’t think multi-domain is officially supported.

The forest root domain is “domain.name”, so that is my current base DN, with the alternate base DN property set to “child.domain.name”. Also, since this is passing authentication information, it should default to using a Global Catalog. Additionally, all the Domain Controllers in our domain are Global Catalogs, so 389 should work. I can try 3268 after hours, and probably next week, as I’ll have to wait for our Networking team to open some firewalls for me.

Bump. Anyone have any ideas on why this might work sometimes and fail other times? I could accept that it would not work at all, but the fact that it’s intermittently working for users of both domains when configured this way indicates that there might be some sort of timeout setting or cache that could be increased to allow users to authenticate reliably.

What does your LDAP search filter look like? Do all your users from both domains show up in the Openfire admin Users page?

All users do show up in the Users page in the Openfire admin console (although it does take a while to load when running in the multi-domain config).

My user mapping is set to sAMAccountName

User Filter is set to (objectClass=organizationalPerson)

I’m not currently using a Search Filter under the user mappings. If you’re referring to the base DN for the LDAP search, it’s set to (DC=domain,DC=name) and the alternateBaseDN is set to (DC=child,DC=domain,DC=name).

If all the users from both domains are listed, then you should be good for the most part. What happens if you remove alternateBaseDN but leave follow referrals enabled?

I tried that, but it ends up behaving the same way as with the alternate base DN. All users display in Users/Groups, but some users are unable to log in, and authentication takes several minutes.