
Newbie question AD user login problems

Hi,

I have just installed 3.3.3, it looks great. My setup is Linux (Ubuntu), sun150 JRE, Active Directory. During install, AD user and group lookups were successful, and I can look up users through the web app once it is running.

The assumption I'm making is that users can be 'automatically' registered in the process of a client 'creating an account on the server' (using Pidgin, a Linux chat client).

What I hope to achieve is that people have to 'register' with their user ID and password, and that any Openfire registration happens on first connection.

Under Registration & Login I believe I want to:

  • disable in-band registration to prevent ad-hoc user ID registrations

  • disable password changes, as this can't be done with the AD as it's read-only

  • disable anonymous login to stop unauthorized users having access

In my tests I managed to create my own user ID, as I cannot now create that user; however, I cannot log in with it either, getting a 401: Unauthorized error. If the account got created, shouldn't it have authenticated with AD already?

For reference, here is my config:

<?xml version="1.0" encoding="UTF-8"?>
<!--
    This file stores bootstrap properties needed by Openfire.
    Property names must be in the format: "prop.name.is.blah=value"
    That will be stored as:
        <prop>
            <name>
                <is>
                    <blah>value</blah>
                </is>
            </name>
        </prop>

    Most properties are stored in the Openfire database. A
    property viewer and editor is included in the admin console.
-->
<!-- root element, all properties must be under this element -->
<jive>
  <adminConsole>
    <!-- Disable either port by setting the value to -1 -->
    <port>9590</port>
    <securePort>9591</securePort>
  </adminConsole>

  <admin>
    <!-- Use this section to define users that will have admin privileges. Below,
         you will find two ways to specify which users are admins. Admins will
         have access to the admin console (only local users) and may also have access
         to other functionality like ad-hoc commands. -->
    <!-- By default, only the user with the username "admin" can log in
         to the admin console. Alternatively, you can specify a comma-delimited
         list of usernames that should be authorized to log in to the admin console
         by setting the <authorizedUsernames> field below. -->
    <!-- <authorizedUsernames></authorizedUsernames> -->
    <!-- Comma-delimited list of bare JIDs. The JIDs may belong to local
         or remote users. -->
    <!-- <authorizedJIDs></authorizedJIDs> -->
    <authorizedUsernames>anadmin</authorizedUsernames>
  </admin>

  <locale>en</locale>

  <!-- Network settings. By default, Openfire will bind to all network interfaces.
       Alternatively, you can specify a specific network interface that the server
       will listen on. For example, 127.0.0.1. This setting is generally only useful
       on multi-homed servers. -->
  <!--
  <network>
    <interface></interface>
  </network>
  -->

  <connectionProvider>
    <className>org.jivesoftware.database.DefaultConnectionProvider</className>
  </connectionProvider>

  <database>
    <defaultProvider>
      <driver>com.ibm.db2.jcc.DB2Driver</driver>
      <serverURL>jdbc:db2://localhost:50000/OPENFIRE</serverURL>
      <username>openfire</username>
      <password>xxx</password>
      <minConnections>5</minConnections>
      <maxConnections>15</maxConnections>
      <connectionTimeout>1.0</connectionTimeout>
    </defaultProvider>
  </database>

  <ldap>
    <host>aserver</host>
    <port>389</port>
    <baseDN>xxx</baseDN>
    <adminDN>yyy</adminDN>
    <adminPassword>zzz</adminPassword>
    <connectionPoolEnabled>true</connectionPoolEnabled>
    <sslEnabled>false</sslEnabled>
    <ldapDebugEnabled>true</ldapDebugEnabled>
    <autoFollowReferrals>true</autoFollowReferrals>
    <usernameField>sAMAccountName</usernameField>
    <!-- The presence tests (sn=*), (givenName=*), (company=*) and (displayName=*)
         are assumed here: the forum rendering shows them with the asterisk missing,
         and "(sn=)" would match nothing in AD. -->
    <searchFilter>(&amp;(objectclass=user)(objectclass=person)(objectclass=organizationalPerson)(sn=*)(givenName=*)(company=*)(!(objectclass=computer))(displayName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))</searchFilter>
    <vcard-mapping><![CDATA[
      <vCard xmlns="vcard-temp">
        <N>
          <GIVEN></GIVEN>
        </N>
        <EMAIL>
          <INTERNET/>
          <USERID></USERID>
        </EMAIL>
        <FN>, </FN> <NICKNAME></NICKNAME>
        <ADR>
          <HOME/>
        </ADR>
        <ADR>
          <WORK/>
          <STREET></STREET>
          <LOCALITY></LOCALITY>
          <REGION></REGION>
          <PCODE></PCODE>
          <CTRY></CTRY>
        </ADR>
        <TEL>
          <WORK/>
          <VOICE/>
          <NUMBER> / x</NUMBER>
        </TEL>
        <TITLE></TITLE>
        <ORG>
          <ORGUNIT></ORGUNIT>
        </ORG>
      </vCard>]]></vcard-mapping>
    <nameField>displayName</nameField>
    <emailField>mail</emailField>
    <groupNameField>cn</groupNameField>
    <groupMemberField>member</groupMemberField>
    <groupDescriptionField>description</groupDescriptionField>
    <posixMode>false</posixMode>
    <groupSearchFilter>(objectclass=group)</groupSearchFilter>
  </ldap>

  <provider>
    <vcard>
      <className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className>
    </vcard>
    <user>
      <className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>
    </user>
    <auth>
      <className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
    </auth>
    <group>
      <className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>
    </group>
  </provider>

  <setup>true</setup>

  <log>
    <debug>
      <enabled>true</enabled>
    </debug>
  </log>
</jive>

I'm sure I'm missing something simple, any guidance appreciated!

thanks,

Andy

In the logs, I'm seeing:

2007.10.29 12:04:12 ... search finished
2007.10.29 12:04:12 In LdapManager.checkAuthentication(userDN, password), userDN is: CN="...",OU="Users",OU="..."
2007.10.29 12:04:12 Created context values, attempting to create context...
2007.10.29 12:04:13 Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)

Yet, I'm convinced the password is right. Gah, must start a debugger!
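As an added worked example (not part of Andy's post, and not Openfire's own code), here is a small Python helper for the two things a defender would check first in this situation: decoding the Active Directory sub-code that accompanies an LDAP `error code 49` bind failure like the one in the log above, and sanity-checking an Openfire `searchFilter` string for the damage a pasted config can carry (unbalanced parentheses, an attribute with an empty value such as `(sn=)` where a presence test `(sn=*)` was meant, whitespace inside the filter). The sub-code table is Microsoft's documented set for AcceptSecurityContext failures; the function and class names are mine, and the sample inputs are the log line quoted above plus constructed filter strings.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Sub-codes Active Directory appends as "data NNN" to an LDAP result 49
# (invalidCredentials) during a simple bind. Values are hexadecimal and are
# documented by Microsoft for AcceptSecurityContext failures.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (the DN was found, but the password was rejected)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the diagnostic string JNDI surfaces from AD; named groups let the
# caller report each part separately.
_AD_ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]+): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)

# Bind failure quoted from the log in the post above.
SAMPLE_LOG_LINE = (
    "javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece"
)


@dataclass
class AdBindError:
    code: int      # LDAP result code (49 = invalidCredentials)
    subcode: str   # AD "data" value, lower-case hex
    comment: str   # AD comment, e.g. "AcceptSecurityContext error"
    meaning: str   # human-readable reading of the sub-code


def parse_ad_bind_error(message: str) -> Optional[AdBindError]:
    """Extract the AD sub-code from a JNDI/LDAP bind error; None if the text is not an AD error."""
    m = _AD_ERR_RE.search(message)
    if m is None:
        return None
    data = m.group("data").lower()
    return AdBindError(
        code=int(m.group("code")),
        subcode=data,
        comment=m.group("comment").strip(),
        meaning=AD_BIND_SUBCODES.get(data, "unknown AD sub-code"),
    )


def check_ldap_filter(filt: str) -> list[str]:
    """Return the problems found in an RFC 4515 style filter string (empty list if none)."""
    problems: list[str] = []
    depth = 0
    for i, ch in enumerate(filt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append(f"unmatched ')' at offset {i}")
                depth = 0
    if depth > 0:
        problems.append(f"{depth} unclosed '('")
    # "(attr=)" is an equality match against the empty string, which matches
    # nothing in AD; a presence test needs "(attr=*)".
    for m in re.finditer(r"\(([A-Za-z0-9.;:-]+)=\)", filt):
        problems.append(f"empty value for '{m.group(1)}' (presence test is '({m.group(1)}=*)')")
    # Whitespace never belongs in a bare filter; it usually means a line wrap
    # landed inside an attribute name or value when the config was pasted.
    if re.search(r"\s", filt):
        problems.append("whitespace inside the filter (attribute or value split?)")
    return problems


if __name__ == "__main__":
    err = parse_ad_bind_error(SAMPLE_LOG_LINE)
    print(f"result {err.code}, data {err.subcode}: {err.meaning}")
    for f in ("(&(objectclass=user)(sn=*))",
              "(&(objectclass=user)(sn=)(objectclass=or ganizationalPerson))"):
        print(f, "->", check_ldap_filter(f) or "ok")
```

The sub-code is the useful part of that stack trace: `52e` means the DN lookup succeeded and the password itself was rejected, so the search base, search filter and `usernameField` are fine and only the credential is in question; `525` would instead point at the DN lookup, and `533`, `775` or `532` would point at account state rather than at the password.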

Imagine my surprise, when debugging the LDAP login in Eclipse, at finding the password was wrong.

Also, having an old Jabber install blocking the ports didn't help :confused: