Openfire 3.7.1 - LDAP Authentication failed

Hi,

We are trying to establish an Openfire server for intra-company IM communication. In our test environment, we installed Openfire 3.7.1 with LDAP authentication. Some users using the Spark client can connect successfully, but others cannot log in and get the error message “Invalid username or password”.

The AD is based on Windows 2008 R2 domain and the password policy forces the users to have complex passwords using various symbols.

The openfire info log returns the error "org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. PLAIN authentication failed for: ".

Is this a bug of openfire server? Is there a solution of this problem? By the way, it seems a very good and promising IM server.

Thank you

Nick

What's your base DN look like, and what kind of filters are you using?

My DN is like OU=,DC=<1st part of domain>,DC=gr

All the users are in an OU under the root node.

The installation has the default filtering parameters.

Thanks

When I enable the debug mode for LDAP, during the login process, it returns the following exception:

2012.06.20 12:13:13 org.jivesoftware.openfire.ldap.LdapManager - LdapManager: Created context values, attempting to create context…
2012.06.20 12:13:14 org.jivesoftware.openfire.ldap.LdapManager - LdapManager: Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
at org.jivesoftware.util.JiveInitialLdapContext.<init>(JiveInitialLdapContext.java:43)
at org.jivesoftware.openfire.ldap.LdapManager.checkAuthentication(LdapManager.java:653)
at org.jivesoftware.openfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:126)
at org.jivesoftware.openfire.auth.AuthFactory.authenticate(AuthFactory.java:176)
at org.jivesoftware.openfire.net.XMPPCallbackHandler.handle(XMPPCallbackHandler.java:102)
at org.jivesoftware.openfire.sasl.SaslServerPlainImpl.evaluateResponse(SaslServerPlainImpl.java:120)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:274)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:179)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:169)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.common.IoFilterAdapter.messageReceived(IoFilterAdapter.java:80)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:185)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.lang.Thread.run(Unknown Source)

N.

Ok, I solved the problem!

As you can see in the above exception, the error message returns the id 531. This LDAP error means “not permitted to logon at this workstation”.

Our security policy defines exactly which user can connect from specific workstations. So we had to configure our policy to allow users to log on to the domain controller that is configured in the LDAP configuration of Openfire.

I hope this will help other openfire users.

N.
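The triage step Nick describes (reading the AD sub-code out of the "error code 49" message, where 531 is a workstation logon restriction rather than a bad password) can be automated over the Openfire LDAP debug log. The following is an added example, not code from Openfire or from the thread; it parses the exception text shown above and maps the AD sub-code to a reason. The 531 meaning comes from the thread; the other entries in the mapping are the standard AD sub-codes returned with LDAP result 49 and are included so the same triage separates bad passwords, lockouts and policy restrictions. The sample log below is constructed.

```python
import re

# Matches the JNDI AuthenticationException text Openfire logs on an AD bind failure, e.g.
# "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
#   AcceptSecurityContext error, data 531, v1db1]"
_AD_BIND_ERROR = re.compile(
    r"error code (?P<code>\d+)\s*-\s*(?P<hresult>[0-9A-Fa-f]+):\s*LdapErr:.*?"
    r"AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+)",
    re.IGNORECASE,
)

# AD sub-codes returned with LDAP result 49 (invalidCredentials). 531 is the
# case from the thread; the rest are the standard AD set.
AD_DATA_REASONS = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to logon at this time (logon hours)",
    "531": "not permitted to logon at this workstation (Log On To restriction)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def classify_bind_failure(line):
    """Return (ldap_result_code, ad_sub_code, reason) for an Openfire LDAP log
    line, or None when the line is not an AD bind-failure message."""
    m = _AD_BIND_ERROR.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    reason = AD_DATA_REASONS.get(data, "unrecognised AD sub-code %s" % data)
    return int(m.group("code")), data, reason


def triage(log_text):
    """Count bind failures per reason over a block of log text, so an admin can
    tell at a glance whether failures are bad passwords or policy restrictions."""
    counts = {}
    for line in log_text.splitlines():
        hit = classify_bind_failure(line)
        if hit is not None:
            counts[hit[2]] = counts.get(hit[2], 0) + 1
    return counts


# Constructed sample: the line from the thread plus a bad-password failure and noise.
SAMPLE_LOG = """2012.06.20 12:13:14 org.jivesoftware.openfire.ldap.LdapManager - LdapManager: Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1]
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
"""
```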

Hi,

I’m looking into the scalability of Openfire. I wonder if it can have more than 500,000 connections at the same time, and whether pubsub delivery is under 1 second?

I’ve found that Pidgin is buggy; we’ve stopped using it for the issue you are experiencing. Use Spark and you shouldn’t have any trouble.

http://www.igniterealtime.org/projects/spark/

It doesn’t work if the user has the User-Workstation attribute enabled in their AD settings on the Account -> “Log On To…” tab.