Good afternoon,
Our Openfire server has been plugging along swimmingly for months now. Yesterday afternoon, it started telling everyone “invalid username or password”, and no one has been able to log in since.
Of course, I was unable to log into the admin console, so I got in using a onetimetoken. As far as I can tell, everything is fine. Our SSL certificate is up to date, we’re on the lastest version of Openfire, and the logs are reporting that people are failing authenticating, but I can’t find any error messages anywhere that tell me why people can’t authenticate.
Looking on the auth logs on our domain controller, I don’t see my Openfire user even trying to authenticate against Active Directory, or that the Openfire server is trying to connect at all.
I can telnet to port 389 on the domain controller from the Openfire server, and it connects just fine. Also my Base DN and Administrative DN are correct, and I’ve verified that the Active Directory account that Openfire uses is not locked.
Here is a sanitized snippet from the debug log, of what it looks like every time someone tries to log in:
2019.07.17 15:30:04 org.jivesoftware.openfire.ldap.LdapManager - LdapManager: Trying to find a user's DN based on their username. sAMAccountName: <someuser>, Base DN: DC=<domainname>,DC=<suffix>...
2019.07.17 15:30:04 org.jivesoftware.openfire.ldap.LdapManager - LdapManager: Creating a DirContext in LdapManager.getContext()...
2019.07.17 15:30:04 org.jivesoftware.openfire.ldap.LdapManager - LdapManager: connection pooling was requested but has been disabled because of StartTLS.
2019.07.17 15:30:04 org.jivesoftware.openfire.ldap.LdapManager - LdapManager: Created hashtable with context values, attempting to create context...
2019.07.17 15:30:04 org.jivesoftware.openfire.ldap.LdapManager - LdapManager: ... StartTlsRequest
2019.07.17 15:30:04 org.jivesoftware.openfire.ldap.LdapManager - LdapManager: Exception thrown when searching for userDN based on username '<someuser>'
javax.naming.ServiceUnavailableException: [LDAP: error code 52 - 00000000: LdapErr: DSID-0C091293, comment: Error initializing SSL/TLS, data 0, v3839]
There is a bit there about SSL/TLS failing, but I can’t find any more details about that.
This is on a Linux server running Debian Stretch, fully up to date.
I’ve been messing with this since about 8:30 this morning, and I’ve got nowhere with it.
Any ideas what to try next?