Openfire on Linux with AD LDAP auth

Hello all!

I have a Linux server with an Openfire 3.6.3 installation, using LDAP AD user authorization.

All users are mapped to their workstations (permitted to log on to the workstation).

I can't log on to Openfire with the Spark client without adding the LDAP host to the user's profile.

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece

HEX: 0x531 - not permitted to logon from this workstation
DEC: 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: ]
NOTE: Returns only when presented with valid username and password/credential.

How can I allow these users to log in to Openfire without adding the Domain Controller to their Log On To profiles?
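The error quoted above carries the useful part in the "data 531" field: AD appends a sub-code to LDAP result 49 that tells you why the bind was refused, and 531 is one of the codes that is only returned after the username and password were accepted, so it signals an account policy problem rather than a bad password. The following decoder is an added example, not code from the thread or from Openfire; it runs over a constructed log excerpt modelled on the exception text in the post, and the sub-code table beyond 531 comes from Microsoft's documented AcceptSecurityContext sub-codes.

```python
import re
from collections import Counter

# Constructed sample Openfire log excerpt (not taken from the original thread);
# the exception text is modelled on the one quoted in the post.
SAMPLE_LOG = """\
2009-03-10 10:15:02 [WARN] Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece]
2009-03-10 10:16:40 [WARN] Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, v1772]
2009-03-10 10:17:05 [INFO] Successful bind for jdoe
"""

# Sub-codes AD returns in the "data NNN" field of an LDAP result 49.
# 531 is the one discussed in the thread; the others are the remaining
# AcceptSecurityContext sub-codes documented by Microsoft. Only 525 and 52e
# mean the supplied credentials were wrong; every other code is returned
# after the credentials were accepted and an account policy rejected the logon.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time (logon hours)",
    "531": "not permitted to logon from this workstation (userWorkstations)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
CREDENTIAL_FAILURES = {"525", "52e"}

_BIND_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]{8}).*?"
    r"AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+)"
)


def decode_bind_error(line):
    """Return a dict describing an AD bind failure found in `line`, or None."""
    m = _BIND_ERR.search(line)
    if m is None or m.group("code") != "49":
        return None
    data = m.group("data").lower()
    return {
        "hresult": m.group("hresult"),
        "data_hex": data,
        "data_dec": int(data, 16),  # the sub-code is hex: 0x531 == 1329
        "meaning": AD_DATA_CODES.get(data, "unknown sub-code"),
        # None when the sub-code is not in the table above
        "credentials_valid": (data not in CREDENTIAL_FAILURES) if data in AD_DATA_CODES else None,
    }


def summarize_bind_errors(log_text):
    """Count result-49 sub-codes across a log so policy rejections stand out from bad passwords."""
    counts = Counter()
    for line in log_text.splitlines():
        info = decode_bind_error(line)
        if info is not None:
            counts[info["data_hex"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        info = decode_bind_error(line)
        if info:
            print(f"data {info['data_hex']} (dec {info['data_dec']}): {info['meaning']}; "
                  f"credentials_valid={info['credentials_valid']}")
    print(summarize_bind_errors(SAMPLE_LOG))
```

Splitting the counts this way matters operationally: a burst of 52e on the Openfire host looks like password guessing, while a burst of 531 after a change to users' Log On To lists is the misconfiguration this thread is about, and the two call for different responses.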

You are restricting authentication on your AD setup to certain machines for certain users. If you do this, LDAP authentication won’t work without the users being allowed to authenticate from the LDAP server(s), and possibly the chat server.

Hello

And how can I configure it to authenticate users without allowing users to log in to the Domain Controller?

With AD, if you are restricting authentication, Openfire cannot authenticate, because the source will be a machine the users do not have rights to.

Hello.

BUT I've got the following error

Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece

HEX: 0x531 - not permitted to logon from this workstation
DEC: 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: ]
NOTE: Returns only when presented with valid username and password/credential.

As far as I know, the “Log On To” option in AD applies only to interactive logon to a workstation.

If the Log On To configurations are used, Openfire cannot authenticate users unless they are given log on rights to the servers. This may be a bug in Openfire or it may be a bug in the way AD handles LDAP authentication. I do know it is related to the Log On To settings in AD though. Take those away and authentication works fine. Unless your servers are physically exposed for logon at the server directly, this setting is redundant security. Domain users cannot RDP to a server unless it is a terminal services server. You can go further and disable RDP via a profile setting. Local workstations are protected because AD user account profiles are only accessible by domain admins and the user account that created it.
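Before either removing the Log On To restriction or adding servers to it, an administrator would want to know which accounts are actually affected. The Log On To list is stored in the userWorkstations attribute as a comma-separated list of computer names, and an empty attribute means no restriction. The script below is an added example, not code from the thread or from Openfire: it takes a constructed CSV export of sAMAccountName and userWorkstations (such as one produced from an LDAP query) and reports, per restricted account, which of the hosts you consider necessary for the bind are missing from its list. Which hosts those are is exactly what the thread debates (the domain controllers, and possibly the Openfire host), so they are passed in as a parameter rather than assumed.

```python
import csv
import io

# Constructed sample export of sAMAccountName and userWorkstations
# (not data from the original thread). An empty userWorkstations value
# means AD imposes no "Log On To" restriction for that account.
SAMPLE_EXPORT = """\
sAMAccountName,userWorkstations
jdoe,WS-JDOE
asmith,"WS-ASMITH,WS-LAB01,DC01"
bjones,
clee,"WS-CLEE,OPENFIRE,DC01"
"""


def netbios_name(host):
    """Reduce a host name or FQDN to the upper-cased computer name that AD compares against."""
    return host.split(".", 1)[0].strip().upper()


def parse_user_workstations(value):
    """userWorkstations is a comma-separated list of computer names; empty means unrestricted."""
    if value is None or not value.strip():
        return None
    return {netbios_name(h) for h in value.split(",") if h.strip()}


def logon_permitted(user_workstations, host):
    """True if the account may log on from `host` under its Log On To list."""
    allowed = parse_user_workstations(user_workstations)
    return allowed is None or netbios_name(host) in allowed


def missing_hosts(user_workstations, required_hosts):
    """Which of `required_hosts` the account is NOT permitted to log on from."""
    allowed = parse_user_workstations(user_workstations)
    if allowed is None:
        return []
    return [h for h in required_hosts if netbios_name(h) not in allowed]


def users_blocked_from(export_csv, required_hosts):
    """Map each restricted account to the required hosts absent from its Log On To list."""
    blocked = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        missing = missing_hosts(row["userWorkstations"], required_hosts)
        if missing:
            blocked[row["sAMAccountName"]] = missing
    return blocked


if __name__ == "__main__":
    # Hypothetical host names for the domain controller and the Openfire server.
    needed = ["dc01.example.local", "openfire.example.local"]
    for user, missing in users_blocked_from(SAMPLE_EXPORT, needed).items():
        print(f"{user}: would get data 531 binding via {', '.join(missing)}")
```

Running it against the sample export shows that jdoe is missing both hosts, asmith is missing only the Openfire host, bjones is unrestricted, and clee already lists both. Hosts are compared by their first label, upper-cased, because AD stores computer names in that form regardless of how an administrator typed them.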