
Openfire Vs AD

Hi,

I'm trying out Openfire + Spark.

Openfire (v3.6.4) is running on a Windows 2003 Server integrated with AD. It all went well: all users from my staff were able to log in, send files, create conference groups etc., but when we decided to release it to other people from my work… I got a "User name or Password" error.

After spending a day trying to figure out what the problem was, I found it. Users who have no login restrictions* (my staff) are able to log in at Spark; people who have login restrictions* cannot.

I can't give access to all users here for security reasons, so how can I fix this problem?

Thanks

I’m running with login restrictions without any issue. It may be something else. You may want to check your time zones maybe.

What is the specific error?

@Speedy, the time zone is OK, it's the same as the server.

@Todd Getz, Invalid username or password

I get it when I try to log on in Spark.

We decided to install Openfire on the AD server machine; I did the same configuration as before and I'm still getting the same problem:

Invalid username or password

If I set the user to log on where Openfire is installed (the AD server) he can connect without any problem.

Looking at the server log I noticed an error, but it's about the Search plugin, which I solved for the moment by disabling the plugin (log below).

2009.12.09 10:04:23 [org.jivesoftware.openfire.container.PluginManager.loadPlugin(PluginManager.java:507)] Error loading plugin: G:\Arquivos de programas\Openfire\plugins\search
java.lang.NullPointerException: No ComponentManager implementation available.
    at org.xmpp.component.ComponentManagerFactory.getComponentManager(ComponentManagerFactory.java:53)
    at org.jivesoftware.openfire.plugin.SearchPlugin.initializePlugin(SearchPlugin.java:137)
    at org.jivesoftware.openfire.container.PluginManager.loadPlugin(PluginManager.java:448)
    at org.jivesoftware.openfire.container.PluginManager.access$300(PluginManager.java:47)
    at org.jivesoftware.openfire.container.PluginManager$PluginMonitor.run(PluginManager.java:1032)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
    at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

PS: I'm using the default configuration with the internal Openfire DB.


  • Did you give your Openfire server a FQDN at install (e.g. chatserver.domain.com)?
  • Is that name set in your DNS server?
  • Is the firewall configured to allow the server to be accessed?
  • Does it have a dedicated NIC (could there be a port conflict issue, doubt it)?

Did you give your Openfire server a FQDN at install (e.g. chatserver.domain.com)?

Yes, I set the full FQDN at install and every time I reconfigure it.

Is that name set in your DNS server?

Is the firewall configured to allow the server to be accessed?

Sure, as I said it's now installed on the AD server.

Does it have a dedicated NIC (could there be a port conflict issue, doubt it)

It's not a connection problem as far as I can see, since the file server and the AD server are on the same machine, as is Openfire now, and everybody has access to the server.

I can log in at Spark from anywhere, but only with users who can log in locally on the AD server (only people from my staff).

I checked the time zone at Server Manager > System Properties and the time zone is set to locale.timeZone America/Halifax, but at Server Manager > Language and Time the time zone is Current Settings: English / (GMT-4:00) Atlantic Time (Canada), which is the correct time we use at the server and on every computer here. Is that correct?

Excuse my ignorance, but just because it is installed on the AD server does not mean it automatically has the FQDN you gave the chat server in DNS. Unless you gave the Openfire server the same FQDN as the AD server, you would have to manually add it as an A record to your DNS server.

Additionally, the authentication issues could be caused by the settings used for the Base DN and the User and Group Filters.

Here is how AD and Openfire are set up:

AD Server

FQDN: xxx.YYY
Domain: YYY
  |-- OU: ZZZ
       |-- sub-OU: aaa
       |-- sub-OU: bbb
       |-- sub-OU: ccc
       |-- sub-OU: ddd

LDAP Settings

  1. Connection Settings

Host: xxx.YYY
Port: 389
Base DN: ou="ZZZ", dc="YYY"
Administrator DN: <my_user>@YYY

  2. User Mapping

Default settings + "Store avatar in database if not provided by LDAP"

  3. Group Mapping

Group Field: cn
Member Field: ZZZ
Description Field: description

Finally something I can answer! Okay, I had the same problem. The user must have the ability to log in to the machine that Openfire is installed on. So even if Openfire is installed on an AD controller, if you give your users the ability to log in to that machine it will work. That is just another reason IMHO not to install Openfire on an AD controller in the first place… but that goes not just for Openfire.

BTW, anyone know why I was unable to log in using my original username? I hadn't used it in quite some time, so I had to reset the password, but then after being able to reset it successfully I was told my account was disabled?? I guess because I hadn't logged in for a while? Sorry for the thread hijack!

pf2k1 (formerly pf2k)

Group mappings should be the default as well. If the users have the rights to access this file server then they can log in to Openfire, if your AD settings are correct. http://www.igniterealtime.org/community/docs/DOC-1554

@Todd Getz, the group mapping was default the first time I tried it on the previous server.

@pf2k1

So I decided to go back to the previous server (SRV2) I was using to install Openfire. I did a clean install and it's still the same situation. I chose a random user who cannot log in on Spark and set him to log on to the machine where Openfire is now installed (SRV2): still the error. So I set him to log on to the AD server (SRV1) and bingo… he can now log in on Spark! So… it doesn't matter where Openfire is or whether he can log in locally where it is installed… he needs to be able to log on to the AD server. I must have screwed up some config in the setup, I dunno… I'm sending the system properties. I really can't see what is wrong with it.

Installing Openfire on the AD server was just a shot in the dark; I thought it might be a communication problem between Openfire and AD.

YYY = Domain
ZZZ = OU
XXX = Server name where Openfire is installed
DDD = Server name where AD is

admin.authorizedJIDs @XXX,<user_1>@XXX
ldap.adminDN @YYY
ldap.adminPassword
ldap.autoFollowAliasReferrals true
ldap.autoFollowReferrals false
ldap.baseDN ou=ZZZ, dc=YYY
ldap.connectionPoolEnabled true
ldap.debugEnabled false
ldap.emailField mail
ldap.groupDescriptionField description
ldap.groupMemberField member
ldap.groupNameField cn
ldap.groupSearchFilter (objectClass=group)
ldap.host DDD.YYY
ldap.ldapDebugEnabled false
ldap.nameField cn
ldap.override.avatar true
ldap.port 389
ldap.posixMode false
ldap.searchFilter (objectClass=organizationalPerson)
ldap.sslEnabled false
ldap.usernameField sAMAccountName
ldap.vcard-mapping (vCard XML template; its markup was lost in extraction. The LDAP attribute placeholders it maps are {cn}, {mail}, {displayName}, {homePostalAddress}, {homeZip}, {co}, {streetAddress}, {l}, {st}, {postalCode}, {homePhone}, {mobile}, {telephoneNumber}, {facsimileTelephoneNumber}, {pager}, {title}, {department})
provider.auth.className org.jivesoftware.openfire.ldap.LdapAuthProvider
provider.group.className org.jivesoftware.openfire.ldap.LdapGroupProvider
provider.user.className org.jivesoftware.openfire.ldap.LdapUserProvider
provider.vcard.className org.jivesoftware.openfire.ldap.LdapVCardProvider
update.lastCheck 1260543854532
xmpp.auth.anonymous true
xmpp.domain XXX
xmpp.session.conflict-limit 0
xmpp.socket.ssl.active true
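The LDAP settings and system properties posted in this thread are what Openfire uses to locate a user under the Base DN and then bind as that user against the DC. The Python below is an added example, not code from the thread or from Openfire: it parses a property listing in the same "key value" form, normalizes the Base DN to the unquoted form the later listing shows, builds the user search filter Openfire effectively sends (assumed here to be the usernameField match ANDed with ldap.searchFilter) so the lookup can be reproduced with an LDAP client outside Openfire, and flags settings a defender should review before opening the server to all users. The sample properties are constructed with the thread's YYY/ZZZ/DDD placeholders.

```python
# Constructed sample in the "key value" form of the thread's listing (placeholders
# YYY/ZZZ/DDD as in the post; the quoted Base DN is the form shown in the earlier post).
PROPS_TEXT = """\
ldap.host DDD.YYY
ldap.port 389
ldap.sslEnabled false
ldap.baseDN ou="ZZZ", dc="YYY"
ldap.usernameField sAMAccountName
ldap.searchFilter (objectClass=organizationalPerson)
xmpp.auth.anonymous true
"""

def parse_props(text):
    """Split 'key value' lines into a dict; the value may itself contain spaces."""
    props = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(" ")
            props[key] = value.strip()
    return props

def normalize_dn(dn):
    """Strip quotes around RDN values and spaces after commas: ou=ZZZ,dc=YYY."""
    cleaned = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        cleaned.append(attr.strip() + "=" + value.strip().strip('"'))
    return ",".join(cleaned)

def escape_filter_value(value):
    """RFC 4515 escaping so a typed username cannot change the filter's structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def user_search_filter(props, username):
    """Filter Openfire effectively sends for a login (assumed: the usernameField
    match ANDed with ldap.searchFilter). Reusing it with an LDAP client separates
    'user not found under the Base DN' from 'bind rejected by the DC'."""
    match = "(" + props["ldap.usernameField"] + "=" + escape_filter_value(username) + ")"
    extra = props.get("ldap.searchFilter", "")
    return "(&" + match + extra + ")" if extra else match

def audit(props):
    """Findings a defender wants resolved before opening the server to all users."""
    findings = []
    if props.get("ldap.sslEnabled", "false") == "false":
        findings.append("cleartext-ldap")        # admin bind and every user password cross the wire unencrypted
    if '"' in props.get("ldap.baseDN", ""):
        findings.append("quoted-basedn")         # legacy quoted RDNs; compare with normalize_dn() output
    if props.get("xmpp.auth.anonymous") == "true":
        findings.append("anonymous-xmpp-login")  # anyone reaching port 5222 can open a session
    return findings
```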