OpenFire with AD 2003 Server not working

Hi everybody,

I had Openfire 3.3.2 running with a Windows 2000 Server Active Directory, which worked fine.

Now I have set up Openfire completely new with version 3.4.2 and with a new Active Directory on Windows Server 2003.

When setting up Openfire, it already complains while testing the LDAP settings that the credentials are not OK.

I have the following settings:

Server Type: Active Directory
Host: mydc.domain.local
Port: 389
Base DN: OU=usr,DC=domain,DC=local
Admin DN: CN=Administrator,OU=Users,DC=domain,DC=local

The password must be OK, because I am authenticating with these same credentials when managing the DC over RDP.

In the log file I get:

javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3005)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2753)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2667)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
    at org.jivesoftware.openfire.ldap.LdapManager.getContext(LdapManager.java:410)
    at org.jivesoftware.openfire.ldap.LdapManager.getContext(LdapManager.java:347)
    at org.jivesoftware.openfire.admin.setup.setup_002dldap_002dserver_005ftest_jsp._jspService(setup_002dldap_002dserver_005ftest_jsp.java:67)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
    at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:39)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
    at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:65)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
    at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:41)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
    at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:69)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
    at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:712)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:211)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
    at org.mortbay.jetty.Server.handle(Server.java:313)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:506)
    at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:830)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:514)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:381)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)

When enabling debugging I also get:

Created new LdapManager() instance, fields:
host: http://mydc.domain.local
port: 389
usernamefield: uid
usernameSuffix:
baseDN: OU=usr,DC=projektron,DC=local
alternateBaseDN: null
nameField: cn
emailField: mail
adminDN: CN=Administrator,OU=Users,DC=projektron,DC=local
adminPassword: ********
searchFilter: null
subTreeSearch:true
ldapDebugEnabled: true
sslEnabled: false
initialContextFactory: com.sun.jndi.ldap.LdapCtxFactory
connectionPoolEnabled: false
autoFollowReferrals: false
groupNameField: cn
groupMemberField: member
groupDescriptionField: description
posixMode: false
groupSearchFilter: null

-> mydc.domain.local:389
0000: 30 45 02 01 01 60 40 02 01 03 04 30 43 4E 3D 41 0E…`@…0CN=A
0010: 64 6D 69 6E 69 73 74 72 61 74 6F 72 2C 4F 55 3D dministrator,OU=
0020: 55 73 65 72 73 2C 44 43 3D 70 72 6F 6A 65 6B 74 Users,DC=dom
0030: 72 6F 6E 2C 44 43 3D 6C 6F 63 61 6C 80 09 34 30 ain,DC=local…**
0040: 45 72 6B 72 61 74 68 ******

<- mydc.domain.local:389
0000: 30 84 00 00 00 67 02 01 01 61 84 00 00 00 5E 0A 0…g…a…^.
0010: 01 31 04 00 04 57 38 30 30 39 30 33 30 38 3A 20 .1…W80090308:
0020: 4C 64 61 70 45 72 72 3A 20 44 53 49 44 2D 30 43 LdapErr: DSID-0C
0030: 30 39 30 33 33 34 2C 20 63 6F 6D 6D 65 6E 74 3A 090334, comment:
0040: 20 41 63 63 65 70 74 53 65 63 75 72 69 74 79 43 AcceptSecurityC
0050: 6F 6E 74 65 78 74 20 65 72 72 6F 72 2C 20 64 61 ontext error, da
0060: 74 61 20 35 32 35 2C 20 76 65 63 65 00 ta 525, vece.

Does anybody have any idea what this could be?

Do I have to activate anything in Active Directory?

Thanks a lot,

Matthias
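Active Directory appends a Win32 sub-code after "data" in the diagnostic text of an LDAP result 49 bind failure, and that sub-code (here 525) is more informative than the generic "invalid credentials". The following is an added example, not code from the thread or from Openfire, that decodes that sub-code from a JNDI AuthenticationException message and gives a first-line triage hint; the sub-code table is Microsoft's documented list, and the OU=Users heuristic in triage() is an assumption of this example.

```python
import re

# AD sub-codes reported after "data" in the diagnostic text of an LDAP
# result 49 (invalidCredentials) bind failure (Microsoft-documented values).
AD_BIND_SUBCODES = {
    "525": "user not found: the bind DN (or sAMAccountName) does not exist",
    "52e": "invalid credentials: the DN exists but the password is wrong",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password at next logon",
    "775": "account locked out",
}

_PATTERN = re.compile(
    r"error code (?P<code>\d+)"
    r"(?:.*?AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+))?",
    re.DOTALL)

def decode_bind_error(message):
    """Return (result_code, ad_subcode, explanation), or None if no LDAP error."""
    m = _PATTERN.search(message)
    if not m:
        return None
    code, data = int(m.group("code")), m.group("data")
    if code != 49 or data is None:  # only result 49 carries an AD sub-code
        return code, None, None
    data = data.lower()
    return code, data, AD_BIND_SUBCODES.get(data, "unknown AD sub-code")

def triage(message, bind_dn):
    """Heuristic hints for a failed simple bind; returns a list of strings."""
    decoded = decode_bind_error(message)
    if decoded is None:
        return ["no LDAP result code found in message"]
    code, sub, why = decoded
    hints = [f"result code {code}" + (f", data {sub}: {why}" if sub else "")]
    if sub == "525" and re.search(r"OU=Users,", bind_dn, re.IGNORECASE):
        # Heuristic (assumption of this example): in a default domain the
        # built-in Users container is CN=Users, not an OU, so such a DN is not found.
        hints.append("bind DN uses OU=Users; the default AD container is CN=Users")
    return hints

# Constructed sample: the message quoted above, trailing NUL byte included.
SAMPLE = (
    "javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece\x00")
```

Run triage(SAMPLE, "CN=Administrator,OU=Users,DC=domain,DC=local") to see both the decoded sub-code and the container hint; a 52e with the same DN would instead point at the password.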

I am guessing it's due to the fact that your Admin account is not in the same path/tree as your Base DN. Have you tried setting up an administrative profile that is in the Base DN?

Hi,

thanks for that hint, but unfortunately I already tried the same with the base DN dc=domain,dc=local.

Matthias

I had a similar problem with AD LDAP integration. Turned out my problem was with the Domain Controller GPO, but if it’s not a DC, just look at your local security policy. It was set to require LDAP communications to be signed. The key can be found under Security Settings > Local Policies > Security Options. The key is “Domain controller: LDAP server signing requirements”. Set it to None or don’t enforce it at all. That did the trick for me. It’s working great now.

Good luck.

Hi Peter,

thanks, that sounded good to me at first, but unfortunately it didn't help at all.

In the DC GPO this setting was not enforced. Then I changed it to “None” and ran a gpupdate, with no success at all. :frowning:

Matthias