powered by Jive Software

OpenFire with AD 2003 Server not working

Hi everybody,

I had openfire 3.3.2 running with an Windows 2000 Server ActiveDirectory which worked fine.

Now I set up Openfire completely new with version 3.4.2 and with a new ActiveDirectory on Windows Server 2003.

When setting up Openfire it already complains when testing the LDAP settings, that the credentials are not ok.

I have the following settings:

Server Type: Active Directory

Host: mydc.domain.local

Port: 389

Base DN: OU=usr,DC=domain,DC=local

Admin DN: CN=Administrator,OU=Users,DC=domain,DC=local

The password must be ok, because I am authenticating with these credentials when managing the DC with RDP.

In the logfile I get:

javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3005)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2753)

at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2667)

at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)

at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)

at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)

at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)

at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)

at javax.naming.InitialContext.init(InitialContext.java:223)

at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)

at org.jivesoftware.openfire.ldap.LdapManager.getContext(LdapManager.java:410)

at org.jivesoftware.openfire.ldap.LdapManager.getContext(LdapManager.java:347)

at org.jivesoftware.openfire.admin.setup.setup_002dldap_002dserver_005ftest_jsp._j spService(setup_002dldap_002dserver_005ftest_jsp.java:67)

at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)

at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1093)

at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:39)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1084)

at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:65)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1084)

at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingF ilter.java:41)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1084)

at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:69)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1084)

at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)

at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1084)

at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)

at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)

at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)

at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:712)

at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)

at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollect ion.java:211)

at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)

at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)

at org.mortbay.jetty.Server.handle(Server.java:313)

at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:506)

at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.j ava:830)

at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:514)

at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)

at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:381)

at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)

at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)

When enabling debugging I get also:

Created new LdapManager() instance, fields:

host: http://mydc.domain.local

port: 389

usernamefield: uid

usernameSuffix:

baseDN: OU=usr,DC=projektron,DC=local

alternateBaseDN: null

nameField: cn

emailField: mail

adminDN: CN=Administrator,OU=Users,DC=projektron,DC=local

adminPassword: ********

searchFilter: null

subTreeSearch:true

ldapDebugEnabled: true

sslEnabled: false

initialContextFactory: com.sun.jndi.ldap.LdapCtxFactory

connectionPoolEnabled: false

autoFollowReferrals: false

groupNameField: cn

groupMemberField: member

groupDescriptionField: description

posixMode: false

groupSearchFilter: null

-> mydc.domain.local:389

0000: 30 45 02 01 01 60 40 02 01 03 04 30 43 4E 3D 41 0E…`@…0CN=A

0010: 64 6D 69 6E 69 73 74 72 61 74 6F 72 2C 4F 55 3D dministrator,OU=

0020: 55 73 65 72 73 2C 44 43 3D 70 72 6F 6A 65 6B 74 Users,DC=dom

0030: 72 6F 6E 2C 44 43 3D 6C 6F 63 61 6C 80 09 34 30 ain,DC=local…**

0040: 45 72 6B 72 61 74 68 ******

<- mydc.domain.local:389

0000: 30 84 00 00 00 67 02 01 01 61 84 00 00 00 5E 0A 0…g…a…^.

0010: 01 31 04 00 04 57 38 30 30 39 30 33 30 38 3A 20 .1…W80090308:

0020: 4C 64 61 70 45 72 72 3A 20 44 53 49 44 2D 30 43 LdapErr: DSID-0C

0030: 30 39 30 33 33 34 2C 20 63 6F 6D 6D 65 6E 74 3A 090334, comment:

0040: 20 41 63 63 65 70 74 53 65 63 75 72 69 74 79 43 AcceptSecurityC

0050: 6F 6E 74 65 78 74 20 65 72 72 6F 72 2C 20 64 61 ontext error, da

0060: 74 61 20 35 32 35 2C 20 76 65 63 65 00 ta 525, vece.

Anybody any idea what this could be?

Do I have to activate anything with the ActiveDirectory?

Thanks a lot,

Matthias

I am guessing its due to the fact your Admin acount is not in the same path/tree as your Base DN. Have you tried setting up an administrative profile that is in the Base DN?

Hi,

thanks for that hint, but unfortunately I already tried the same with base DN dc=domain,dc=local

Matthias

I had a similar problem with AD LDAP integration. Turned out my problem was with the Domain Controller GPO, but if it’s not a DC just look at your local security policy. It was set to require LDAP communications ot be signed. The key can be found under Security Settings > Local Policies > Security Options. The key is “Domain controller: LDAP server signing requirements”. Set it to None or don’t enforce it at all. That did the trick for me. It’s working great now.

Good luck.

Hi Peter,

thanks, that sounded good for me, first…but unfortunately it didnt help at all.

In the DC GPO this setting was not enforced. Then I changed it to “None”, made a gpupdate…no success at all…:frowning:

Matthias