OpenLDAP 2

Hi, I'm having some trouble with getting LDAP set up for our Wildfire server.

I'm running Wildfire 3.2.1 with JDK 1.5, and our LDAP server is OpenLDAP v2 with no SSL.

Wildfire starts up and I get into the web setup, and I get as far as the first LDAP setup page. I enter our server, base DN, manager CN and password and click Test, and it returns successfully. If I specify the wrong manager or password it returns a fail, same with server or DN. So I am sure it actually connects.

Next page, User Mapping: I leave the defaults, our uid is uid. I click Test and I am displayed a user record with no data. I've clicked next record a hundred times and it finds no user data. If I change uid to an incorrect value it returns an error. So I know it's using it.

Next page is Groups, again defaults, except for "member", which I replace with memberUid. I click Test and I am shown a combination of user, machine and group accounts. I'm not sure if this is purposeful, but I expected to see a list of Unix groups, not uids with their group descriptions. So I wonder if it's mapping incorrect data to fields.

Anyway, so I move on to adding administrative users. If I select an LDAP account it returns success; if I select an entry with no LDAP account it returns a fail. So I guess it's checking against accounts.

However, upon trying to test authentication for any user in my admin list, it returns fail despite the password being correct.

If I continue anyway, I am unable to log in to the web interface or Jabber clients with LDAP usernames and passwords.

If anyone can shed some light on this for me I'd appreciate it.

Thanks,

wildfire.xml

*...dc=********,dc=cn=Manager,dc=,dc=

]]>

uid

mail

cn

memberUid

description

true

org.jivesoftware.wildfire.ldap.LdapVCardProvider

false

true

It seems to be related to the password checking, and I am 100% sure I am inputting the correct passwords.

I get this in debug when I try to connect with a Jabber client or the web interface:

2007.02.17 13:39:49 Trying to find a user's DN based on their username. uid: administrator, Base DN: dc=********,dc=****…
2007.02.17 13:39:49 Creating a DirContext in LdapManager.getContext()…
2007.02.17 13:39:49 Created hashtable with context values, attempting to create context…
2007.02.17 13:39:49 … context created successfully, returning.
2007.02.17 13:39:49 Starting LDAP search…
2007.02.17 13:39:49 … search finished
2007.02.17 13:39:49 In LdapManager.checkAuthentication(userDN, password), userDN is: uid="administrator",cn="Users",ou="People",sambaDomainName="********"…
2007.02.17 13:39:49 Created context values, attempting to create context…
2007.02.17 13:39:49 Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: LDAP: error code 49 - Invalid Credentials
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
    at com.sun.jndi.ldap.LdapCtx.(InitialDirContext.java:82)
    at org.jivesoftware.wildfire.ldap.LdapManager.checkAuthentication(LdapManager.java:456)
    at org.jivesoftware.wildfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:98)
    at org.jivesoftware.wildfire.auth.AuthFactory.authenticate(AuthFactory.java:149)
    at org.jivesoftware.wildfire.net.SASLAuthentication.doPlainAuthentication(SASLAuthentication.java:475)
    at org.jivesoftware.wildfire.net.SASLAuthentication.handle(SASLAuthentication.java:233)
    at org.jivesoftware.wildfire.net.StanzaHandler.process(StanzaHandler.java:135)
    at org.jivesoftware.wildfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:131)
    at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:703)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
    at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:62)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:192)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
    at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:250)
    at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:305)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
    at java.lang.Thread.run(Thread.java:595)

org.jivesoftware.wildfire.auth.UnauthorizedException: org.jivesoftware.wildfire.auth.UnauthorizedException: Username and password don't match
    at org.jivesoftware.wildfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:109)
    at org.jivesoftware.wildfire.auth.AuthFactory.authenticate(AuthFactory.java:149)
    at org.jivesoftware.wildfire.admin.login_jsp._jspService(login_jsp.java:135)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:491)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1074)
    at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:39)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:65)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:41)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:69)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:365)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:185)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:689)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:391)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:146)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
    at org.mortbay.jetty.Server.handle(Server.java:285)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:457)
    at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:765)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:627)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:209)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:357)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:329)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:475)
Caused by: org.jivesoftware.wildfire.auth.UnauthorizedException: Username and password don't match
    at org.jivesoftware.wildfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:99)

2007.02.17 17:16:52 org.jivesoftware.admin.LdapUserTester.getAttributes(LdapUserTester.java:173)
javax.naming.NameNotFoundException: LDAP: error code 32 - No Such Object; remaining name 'uid="*****",cn="Users",ou="People",sambaDomainName="BARDELCA"'

I found this in the error log while selecting Test inside the User Mapping stage of setup. I can see two things wrong: one, the extra quotes around the DN, and two, my domain is not fully listed inside the log. It's missing the base DN. It should read: 'uid="******",cn="Users",ou="People",sambaDomainName="************",dc=*****,dc='

If someone can tell me where to look for removing those quotes, I'm sure that will solve it.

Thanks

I've completely rebuilt the server and now am seeing this error when trying to authenticate against our LDAP.

Any input would be appreciated…

Thanks,

2007.02.19 08:41:24 Trying to find a user's DN based on their username. uid: administrator, Base DN: sambaDomainName=***********,dc=bardel,dc=****…
2007.02.19 08:41:24 Creating a DirContext in LdapManager.getContext()…
2007.02.19 08:41:24 Created hashtable with context values, attempting to create context…
2007.02.19 08:41:24 … context created successfully, returning.
2007.02.19 08:41:24 Starting LDAP search…
2007.02.19 08:41:24 … search finished
2007.02.19 08:41:24 In LdapManager.checkAuthentication(userDN, password), userDN is: uid="administrator",cn="Users",ou="People"…
2007.02.19 08:41:24 Created context values, attempting to create context…
2007.02.19 08:41:24 Caught a naming exception when creating InitialContext
javax.naming.AuthenticationException: LDAP: error code 49 - Invalid Credentials
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
    at com.sun.jndi.ldap.LdapCtx.(InitialDirContext.java:82)
    at org.jivesoftware.wildfire.ldap.LdapManager.checkAuthentication(LdapManager.java:456)
    at org.jivesoftware.wildfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:98)
    at org.jivesoftware.wildfire.auth.AuthFactory.authenticate(AuthFactory.java:149)
    at org.jivesoftware.wildfire.net.SASLAuthentication.doPlainAuthentication(SASLAuthentication.java:475)
    at org.jivesoftware.wildfire.net.SASLAuthentication.handle(SASLAuthentication.java:233)
    at org.jivesoftware.wildfire.net.StanzaHandler.process(StanzaHandler.java:135)
    at org.jivesoftware.wildfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:131)
    at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:703)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
    at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:62)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:192)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
    at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:250)
    at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:305)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
    at java.lang.Thread.run(Thread.java:595)

I am still facing this issue after a few more Openfire releases.

Am I missing anything from this thread that would cause no one to respond to this issue?

I would really like to have this issue addressed as we are unable to deploy our openfire server to our company until this is resolved.

If I can provide any more information I am more than willing, just let me know what you need.

Thanks again,

Josh

Log Snippet:

As I run the Web-based install wizard, I come to the point where I select OpenLdap for the user database.

I enter our Host / Base DN / Manager DN and password, and press Test - The result is Success.

I continue to the next page, and leave all values as default, and select Test Settings.

The search is somewhat successful, as a popup with no data is displayed, and in the log:

2007.05.14 06:13:40 org.jivesoftware.admin.LdapUserTester.getAttributes(LdapUserTester.java:173)
javax.naming.NameNotFoundException: LDAP: error code 32 - No Such Object; remaining name 'uid="Guest",cn="Users",ou="People",sambaDomainName="DOMAIN"'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3010)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
    at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1291)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
    at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
    at org.jivesoftware.admin.LdapUserTester.getAttributes(LdapUserTester.java:157)
    at org.jivesoftware.openfire.admin.setup.setup_002dldap_002duser_005ftest_jsp._jspService(setup_002dldap_002duser_005ftest_jsp.java:96)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:491)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1074)
    at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:39)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:65)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:41)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:69)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:365)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:185)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:689)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:391)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:146)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
    at org.mortbay.jetty.Server.handle(Server.java:285)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:457)
    at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:751)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:500)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:209)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:357)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:329)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:475)

I have the EXACT problem… all is OK until testing the chosen admin username… and I can't log in to the console…

I don't know why no one's answering though.

Howdy all, we are also having the same issue at work. LDAP error 32. Will keep searching and will post as soon as I know something.

-dh

You are right, OpenLDAP fails to work when the cn is enclosed in quotes.

So try the following

add the following in your

This should solve the problem.

Hey thanks lz, that seems to have worked for me! If I find out otherwise I'll certainly let everybody on this post know. So far so good, however.

I did have to:

  1. do the regular web-based setup, all the way through, even though the test authentication on the last page failed.

  2. open up the openfire.xml config and add/change settings the way I want (i.e. the encloseUserDN stuff). Save, of course.

  3. restart openfire.

  4. it worked with the LDAP user name I set up for administration at the end of the web-based setup.

-dn

Thanks for the response! I am building a new system now to test this out…

We'll let you know,

Josh

That did the trick. Thanks again for the input,

Josh

Mine didn't work…

Here's what I did:


I'm running 3.3.2 and have the same problem, but encloseUserDN isn't fixing the problem.

Intel, just to double check, are you getting error 32? I think it is an error caused by a failed attempt to bind with the username supplied. Somebody please correct me if I'm wrong. Also, is it a failure to bind with your LDAP adminDN username (used for the LDAP queries) or a regular user? There could also be problems if you are supposed to be using SSL, but I see that your config says false in that regard. Give more information.

Sorry if I'm rambling about stuff you've already checked, but maybe a snippet from the error log (can't remember which one it is at the moment) will help us.

Jim

I've done some more digging into OpenLDAP. I had first tried to get Openfire to use our main LDAP server, but since we use TLS, there doesn't seem to be a way that I can give Openfire the CA certificate so that it may talk to the master securely. As a workaround, I installed OpenLDAP on the machine Openfire will be on and configured it to be a slave and allow non-TLS connections from localhost only.

During Openfire setup, all was well until it came to testing the login. After learning it is trying to bind to LDAP using the supplied password, I tried it using ldapsearch and found I couldn't. I found some obscure postings about a problem like this in OpenLDAP, and it seems it depends on how the passwords are being stored. We use crypt, and if OpenLDAP isn't built to support it, the bind fails. I rebuilt OpenLDAP and now it works.
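Added example (not from this thread and not Openfire's code) covering the two DN faults the thread works through: RDN values wrapped in double quotes, as in the logged userDN, and a composed DN that does not end with the base DN, as Josh noticed in the error-32 line. The base DN dc=example,dc=com and the error line are constructed to resemble the logs above; the thread's encloseUserDN setting is only mimicked by the enclose flag.

```python
"""Check user-DN composition for the two faults seen in the thread's LDAP logs.

Added example, not Openfire's code. The base DN and the error-32 line below are
constructed to resemble the logs above; they are not real directory data.
"""
import re

# Characters that RFC 4514 requires to be backslash-escaped inside an RDN value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape a raw attribute value for use in a DN (RFC 4514) without quoting it.

    Wrapping the value in double quotes instead (the form in the thread's logs)
    makes the quotes part of the value on a server that does not accept the old
    quoted syntax, so the DN no longer names an existing entry (error 32).
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def compose_user_dn(rdns, base_dn, enclose=False):
    """Build the bind DN from the found entry's (attribute, value) RDN pairs plus the base DN.

    enclose=True reproduces the quoted form in the logs above (what the thread's
    encloseUserDN discussion is about); enclose=False is the RFC 4514 form.
    """
    parts = [f'{a}="{v}"' if enclose else f'{a}={escape_rdn_value(v)}' for a, v in rdns]
    if base_dn:
        parts.append(base_dn)
    return ','.join(parts)


def diagnose_error32(log_line, base_dn):
    """Inspect an 'error code 32 - No Such Object' line for the two faults above."""
    m = re.search(r'remaining name\s+(.*)$', log_line)
    if not m:
        return None
    # Strip the outer single quotes JNDI puts around the remaining name.
    name = m.group(1).strip().strip("'\u2018\u2019")
    return {
        'remaining_name': name,
        'quoted_rdn_values': re.search(r'=["\u201c]', name) is not None,
        'missing_base_dn': not name.lower().endswith(base_dn.lower()),
    }


# Constructed sample, modeled on the error-32 line in the thread (not a real log).
SAMPLE_BASE_DN = 'dc=example,dc=com'
SAMPLE_ERROR32 = ('javax.naming.NameNotFoundException: LDAP: error code 32 - No Such Object; '
                  'remaining name \'uid="Guest",cn="Users",ou="People",sambaDomainName="DOMAIN"\'')

if __name__ == '__main__':
    print(diagnose_error32(SAMPLE_ERROR32, SAMPLE_BASE_DN))
    rdns = [('uid', 'Guest'), ('cn', 'Users'), ('ou', 'People'), ('sambaDomainName', 'DOMAIN')]
    print(compose_user_dn(rdns, SAMPLE_BASE_DN))
```

An error 49 after the DN is composed correctly is the other case in the thread: the entry exists but the simple bind is rejected, which is where the password storage scheme (crypt support in OpenLDAP) comes in.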