SASL Mechanisms

I’m using Openfire 4.7.4 and recently I changed the SASL mechanism configuration to have only the SCRAM-SHA-1 mechanism enabled (before, all mechanisms were selected).

After making this change, all the clients that tried to connect started receiving the error:
<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized />

But if I edit the user password with the same value in the Openfire portal, afterwards the clients can connect successfully!

Does this change affect the definition of the password somehow? Is this a known issue?

Yes, but it’s “by design”. The passwords are stored as hashes in the database. If you previously used e.g. DIGEST-MD5, then Openfire is unable to derive the SCRAM-SHA-1 hash from that. You have to provide Openfire once again with the plain text password, so that Openfire can calculate the SCRAM hash for it.

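To illustrate the reply above, here is an added example (not part of the thread and not Openfire's code) that derives the SCRAM-SHA-1 verifier defined in RFC 5802 from a plaintext password and checks the RFC's sample client proof against it. It then repeats the derivation starting from a DIGEST-MD5 style hash (RFC 2831) to show the result no longer verifies. The realm `example.org` is a constructed value, SASLprep is skipped because the sample password is ASCII, and the helper names are hypothetical.

```python
import base64
import hashlib
import hmac


def scram_sha1_verifier(password: str, salt: bytes, iterations: int):
    """Return (StoredKey, ServerKey), the values a SCRAM-SHA-1 server keeps (RFC 5802)."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return hashlib.sha1(client_key).digest(), server_key


def digest_md5_ha1(username: str, realm: str, password: str) -> bytes:
    """Secret hash used by DIGEST-MD5 (RFC 2831): MD5(username:realm:password)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def server_accepts(stored_key: bytes, auth_message: bytes, proof_b64: str) -> bool:
    """Verify a client proof the way a server does, using only StoredKey."""
    proof = base64.b64decode(proof_b64)
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key)


# Sample exchange from RFC 5802 section 5 (user "user", password "pencil").
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
AUTH_MESSAGE = (
    b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
    b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
    b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
)
CLIENT_PROOF = "v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="


def demo():
    # Verifier computed from the plaintext password: the login verifies.
    stored_ok, _ = scram_sha1_verifier("pencil", SALT, 4096)
    # Only an MD5-based hash is available: it cannot stand in for the password.
    legacy = digest_md5_ha1("user", "example.org", "pencil")  # constructed realm
    stored_bad, _ = scram_sha1_verifier(legacy.hex(), SALT, 4096)
    return (server_accepts(stored_ok, AUTH_MESSAGE, CLIENT_PROOF),
            server_accepts(stored_bad, AUTH_MESSAGE, CLIENT_PROOF))


if __name__ == "__main__":
    print(demo())
```

Both derivations are one-way, so the only input that yields a working SCRAM verifier is the plaintext password itself.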

Is there any procedure to re-provide the passwords for all users (like a db script or something) or other means to overcome this issue?