Some A/D Users not able to log in

Mattias_Lindgren · April 11, 2008, 12:57am

I am running Openfire 3.5.0 on Windows 2003 (issue happened on previous 3. releases as well).

Some users are unable to log in, they get kicked out with unknown username or password. When I look them up in a user search, the system cannot find the user. When I browse to a group they are a member of, they show up just fine, however they have a red asterisk by their name which says at the bottom:

" Note: Remote users or entities should accept presence subscriptions automatically."

This all seemed to have started a few months ago, but I didn’t hear about it until recently.

Any suggestions would be great as I’m not really seeing anything in the logs that point me in the right direction.

NO_MESSAGES_OR_FRIEN · April 11, 2008, 1:15am

Do the users have any characters in their usernames that are not numbers or letters. Have the users been moved outside your your BsaeDN or user search filter?

Mattias_Lindgren · April 11, 2008, 2:17pm

No, there is nothing unusual about the usernames, nor have they been moved out of the base DN that I can tell. We have one group in A/D that lists all employees, and only those with the * next to them are unable to log in. The only thing out of the ordinary that I can tell is that the group that all these people are in is called “Sales / Marketing” - and I didn’t know if the slash made a difference or not.

Mattias_Lindgren · April 14, 2008, 10:13pm

I changed the A/D group to not have a slash, and nothing seems to have changed. I am really confused here! Any help would be appreciated

NO_MESSAGES_OR_FRIEN · April 15, 2008, 1:03am

I would say that you may need to turn on your debug logs on the server. clear all your logs and then have one of those users attempt to login. Post the resulting error. Before you clear the logs are there any errors already present?

Mattias_Lindgren · April 15, 2008, 7:00pm

This is what I got in my debug log, hopefully it helps:

2008.04.15 11:56:22 LdapManager: In LdapManager.checkAuthentication(userDN, password), userDN is: CN=“Veronica Yager”,OU=“3t Sales & Marketing”,OU=“3t Systems”,OU=“Big Tree Inc.”…

2008.04.15 11:56:22 LdapManager: Created context values, attempting to create context…

2008.04.15 11:56:22 LdapManager: Caught a naming exception when creating InitialContext

javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)

at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)

at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)

at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)

at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)

at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)

at javax.naming.InitialContext.init(Unknown Source)

at javax.naming.InitialContext.<init>(Unknown Source)

at javax.naming.directory.InitialDirContext.<init>(Unknown Source)

at org.jivesoftware.openfire.ldap.LdapManager.checkAuthentication(LdapManager.java :463)

at org.jivesoftware.openfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.j ava:111)

at org.jivesoftware.openfire.auth.AuthFactory.authenticate(AuthFactory.java:155)

at org.jivesoftware.openfire.net.XMPPCallbackHandler.handle(XMPPCallbackHandler.ja va:86)

at org.jivesoftware.openfire.sasl.SaslServerPlainImpl.evaluateResponse(SaslServerP lainImpl.java:112)

at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java :230)

at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:147)

at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandl er.java:132)

at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived (AbstractIoFilterChain.java:570)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)

at org.apache.mina.common.IoFilterAdapter.messageReceived(IoFilterAdapter.java:80)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)

at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimplePr otocolDecoderOutput.java:58)

at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecF ilter.java:180)

at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)

at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)

at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)

at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java :239)

at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(Execut orFilter.java:283)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)

at java.lang.Thread.run(Unknown Source)