
W2K3 Active Directory authentication failing

I am using Active Directory authentication with my Openfire server. I had tested this out completely on a test system and everything worked. I put the exact same configuration on the live systems and none of the Active Directory authentication works. The only difference is the domain name. I am sure I have the correct information in my xml file. The domain name on the live system has a dash. Could this be preventing my authentication from working? (ex. dc=my-domain,dc=com)

Thanks.

The dash should not affect the authentication. It is going to be nearly impossible to help without specifics regarding the AD configuration and what your Openfire settings are.

What additional info do you need? My active directory is very basic…only one domain controller.

I do get this error in my openfire logs.

LDAP: error code 8 - 00002028 LdapErr: DSID-0C09018A Comment: The server requires binds to turn on integrity checking if SSL/TLS are not already active on the connection.

Update. I can make my authentication work if I change my group policy.

Domain Controller: LDAP Server signing requirements = None rather than require signing

Does anyone know how to make Openfire work if the LDAP Server signing is set to require signing?

Same problem

Did you find a resolution or workaround to this problem? Unfortunately our security requirements prevent me from disabling LDAP signing on my domain.

Japho,

I don’t know if you have fixed this yet but the way to fix this issue is to open the Openfire Admin page and then go to the Server Settings tab to edit your LDAP connection.

Change your port to 636, expand Advanced Settings and set it to Use SSL. If you then run Test Settings you should see it connect to Active Directory without further issues. If this doesn't quite fix it, I would just check your network to find what port the server is listening on for secure LDAP connections and make sure you have Openfire set to use that port.

I am having the same issue and the question is not about SSL. The question is about SASL. OpenFire appears to support using SASL with DIGEST-MD5 authentication from the clients, but there does not appear to be a way to configure it for the OpenFire to Active Directory connection. No matter what you do, it appears to attempt to establish the connection to Active Directory using simple, plain text, authentication.

For reasons that I won’t go into here, in my case, a certificate being on the server is not an option, so, securing the authentication through SSL is not an option, but digest authentication would fit the bill. In specific, the issue that I am working on at the moment is for the OpenFire server connection to enumerate users and groups, or to be able to get through the setup dialog for that matter.

I have spent the majority of the day looking into this issue and there are a number of other questions on this board attempting to resolve this issue as well. A number of answers have suggested SSL or to use Kerberos, but for those, and me, that is just simply not what we are trying to do.

I have seen portions of the API that indicate that only plain text is currently available, but others seem to show that digest authentication should be available. Is there anyone who might be able to point us in the right direction of how to configure the OpenFire connection to Active Directory to use SASL w/DIGEST-MD5?

I am almost at the point of downloading the source code and laboring to find out if it is possible.

Ok, I will answer my own question here: no, it is not possible in the current implementation. I downloaded the source and went through it and here is what I have found. The majority of the connection code, and particularly the code that controls the connection type, is found in LdapManager.java. The attribute name in question is SECURITY_AUTHENTICATION, ref http://java.sun.com/products/jndi/tutorial/ldap/security/digest.html. The only values that this attribute is ever set to are none, which means an Anonymous connection, and simple, which means that the credentials will be sent in clear text.

If the maintainers of this section are perusing, I would like to make a feature request to add DIGEST-MD5 and a configuration option provided. I would suggest that “simple” be replaced with DIGEST-MD5, which would make it a one or two line change, but I am sure that would break someone else.

I cannot for the life of me get Openfire to connect to my Active Directory. I have other software that connects just fine with no issues. I also downloaded a program to test LDAP connectivity, and it worked just fine. I really want to use Spark in our work environment, but if I cannot get Active Directory/single sign-on to work, I think I will probably have to look at other options.

Did anyone ever figure out if there is a logical remedy to this problem?

Is there any update to incorporate the DIGEST-MD5 option? We have customers that have the:

Domain Controller: LDAP Server signing requirements = Require Signing

They are unable to turn this option to “None” and are being required to use OpenFire to connect to other organization’s chats.

Any update would be great!

The quickest workaround to this is to implement LDAPS; otherwise it would require some code changes.

How difficult are the code changes?

Not sure, as I'm not a developer or programmer. The class that would need to be looked at is

https://github.com/igniterealtime/Openfire/blob/master/src/java/org/jivesoftware/openfire/ldap/LdapManager.java

and you basically need to change instances of Context.SECURITY_AUTHENTICATION, "simple" to a SASL mechanism that is supported by your LDAP, like DIGEST-MD5.
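The three ways of binding that this thread goes back and forth over, side by side in plain JNDI: the clear-text simple bind that the LdapManager.java post found, the LDAPS workaround from the port 636 answer, and the DIGEST-MD5 change suggested in the last two posts. This is an added example, not code from the thread or from the Openfire code base. The host, account DN, user name and password are placeholders, the LDAPS case assumes the DC certificate is trusted by the JVM truststore, and the DIGEST-MD5 case assumes a DC that offers that mechanism. The detail the last post leaves out is that swapping "simple" for "DIGEST-MD5" alone is not enough: JNDI's default SASL quality of protection is "auth" (authentication only), and a DC set to "Require signing" only accepts a non-TLS bind that has negotiated an integrity layer, which is what "javax.security.sasl.qop" = "auth-int" asks for.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class AdBindCheck {

    // Placeholder values (assumptions, not from the thread): replace with your own DC and account.
    static final String HOST = "dc1.my-domain.com";
    static final String USER_DN = "CN=openfire,CN=Users,DC=my-domain,DC=com";
    static final String USER_NAME = "openfire";   // sAMAccountName; SASL takes a user name, not a DN
    static final String PASSWORD = "changeme";

    static Hashtable<String, String> base(String url) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        return env;
    }

    /** Simple bind on 389: credentials cross the wire in clear text. With the DC policy
     *  "LDAP server signing requirements = Require signing" this is the bind that gets
     *  LDAP error code 8 / 00002028. */
    static Hashtable<String, String> simpleBind() {
        Hashtable<String, String> env = base("ldap://" + HOST + ":389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, USER_DN);
        env.put(Context.SECURITY_CREDENTIALS, PASSWORD);
        return env;
    }

    /** Simple bind inside TLS on 636 (the LDAPS workaround). TLS already satisfies the
     *  signing requirement, so the bind itself can stay "simple". */
    static Hashtable<String, String> ldapsBind() {
        Hashtable<String, String> env = base("ldaps://" + HOST + ":636");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, USER_DN);
        env.put(Context.SECURITY_CREDENTIALS, PASSWORD);
        return env;
    }

    /** SASL DIGEST-MD5 on 389 (the proposed code change). The qop property is the part
     *  that matters for signing: without "auth-int" the bind authenticates but leaves the
     *  connection unsigned, and the DC still refuses it. */
    static Hashtable<String, String> digestMd5Bind() {
        Hashtable<String, String> env = base("ldap://" + HOST + ":389");
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, USER_NAME);
        env.put(Context.SECURITY_CREDENTIALS, PASSWORD);
        env.put("javax.security.sasl.qop", "auth-int");   // negotiate the integrity (signing) layer
        return env;
    }

    /** Performs the bind and reports the result. JNDI maps LDAP result code 8
     *  (strongAuthRequired) to javax.naming.AuthenticationNotSupportedException. */
    static String tryBind(String label, Hashtable<String, String> env) {
        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.close();
            return label + ": bind OK";
        } catch (NamingException e) {
            return label + ": " + e.getClass().getSimpleName() + " - " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(tryBind("simple/389", simpleBind()));
        System.out.println(tryBind("simple/636 (LDAPS)", ldapsBind()));
        System.out.println(tryBind("DIGEST-MD5 auth-int/389", digestMd5Bind()));
    }
}
```

Run it against a DC with signing required and the first line should reproduce the 00002028 error from the logs while the other two bind. If the DIGEST-MD5 bind fails with a realm or mechanism error instead, the DC is not offering DIGEST-MD5 for that account, and a GSSAPI (Kerberos) bind with the same "auth-int" setting is the other non-TLS route to a signed connection.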