7265 Views, 9 Replies. Latest reply: Aug 29, 2011 6:19 AM by dparish@co.chambers.tx.us

cb350 (Bronze, 4 posts since Sep 16, 2008)
Sep 26, 2008 5:06 AM

W2K3 Active Directory authentication failing

I am using Active Directory authentication with my Openfire server.  I had tested this out completely on a test system and everything worked.  I put the exact same configuration on the live systems and none of the Active Directory authentication works.  The only difference is the domain name.  I am sure I have the correct information in my xml file.  The domain name on the live system has a dash.  Could this be preventing my authentication from working?  (ex. dc=my-domain,dc=com)


Thanks.

  • sixthring (KeyContributor, 3,798 posts since Apr 2, 2007)
    Sep 26, 2008 6:13 AM (in response to cb350)
    Re: W2K3 Active Directory authentication failing

    The dash should not affect the authentication.  It is going to be near impossible to help without specifics regarding the AD configuration and what your openfire settings are.

  • Shacker (Bronze, 1 post since Dec 10, 2009)
    Dec 10, 2009 5:51 AM (in response to cb350)
    Re: W2K3 Active Directory authentication failing

    Same problem

    • Japho (Bronze, 1 post since Jan 15, 2010)
      Jan 15, 2010 12:22 PM (in response to Shacker)
      Re: W2K3 Active Directory authentication failing

      Did you find a resolution or workaround to this problem? Unfortunately our security requirements prevent me from disabling LDAP signing on my domain.

      • cahollow (Bronze, 1 post since Feb 18, 2010)
        Feb 18, 2010 8:24 AM (in response to Japho)
        Re: W2K3 Active Directory authentication failing

        Japho,


        I don't know if you have fixed this yet but the way to fix this issue is to open the Openfire Admin page and then go to the Server Settings tab to edit your LDAP connection.


        Change your port to 636, expand Advanced Settings and set it to Use SSL.  If you then run Test Settings you should see it connect to Active Directory without further issues.  If this doesn't quite fix it, I would just check your network to find what port the server is listening on for secure LDAP connections and make sure you have Openfire set to use that port.
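        The same change expressed in conf/openfire.xml, as an added example that is not from this thread or from Openfire's own documentation. The first <ldap> block is the weak configuration (plain LDAP on 389 with a simple bind, so the service account's password crosses the network in clear text on every bind), the second is the corrected one (LDAPS on 636). Host, DNs and password are placeholders; the property names are Openfire's (ldap.host, ldap.port, ldap.sslEnabled and so on, which is what the admin console writes when you change the same settings there).

```xml
<!-- BEFORE: plain LDAP, simple bind -> clear-text credentials on the wire -->
<ldap>
  <host>dc1.my-domain.com</host>                <!-- placeholder -->
  <port>389</port>
  <sslEnabled>false</sslEnabled>
  <baseDN>dc=my-domain,dc=com</baseDN>          <!-- the dash needs no escaping -->
  <adminDN>cn=openfire,ou=Service Accounts,dc=my-domain,dc=com</adminDN>
  <adminPassword>changeme</adminPassword>       <!-- placeholder -->
  <usernameField>sAMAccountName</usernameField>
  <searchFilter>(objectClass=user)</searchFilter>
</ldap>

<!-- AFTER: LDAPS on 636, same simple bind but inside TLS -->
<ldap>
  <host>dc1.my-domain.com</host>
  <port>636</port>
  <sslEnabled>true</sslEnabled>
  <baseDN>dc=my-domain,dc=com</baseDN>
  <adminDN>cn=openfire,ou=Service Accounts,dc=my-domain,dc=com</adminDN>
  <adminPassword>changeme</adminPassword>
  <usernameField>sAMAccountName</usernameField>
  <searchFilter>(objectClass=user)</searchFilter>
</ldap>

<!-- Both variants need the LDAP providers selected, otherwise the
     <ldap> block is ignored and the local user store is used instead -->
<provider>
  <user><className>org.jivesoftware.openfire.ldap.LdapUserProvider</className></user>
  <auth><className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className></auth>
  <group><className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className></group>
</provider>
```

        Two checks before blaming Openfire: the domain controller's certificate (or the CA that issued it) has to be trusted by the JVM Openfire runs in, otherwise Test Settings fails on the TLS handshake rather than on the bind; and you can confirm the DC actually serves LDAPS on 636, and see which certificate it presents, with openssl s_client -connect dc1.my-domain.com:636 -showcerts from the Openfire host.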

        • tsoftware (Bronze, 5 posts since Feb 18, 2010)
          Feb 18, 2010 2:36 PM (in response to cahollow)
          Re: W2K3 Active Directory authentication failing

          I am having the same issue and the question is not about SSL.  The question is about SASL.  OpenFire appears to support using SASL with DIGEST-MD5 authentication from the clients, but there does not appear to be a way to configure it for the OpenFire to Active Directory connection.  No matter what you do, it appears to attempt to establish the connection to Active Directory using simple, plain text, authentication.


          For reasons that I won't go into here, in my case, a certificate being on the server is not an option, so securing the authentication through SSL is not an option, but digest authentication would fit the bill.  Specifically, the issue that I am working on at the moment is for the OpenFire server connection to enumerate users and groups, or to be able to get through the setup dialog for that matter.


          I have spent the majority of the day looking into this issue, and there are a number of other questions on this board attempting to resolve this issue as well.  A number of answers have suggested SSL or Kerberos, but for those people, and for me, that is simply not what we are trying to do.


          I have seen portions of the API that indicate that only plain text is currently available, but others seem to show that digest authentication should be available.  Is there anyone who might be able to point us in the right direction on how to configure the OpenFire connection to Active Directory to use SASL w/DIGEST-MD5?


          I am almost at the point of downloading the source code and laboring to find out if it is possible.

          • tsoftware (Bronze, 5 posts since Feb 18, 2010)
            Feb 19, 2010 8:44 AM (in response to tsoftware)
            Re: W2K3 Active Directory authentication failing

            Ok, I will answer my own question here: no, it is not possible in the current implementation.  I downloaded the source and went through it, and here is what I have found.  The majority of the connection code, and particularly the code that controls the connection type, is found in LdapManager.java.  The attribute name in question is SECURITY_AUTHENTICATION, ref http://java.sun.com/products/jndi/tutorial/ldap/security/digest.html.  The only values that this attribute is ever set to are none, which means an anonymous connection, and simple, which means that the credentials will be sent in clear text.


            If the maintainers of this section are perusing, I would like to make a feature request to add DIGEST-MD5, with a configuration option provided.  I would suggest that "simple" be replaced with DIGEST-MD5, which would make it a one or two line change, but I am sure that would break someone else.
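            To make concrete what the two tsoftware posts above describe (Openfire's LdapManager only ever puts "none" or "simple" into Context.SECURITY_AUTHENTICATION), here is an added stand-alone JNDI probe. It is not Openfire code and not from this thread; it binds the same two ways LdapManager can, plus the SASL DIGEST-MD5 way the posts ask for, against the same JNDI properties, so you can see what each attempt returns from a given domain controller. Host, DNs, sAMAccountName, realm and password are placeholders. Two facts worth having before filing that feature request: Active Directory only completes a DIGEST-MD5 bind for accounts whose password is stored with reversible encryption, and DIGEST-MD5 was moved to Historic by RFC 6331 in 2011, so LDAPS and Kerberos (the JNDI "GSSAPI" mechanism) are what remain defensible. Also, when the domain enforces LDAP signing, the kind of requirement Japho mentions, a simple bind over plain LDAP is refused with LDAP result code 8 (strongerAuthRequired), which JNDI surfaces as AuthenticationNotSupportedException; the probe distinguishes that from a wrong password.

```java
import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.AuthenticationNotSupportedException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added example, not Openfire code: performs an LDAP bind with the same JNDI
 * properties LdapManager uses ("none" / "simple") and, additionally, with the
 * SASL DIGEST-MD5 mechanism, reporting how the directory answers each attempt.
 */
public class LdapBindProbe {

    // All values below are placeholders (assumptions for the example); replace them.
    static final String HOST     = "dc1.my-domain.com";
    static final String BIND_DN  = "CN=openfire,OU=Service Accounts,DC=my-domain,DC=com";
    static final String SAM_NAME = "openfire";        // DIGEST-MD5 uses the account name, not the DN
    static final String REALM    = "my-domain.com";   // AD's DIGEST-MD5 realm is the DNS domain name
    static final String PASSWORD = "changeme";

    /** Attempts one bind and returns a one-line verdict instead of throwing. */
    static String probe(String url, String mechanism, String principal, String secret) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // This is the property LdapManager.java sets to "none" or "simple".
        env.put(Context.SECURITY_AUTHENTICATION, mechanism);
        if (!"none".equals(mechanism)) {
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, secret);
        }
        if ("DIGEST-MD5".equals(mechanism)) {
            // Realm to authenticate in, and integrity protection for the session that follows.
            env.put("java.naming.security.sasl.realm", REALM);
            env.put("javax.security.sasl.qop", "auth-int");
        }
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the bind happens here
            return "OK";
        } catch (AuthenticationNotSupportedException e) {
            // LDAP result 8 (strongerAuthRequired): e.g. plain simple bind while signing is required
            return "MECHANISM REFUSED: " + e.getMessage();
        } catch (AuthenticationException e) {
            // LDAP result 49 (invalidCredentials): the DC accepted the mechanism, not the secret
            return "BAD CREDENTIALS: " + e.getMessage();
        } catch (NamingException e) {
            // connection refused, TLS handshake failure (untrusted DC certificate), etc.
            return "FAILED: " + e;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        String plain = "ldap://"  + HOST + ":389";
        String ldaps = "ldaps://" + HOST + ":636";   // needs the DC's CA in the JVM truststore
        System.out.println("anonymous, plain LDAP     : " + probe(plain, "none",       null,     null));
        System.out.println("simple bind, plain LDAP   : " + probe(plain, "simple",     BIND_DN,  PASSWORD));
        System.out.println("simple bind, LDAPS        : " + probe(ldaps, "simple",     BIND_DN,  PASSWORD));
        System.out.println("DIGEST-MD5, plain LDAP    : " + probe(plain, "DIGEST-MD5", SAM_NAME, PASSWORD));
    }
}
```

            Run it as javac LdapBindProbe.java && java LdapBindProbe from the Openfire host, with a packet capture on port 389 open in parallel if you want to see for yourself that the "simple" attempt ships the password in clear text and the DIGEST-MD5 attempt does not. If the DIGEST-MD5 line reports BAD CREDENTIALS while the simple bind over LDAPS succeeds with the same password, the account almost certainly lacks reversible encryption, which is the AD-side prerequisite, not an Openfire problem.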

            • dparish@co.chambers.tx.us (Bronze, 11 posts since Aug 10, 2011)
              Aug 29, 2011 6:19 AM (in response to tsoftware)
              W2K3 Active Directory authentication failing

              I cannot for the life of me get openfire to connect to my Active Directory.  I have other software that connects just fine with no issues.  I also downloaded a program to test LDAP connectivity, and it worked just fine.  I really want to use spark in our work environment, but if I cannot get active directory/single sign-on to work, I think I will probably have to look at other options.


              Did anyone ever figure out if there is a logical remedy to this problem?
