Ldap Auth with ADS

Jagadish_Kannan · March 30, 2006, 1:26pm

Have setup LDAP Authentication with Active Directory 2003.

When trying to authenticate users who have a ‘’,’’ in the Distinguished name for e.g.

cn=Lastname, Firstname, dc=subdomain, dc=domain, dc=com, don’'t get authenticated and Wildfire 2.5.1 throws an error

2006.03.30 04:02:16 In LdapManager.checkAuthentication(userDN, password), userDN is: ldap://subdomain.domain.com:389/CN=Lastname%5c,%20Firstname,OU=Users,DC=subdoma in,DC=domain,DC=com…

2006.03.30 04:02:16 Created context values, attempting to create context…

2006.03.30 04:02:16 Caught a naming exception when creating InitialContext

javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

I believe this is due to the Escape character of ‘’’’ or %5C escaping ‘’,’’.

Is there a way to change the authentication to username@domain.com instead of using distinguished name?

Alternately, is there a way to add
(two backslashes) for escaping (read somewhere in another forum as a resolution) the comma.

Any help would be appreciated.

Thanks.

Jagadish_Kannan · April 3, 2006, 6:44pm

My earlier guess on the problem seems to be incorrect. This problem is due to the full DN (including ldap://servername/) returned when chasing a referral. This seems to have been resolve in JM-601.

Before looking at that, I modified the LdapManager.java to authenticate using userPrincipalName from ADS. Which works too…

However, still running into a small issue where the wildfire keeps waiting on one (out of 8) ADS server. This happens randomly, e.g. it sometimes waits on dnsdomainzones.subdomain.domain.com and at other on foreigndnszones.subdomain.domain.com… and so on…

I have not been able to establish a pattern to this. Will try to look for the source of this problem. Any tips would be appreciated…

Thanks.

Jagadish_Kannan · April 7, 2006, 5:24am

Will be posting a message in Developer thread with the changes that I have done to make this work for me. Maybe someone will find some use…

I have it working now.

Thanks for all the efforts by all the people in making Wildfire the best XMPP Server that I have come across…

Joshua_Parsell · May 3, 2006, 7:02pm

I am having the same problem, I am able to use a very simple user account for Admin and to log in on spark, but my regular AD user accounts don’'t work. The LDAP search finds them and returns DN, but then gets that same error:

2006.03.30 04:02:16 Created context values, attempting to create context…

2006.03.30 04:02:16 Caught a naming exception when creating InitialContext

The simple user account works. (By “simple” I mean I set up this user with a one-word username, and that same word is the displayName, sAMAccountName, name, and cn in AD. Our regular user accounts have a fairly simple sAMAccountName, but the values for cn, displayName, and name have a comma, a forward slash, and a pair of parentheses. So the distinguishedName for a regular account has those characters as well, including the backslash-escaped comma.)

Message was edited by: parseljc

Joshua_Parsell · May 3, 2006, 8:32pm

Some followup. It definitely seems to be the comma. Several other generic system accounts are working, all of which do not have “Lastname, Firstname” for the distinguished Name. All my user accounts with the “Lastname, Firstname” DN’'s are failing to log in, even though they are found by the initial LDAP lookup.

Here’'s my “simple” user, which works:

2006.05.03 16:22:52 Connect Socket[addr=/10.48.128.138,port=2520,localport=5222]

2006.05.03 16:22:52 Trying to find a user’'s DN based on their username. sAMAccountName: ldapbrowser, Base DN: DC=org,DC=company,DC=parentcorp,DC=local…

2006.05.03 16:22:52 Creating a DirContext in LdapManager.getContext()…

2006.05.03 16:22:52 Created hashtable with context values, attempting to create context…

2006.05.03 16:22:52 … context created successfully, returning.

2006.05.03 16:22:52 Starting LDAP search…

2006.05.03 16:22:52 … search finished

2006.05.03 16:22:52 In LdapManager.checkAuthentication(userDN, password), userDN is: CN=ldapbrowser,OU=Org Users…

2006.05.03 16:22:52 Created context values, attempting to create context…

2006.05.03 16:22:52 … context created successfully, returning.

Notice there is no comma in the CN of userDN.

And here’'s a regular user, which fails:

2006.05.03 16:14:54 Connect Socket[addr=/10.48.128.138,port=2442,localport=5222]

2006.05.03 16:14:54 Trying to find a user’'s DN based on their username. sAMAccountName: joshua.parsell, Base DN: DC=org,DC=company,DC=parentcorp,DC=local…

2006.05.03 16:14:54 Creating a DirContext in LdapManager.getContext()…

2006.05.03 16:14:54 Created hashtable with context values, attempting to create context…

2006.05.03 16:14:54 … context created successfully, returning.

2006.05.03 16:14:54 Starting LDAP search…

2006.05.03 16:14:54 … search finished

2006.05.03 16:14:54 In LdapManager.checkAuthentication(userDN, password), userDN is: “CN=Parsell, Joshua (AJ-East Engineering/Technology),OU=Org Users”…

2006.05.03 16:14:54 Created context values, attempting to create context…

2006.05.03 16:14:54 Caught a naming exception when creating InitialContext

javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.(Unknown Source)

at org.jivesoftware.wildfire.ldap.LdapManager.checkAuthentication(LdapManager.java :335)

at org.jivesoftware.wildfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.j ava:90)

at org.jivesoftware.wildfire.auth.AuthFactory.authenticate(AuthFactory.java:114)

at org.jivesoftware.wildfire.net.SASLAuthentication.doPlainAuthentication(SASLAuth entication.java:284)

at org.jivesoftware.wildfire.net.SASLAuthentication.doHandshake(SASLAuthentication .java:144)

at org.jivesoftware.wildfire.net.SocketReader.authenticateClient(SocketReader.java :317)

at org.jivesoftware.wildfire.net.SocketReader.readStream(SocketReader.java:278)

at org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:119)

at java.lang.Thread.run(Unknown Source)

Notice there is a comma in the CN of the userDN, and the whole userDN is in double quotes, unlike the userDN for the “simple” user.

Also, I found this by Google:

http://www.codecomments.com/archive408-2005-5-499111.html

Quote: “Duh - some genius (Not I! I do unix) put a backslash in my DN ( CN=Burris, Celeste Suliin) I needed to double it to get the DN to LDAP correctly.”

Any help? Any suggestions? Can I fix this by changing my wildfire.xml or is this something that requires a software update?

I am running Wilfire Server 2.6.2 on RHEL 4. My LDAP is Active Directory 2003.