9 Replies Latest reply on Nov 13, 2007 4:23 PM by tfxapatel

    Active Directory / LDAP Authentication behavior change from 1.6 -> 1.7

      Summary of issue:

       

      We have upgraded our 1.6 clearspace installation in a development environment and found a change in the login behavior. We currently have an apache2.2 / tomcat5 intranet that uses LDAP authentication. The initial layer of authentication is using a SUN Directory server. We have added clearspace as a web application within this infrastructure; however, we configured clearspace to use Active Directory authentication. In 1.6 this worked fine: users would authenticate using their SUN LDAP credentials and then authenticate again into clearspace using their Active Directory information. After the upgrade we noticed that 1.7 is automatically trying to use the initial SUN LDAP password to log in (unfortunately, with 1 wrong login attempt in clearspace 1.6 and 1.7, the application sends 5 auth requests to Active Directory and locks the user out).

       

      We also tried a clean install of 1.7 on the development servers and found the exact same behavior with ldap authentication and user lockout.

       

      Questions:

       

      1. Is there a way to set the configuration to stop this new behavior in 1.7 regarding ldap authentication? We want the same 1.6 behavior, where clearspace will not try to use the ldap credentials that are already present in the initial apache request.

       

      2. Can we limit the auth attempts to Active Directory when the incorrect username/password combination is used? (Currently 5 requests are sent with only 1 incorrect login attempt.)

        • Re: Active Directory / LDAP Authentication behavior change from 1.6 -> 1.7
          scott.hirdes

          Hi,

           

          Could you possibly recreate this with your debug log on and then attach your debug log?  Also, could you provide your jive properties?  Just run SELECT * FROM jiveproperty against your database.

           

          - Scott

            • Re: Active Directory / LDAP Authentication behavior change from 1.6 -> 1.7

              Scott,

               

              I posted the jiveProperty information below. How do I enable the debug log?

               

              name | propValue
              ---- | ----
              jive.auth.disallowGuest | true
              feeds.protected | true
              skin.default.displayFullNames | true
              ldap.host | 10.1.x.x
              ldap.port | 389
              ldap.baseDN | DC=company,DC=domain,DC=pvt
              ldap.adminDN | CN=Clearspace User,OU=Service Accounts,OU=Intranet,OU=Global Systems,DC=company,DC=domain,DC=pvt
              ldap.adminPassword |
              ldap.usernameField | sAMAccountName
              ldap.nameField | cn
              ldap.emailField | mail
              ldap.searchFilter | (sAMAccountName=)
              ldap.groupNameField | cn
              ldap.groupMemberField | member
              ldap.groupDescriptionField | description
              ldap.groupSearchFilter | (&(cn=Clearspace*)(member=)(objectClass=group))
              ldap.sslEnabled | false
              ldap.ldapDebugEnabled | false
              ldap.followReferrals | false
              ldap.connectionPoolEnabled | true
              UserManager.className | com.jivesoftware.base.ldap.LdapUserManager
              GroupManager.className | com.jivesoftware.base.ldap.LdapGroupManager
              AuthFactory.className | com.jivesoftware.base.ldap.LdapAuthFactory
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Group Description Field | description
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Administrator DN | CN=Clearspace User,OU=Service Accounts,OU=Intranet,OU=Global Systems,DC=company,DC=domain,DC=pvt
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:SSL Enabled | false
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Administrator Password |
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Auto Follow Referrals | false
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Email Field | mail
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Username Field | sAMAccountName
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Base DN | DC=company,DC=domain,DC=pvt
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Connection Pooling Enabled | true
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Search Sub Trees | true
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Search Filter | (sAMAccountName=)
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Name Field | cn
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Group Name Field | cn
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Debugging Enabled | false
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Read Timeout | 10000
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Port | 389
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Alternate Base DN |
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Server Address | 10.1.x.x
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Initial Context Factory |
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Enclose User DN | false
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Posix Mode |
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Group Member Field | member
              __jive.spi.com.jivesoftware.spi.user.impl.ldap.AuthenticationProviderImpl:Search Wild Card Pattern | *
              i18n.defaultLanguage | en
              i18n.allowedLanguages | en
              cron.propertiesUpgraded | true
              search.user.indexCreated | 1193850787601
              search.user.indexVersion | 1.7.0
              search.indexCreated | 1193856343864
              search.indexVersion | 1.7.0
              update.lastCheck | 1194218724644
              mail.smtp.host | smtprelay.domain.com
              mail.smtp.port | 25
              jiveURL | https://name.domain.com/teamspaces
              checkmail.host |
              checkmail.port | 110
              checkmail.protocol | pop3
              system.adminuser.fromName | Do Not Reply
              system.adminuser.email | donotreply@domain.com
              setup | true
              cookieKey | U0X5dNSKTgIQ06I
              opensearch.key | U2i57VA3GpWy3W5
              jive.xmpp.host | xmpp.domain.com
              jive.xmpp.port | 5275
              jive.xmpp.secret |
              jive.xmpp.commonUsernames | true
              jive.xmpp.XMPPPresenceEnabled | true
              jive.xmpp.domain | domain.com
              jive.xmpp.enabled | true

                • Re: Active Directory / LDAP Authentication behavior change from 1.6 -> 1.7
                  scott.hirdes

                  To enable the debug log, go into the Admin Console under System -> Management -> Log Viewer and then click the tab for "Debug."  There is an option to set it to Enabled or Disabled there and an update button.

                    • Re: Active Directory / LDAP Authentication behavior change from 1.6 -> 1.7

                      Scott,

                       

                      Here is the debug log showing the UnauthorizedException thrown by Clearspace after the initial successful login to apache using SUN Ldap. The user "gknteamspace1" was locked out of Active Directory because clearspace tried to authenticate 5 times using the initial apache password credential. To clarify, the username in SUN Ldap and Active Directory is the same - "gknteamspace1" - just the passwords are different. If we set the password to be the same between both directories, the user is automatically logged into clearspace without a problem. We want to disable the auto login behavior in 1.7....

                       

                      2007.11.09 15:35:45 Setting contentType of response to "text/html; charset=ISO-8859-1"

                      2007.11.09 15:35:45 Creating an AuthToken in LdapAuthFactory.createAuthToken(username,password) - username is gknteamspace1...

                      2007.11.09 15:35:45 Trying to find a user's DN based on their username. sAMAccountName: gknteamspace1, Base DN: DC=company,DC=domain,DC=pvt...

                      2007.11.09 15:35:45 Creating a DirContext in LdapManager.getContext()...

                      2007.11.09 15:35:45 Created hashtable with context values, attempting to create context...

                      2007.11.09 15:35:45 ... context created successfully, returning.

                      2007.11.09 15:35:45 Starting LDAP search...

                      2007.11.09 15:35:45 Finding (&(sAMAccountName=*)(sAMAccountName=gknteamspace1))

                      2007.11.09 15:35:45 ... search finished

                      2007.11.09 15:35:45 Found userDN: CN=GKN Teamspace 1,OU=Users,OU=Intranet,OU=Global Systems for username: gknteamspace1.

                      2007.11.09 15:35:45 In LdapManager.checkAuthentication(userDN, password), userDN is: CN=GKN Teamspace 1,OU=Users,OU=Intranet,OU=Global Systems...

                      2007.11.09 15:35:45 Created context values, attempting to create context...

                      2007.11.09 15:35:45 Caught a naming exception when creating InitialContext

                      2007.11.09 15:35:45 Could not close context: java.lang.NullPointerException

                      2007.11.09 15:35:45 Authentication based on userDN: CN=GKN Teamspace 1,OU=Users,OU=Intranet,OU=Global Systems failed, throwing UnauthorizedException

                      2007.11.09 15:35:45 Setting contentType of response to "text/html; charset=ISO-8859-1"

                      2007.11.09 15:35:45 Creating an AuthToken in LdapAuthFactory.createAuthToken(username,password) - username is gknteamspace1...

                      2007.11.09 15:35:45 Trying to find a user's DN based on their username. sAMAccountName: gknteamspace1, Base DN: DC=company,DC=domain,DC=pvt...

                      2007.11.09 15:35:45 Creating a DirContext in LdapManager.getContext()...

                      2007.11.09 15:35:45 Created hashtable with context values, attempting to create context...

                      2007.11.09 15:35:45 ... context created successfully, returning.

                      2007.11.09 15:35:45 Starting LDAP search...

                      2007.11.09 15:35:45 Finding (&(sAMAccountName=*)(sAMAccountName=gknteamspace1))

                      2007.11.09 15:35:45 ... search finished

                      2007.11.09 15:35:45 Found userDN: CN=GKN Teamspace 1,OU=Users,OU=Intranet,OU=Global Systems for username: gknteamspace1.

                      2007.11.09 15:35:45 In LdapManager.checkAuthentication(userDN, password), userDN is: CN=GKN Teamspace 1,OU=Users,OU=Intranet,OU=Global Systems...

                      2007.11.09 15:35:45 Created context values, attempting to create context...

                      2007.11.09 15:35:45 Caught a naming exception when creating InitialContext

                      2007.11.09 15:35:45 Could not close context: java.lang.NullPointerException

                      2007.11.09 15:35:45 Authentication based on userDN: CN=GKN Teamspace 1,OU=Users,OU=Intranet,OU=Global Systems failed, throwing UnauthorizedException

                      2007.11.09 15:35:45 In LocaleInterceptor

                      2007.11.09 15:35:45 Determining Theme for request.

                      2007.11.09 15:35:45 Did not get theme for request. Checking Global

                      2007.11.09 15:35:45  Finished determineTheme

                      2007.11.09 15:35:45 Setting locale to 'en_US' from community object.

                      2007.11.09 15:35:45 Leaving LocaleInterceptor

                      2007.11.09 15:35:45 Determining Theme for request.

                      2007.11.09 15:35:45 Did not get theme for request. Checking Global

                      2007.11.09 15:35:45 Creating an AuthToken in LdapAuthFactory.createAuthToken(username,password) - username is gknteamspace1...

                      2007.11.09 15:35:45 Trying to find a user's DN based on their username. sAMAccountName: gknteamspace1, Base DN: DC=company,DC=domain,DC=pvt...

                      2007.11.09 15:35:45 Creating a DirContext in LdapManager.getContext()...

                      2007.11.09 15:35:45 Created hashtable with context values, attempting to create context...

                      2007.11.09 15:35:45 ... context created successfully, returning.

                      2007.11.09 15:35:45 Starting LDAP search...

                      2007.11.09 15:35:45 Finding (&(sAMAccountName=*)(sAMAccountName=gknteamspace1))

                      2007.11.09 15:35:45 ... search finished

                      2007.11.09 15:35:45 Found userDN: CN=GKN Teamspace 1,OU=Users,OU=Intranet,OU=Global Systems for username: gknteamspace1.

                      2007.11.09 15:35:45 In LdapManager.checkAuthentication(userDN, password), userDN is: CN=GKN Teamspace 1,OU=Users,OU=Intranet,OU=Global Systems...

                      2007.11.09 15:35:45 Created context values, attempting to create context...

                      2007.11.09 15:35:45 Caught a naming exception when creating InitialContext

                      2007.11.09 15:35:45 Could not close context: java.lang.NullPointerException

                      2007.11.09 15:35:45 Authentication based on userDN: CN=GKN Teamspace 1,OU=Users,OU=Intranet,OU=Global Systems failed, throwing UnauthorizedException

                      2007.11.09 15:35:45 In LocaleInterceptor

                      2007.11.09 15:35:45 Determining Theme for request.

                      2007.11.09 15:35:45 Did not get theme for request. Checking Global

                      2007.11.09 15:35:45  Finished determineTheme

                      2007.11.09 15:35:45 Setting locale to 'en_US' from community object.

                      2007.11.09 15:35:45 Leaving LocaleInterceptor

                      2007.11.09 15:35:45 Determining Theme for request.

                      2007.11.09 15:35:45 Did not get theme for request. Checking Global

                      2007.11.09 15:35:45 Determining Theme for request.

                      2007.11.09 15:35:45 Did not get theme for request. Checking Global

                      2007.11.09 15:35:45 Determining Theme for request.

                      2007.11.09 15:35:45 Did not get theme for request. Checking Global

                      2007.11.09 15:35:45 Creating an AuthToken in LdapAuthFactory.createAuthToken(username,password) - username is gknteamspace1...

                      2007.11.09 15:35:45 Trying to find a user's DN based on their username. sAMAccountName: gknteamspace1, Base DN: DC=company,DC=domain,DC=pvt...

                      2007.11.09 15:35:45 Creating a DirContext in LdapManager.getContext()...

                      2007.11.09 15:35:45 Created hashtable with context values, attempting to create context...

                      2007.11.09 15:35:45 ... context created successfully, returning.

                      2007.11.09 15:35:45 Starting LDAP search...

                      2007.11.09 15:35:45 Finding (&(sAMAccountName=*)(sAMAccountName=gknteamspace1))

                      2007.11.09 15:35:45 ... search finished

                      2007.11.09 15:35:45 Found userDN: CN=GKN Teamspace 1,OU=Users,OU=Intranet,OU=Global Systems for username: gknteamspace1.

                      2007.11.09 15:35:45 In LdapManager.checkAuthentication(userDN, password), userDN is: CN=GKN Teamspace 1,OU=Users,OU=Intranet,OU=Global Systems...

                      2007.11.09 15:35:45 Created context values, attempting to create context...

                      2007.11.09 15:35:45 Caught a naming exception when creating InitialContext

                      2007.11.09 15:35:45 Could not close context: java.lang.NullPointerException

                      2007.11.09 15:35:45 Authentication based on userDN: CN=GKN Teamspace 1,OU=Users,OU=Intranet,OU=Global Systems failed, throwing UnauthorizedException

                      2007.11.09 15:35:45 In LocaleInterceptor

                      2007.11.09 15:35:45 Determining Theme for request.

                      2007.11.09 15:35:45 Did not get theme for request. Checking Global

                      2007.11.09 15:35:45  Finished determineTheme

                      2007.11.09 15:35:45 Setting locale to 'en_US' from community object.

                      2007.11.09 15:35:45 Leaving LocaleInterceptor

                      2007.11.09 15:35:45 Determining Theme for request.

                      2007.11.09 15:35:45 Did not get theme for request. Checking Global

                      2007.11.09 15:35:45 Creating an AuthToken in LdapAuthFactory.createAuthToken(username,password) - username is gknteamspace1...

                      2007.11.09 15:35:45 Trying to find a user's DN based on their username. sAMAccountName: gknteamspace1, Base DN: DC=company,DC=domain,DC=pvt...

                      2007.11.09 15:35:45 Creating a DirContext in LdapManager.getContext()...

                      2007.11.09 15:35:45 Created hashtable with context values, attempting to create context...

                      2007.11.09 15:35:45 ... context created successfully, returning.

                      2007.11.09 15:35:45 Starting LDAP search...

                      2007.11.09 15:35:45 Finding (&(sAMAccountName=*)(sAMAccountName=gknteamspace1))

                      2007.11.09 15:35:45 ... search finished

                      2007.11.09 15:35:45 Found userDN: CN=GKN Teamspace 1,OU=Users,OU=Intranet,OU=Global Systems for username: gknteamspace1.

                      2007.11.09 15:35:45 In LdapManager.checkAuthentication(userDN, password), userDN is: CN=GKN Teamspace 1,OU=Users,OU=Intranet,OU=Global Systems...

                      2007.11.09 15:35:45 Created context values, attempting to create context...

                      2007.11.09 15:35:45 Caught a naming exception when creating InitialContext

                      2007.11.09 15:35:45 Could not close context: java.lang.NullPointerException

                      2007.11.09 15:35:45 Authentication based on userDN: CN=GKN Teamspace 1,OU=Users,OU=Intranet,OU=Global Systems failed, throwing UnauthorizedException

                      2007.11.09 15:35:45 In LocaleInterceptor

                      2007.11.09 15:35:45 Determining Theme for request.

                      2007.11.09 15:35:45 Did not get theme for request. Checking Global

                      2007.11.09 15:35:45  Finished determineTheme

                      2007.11.09 15:35:45 Setting locale to 'en_US' from community object.

                      2007.11.09 15:35:45 Leaving LocaleInterceptor

                      2007.11.09 15:35:45 Determining Theme for request.

                      2007.11.09 15:35:45 Did not get theme for request. Checking Global
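A defender-side check that can be run over a Clearspace debug log like the one quoted above to spot an account whose burst of failed Active Directory binds is about to trip the domain lockout policy. This is an added example, not code from the thread or from Jive; the sample lines are constructed in the same log format, and the 5-failure threshold and 60-second window are assumptions that should be set to the domain's actual lockout policy.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the Clearspace 1.7 debug-log format quoted in the thread
# (not the thread's own log): five failed AD binds for one account inside one
# second, two failures 88 s apart for another account, and one successful bind.
ATTEMPT = ("Creating an AuthToken in LdapAuthFactory.createAuthToken"
           "(username,password) - username is {}...")
FAILED = "Authentication based on userDN: {} failed, throwing UnauthorizedException"
SAMPLE_LOG = "\n".join(
    ["2007.11.09 15:35:45 " + ATTEMPT.format("gknteamspace1"),
     "2007.11.09 15:35:45 " + FAILED.format("CN=GKN Teamspace 1,OU=Users")] * 5
    + ["2007.11.09 15:38:10 " + ATTEMPT.format("ops1"),
       "2007.11.09 15:38:10 ... context created successfully, returning.",
       "2007.11.09 15:40:02 " + ATTEMPT.format("alice"),
       "2007.11.09 15:40:02 " + FAILED.format("CN=Alice,OU=Users"),
       "2007.11.09 15:41:30 " + ATTEMPT.format("alice"),
       "2007.11.09 15:41:30 " + FAILED.format("CN=Alice,OU=Users")])

LINE_RE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
USER_RE = re.compile(r"createAuthToken\(.*?\) - username is (\S+?)\.\.\.$")
FAIL_MARK = "failed, throwing UnauthorizedException"

def parse_debug_log(text):
    # Returns (timestamp, username, "attempt" | "failure") events. The failure line
    # names only the DN, so it is attributed to the most recent createAuthToken line.
    events, pending_user = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S"), m.group(2)
        u = USER_RE.search(msg)
        if u:
            pending_user = u.group(1)
            events.append((ts, pending_user, "attempt"))
        elif FAIL_MARK in msg and pending_user:
            events.append((ts, pending_user, "failure"))
            pending_user = None  # one failure closes one attempt
    return events

def max_failures_in_window(events, window_seconds=60):
    # Per user, the most failed binds that fall inside any sliding time window.
    stamps = {}
    for ts, user, kind in events:
        if kind == "failure":
            stamps.setdefault(user, []).append(ts)
    window, result = timedelta(seconds=window_seconds), {}
    for user, times in stamps.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        result[user] = best
    return result

def lockout_risk(text, threshold=5, window_seconds=60):
    # Users whose burst of failed binds reaches the assumed AD lockout threshold.
    counts = max_failures_in_window(parse_debug_log(text), window_seconds)
    return {u: n for u, n in counts.items() if n >= threshold}
```

Run against the sample, `lockout_risk(SAMPLE_LOG)` flags only gknteamspace1 with 5 failures in one burst, which is the pattern the thread describes; alice's two failures are 88 seconds apart and stay under the 60-second window.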