[FIXED] Tigase 7.1.0 LDAP Authentication Problem

Ronald Chuck
Added almost 2 years ago

Hi, I just updated to the new Tigase 7.1.0 release and I have some trouble getting LDAP authentication to work. I use the same config files as with 7.0.4.

Some clients work fine (psi, jitsi (debian + android), jtalk) but others won't authenticate (conversations (android), movim).

Here is the error log message I get when I try to connect to the server:

2017-02-19 21:10:12.014 [ConnectionOpenThread] SocketThread.() WARNING: 17 socketReadThreads started.
2017-02-19 21:10:12.155 [ConnectionOpenThread] SocketThread.() WARNING: 17 socketWriteThreads started.
2017-02-19 21:10:12.270 [urn:ietf:params:xml:ns:xmpp-sasl Queue Worker 4] ScramCallbackHandler.handleSaltedPasswordCallbackCallback() WARNING: Can't retrieve user password.
tigase.db.TigaseDBException: Not available
    at tigase.db.ldap.LdapAuthProvider.getPassword(LdapAuthProvider.java:294)
    at tigase.db.AuthRepositoryMDImpl.getPassword(AuthRepositoryMDImpl.java:280)
    at tigase.auth.impl.ScramCallbackHandler.handleSaltedPasswordCallbackCallback(ScramCallbackHandler.java:144)
    at tigase.auth.impl.ScramCallbackHandler.handleCallback(ScramCallbackHandler.java:77)
    at tigase.auth.impl.ScramCallbackHandler.handle(ScramCallbackHandler.java:48)
    at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:52)
    at tigase.auth.mechanisms.AbstractSaslSCRAM.processClientFirstMessage(AbstractSaslSCRAM.java:209)
    at tigase.auth.mechanisms.AbstractSaslSCRAM.evaluateResponse(AbstractSaslSCRAM.java:151)
    at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:277)
    at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2562)
    at tigase.util.WorkerThread.run(WorkerThread.java:128)

Here is my Tigase LDAP auth + user DB configuration:

MySQL Database Configuration
--user-db=mysql
--user-db-uri=jdbc:mysql://localhost:3306/tigasedatabase?user=tigaseuser&password=pass&useUnicode=true&characterEncoding=UTF-8&autoCreateUser=true

LDAP
--auth-db=tigase.db.ldap.LdapAuthProvider
--auth-db-uri=ldaps://ldap.domain.com:636
basic-conf/auth-repo-params/user-dn-pattern=uid=%1$s,ou=Users,dc=domain,dc=com
basic-conf/auth-repo-params/sasl-mechs=PLAIN,DIGEST-MD5,CRAM-MD5
basic-conf/auth-repo-params/non-sasl-mechs=password,digest

Maybe this has something to do with the auth mechanism used by movim and conversations? If you need a test account please let me know!

Thanks in advance,

Ronald Chuck

EDIT1: Oh I think conversations and movim use websocket authentication,...

After reading the Tigase 7.1.0 changelog I tried to set --ws-allow-unmasked-frames=true, ... this did not solve the problem.

EDIT2: Hmm... could it be that there is a typo in the websocket documentation (http://docs.tigase.org/tigase-server/7.1.0/Administration_Guide/webhelp/_websocket.html)?

5291 should be 'ssl' and 5290 'plain'? (I just recognized this while reading through the documentation, not related to this problem...)

EDIT3: I was wrong with EDIT1...

EDIT4: More verbose log, conversations uses SCRAM-SHA-1

2017-02-20 01:53:20.609 [urn:ietf:params:xml:ns:xmpp-sasl Queue Worker 15] SaslAuth.process() FINEST: Start SASL auth. mechanism=SCRAM-SHA-1
2017-02-20 01:53:20.614 [urn:ietf:params:xml:ns:xmpp-sasl Queue Worker 15] ScramCallbackHandler.handleSaltedPasswordCallbackCallback() WARNING: Can't retrieve user password.
tigase.db.TigaseDBException: Not available
    at tigase.db.ldap.LdapAuthProvider.getPassword(LdapAuthProvider.java:294)
    at tigase.db.AuthRepositoryMDImpl.getPassword(AuthRepositoryMDImpl.java:280)
    at tigase.auth.impl.ScramCallbackHandler.handleSaltedPasswordCallbackCallback(ScramCallbackHandler.java:144)
    at tigase.auth.impl.ScramCallbackHandler.handleCallback(ScramCallbackHandler.java:77)
    at tigase.auth.impl.ScramCallbackHandler.handle(ScramCallbackHandler.java:48)
    at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:52)
    at tigase.auth.mechanisms.AbstractSaslSCRAM.processClientFirstMessage(AbstractSaslSCRAM.java:209)
    at tigase.auth.mechanisms.AbstractSaslSCRAM.evaluateResponse(AbstractSaslSCRAM.java:151)
    at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:277)
    at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2562)
    at tigase.util.WorkerThread.run(WorkerThread.java:128)
2017-02-20 01:53:20.617 [urn:ietf:params:xml:ns:xmpp-sasl Queue Worker 15] SaslAuth.process() FINER: SASL unsuccessful
javax.security.sasl.SaslException: Unknown user
    at tigase.auth.mechanisms.AbstractSaslSCRAM.processClientFirstMessage(AbstractSaslSCRAM.java:212)
    at tigase.auth.mechanisms.AbstractSaslSCRAM.evaluateResponse(AbstractSaslSCRAM.java:151)
    at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:277)
    at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2562)
    at tigase.util.WorkerThread.run(WorkerThread.java:128)

EDIT5: Working PSI log (uses PLAIN), ... here is also a 'tigase.db.UserNotFoundException', something seems very fishy to me....

humer@domain.com exists in the tig_users MySQL table! I somehow think that there is a MySQL database schema issue, but I may be completely wrong...

2017-02-20 02:23:36.783 [urn:ietf:params:xml:ns:xmpp-sasl Queue Worker 9] SaslAuth.process() FINEST: Start SASL auth. mechanism=PLAIN
2017-02-20 02:23:37.041 [urn:ietf:params:xml:ns:xmpp-sasl Queue Worker 9] SaslAuth.process() FINEST: Authorized as humer@domain.com
2017-02-20 02:23:37.408 [amp Queue Worker 3] MessageAmp.process() INFO: Something wrong, DB problem, cannot load offline messages. tigase.db.UserNotFoundException: User: humer@domain.com was not found in database.

EDIT6: Fixed by disabling SCRAM-SHA-1, I think this is related to https://projects.tigase.org/issues/4678

Replies (1)

Added by Wojciech Kapcia TigaseTeam almost 2 years ago

Ronald Chuck wrote:

    EDIT6: Fixed by disabling SCRAM-SHA-1, I think this is related to https://projects.tigase.org/issues/4678

This is correct: not all repositories support SCRAM authentication, and the appropriate check will be implemented in #4814.
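Why SCRAM-SHA-1 fails against a bind-only LDAP backend while PLAIN works, as an added Python example (not Tigase code): in SCRAM the server must derive StoredKey from the stored secret to check the client's proof, so a repository whose get_password() raises "Not available" can never finish the exchange, and the mitigation is to stop advertising SCRAM-* when the repository cannot supply the secret. The repository classes, user, salt and AuthMessage are constructed stand-ins, not Tigase's own API.

```python
import hashlib
import hmac

class NotAvailable(Exception):
    """Raised by a repository that can check a password (LDAP bind) but cannot return it."""

class DbAuthRepository:
    """Hypothetical stand-in for a user table the XMPP server controls itself."""
    supports_password_retrieval = True
    def __init__(self, users):
        self._users = users
    def get_password(self, user):
        return self._users[user]

class BindOnlyLdapRepository:
    """Hypothetical stand-in for an LDAP provider: it can bind, never read back."""
    supports_password_retrieval = False
    def get_password(self, user):
        raise NotAvailable("Not available")  # the exception seen in the log

def scram_sha1_keys(password, salt, iterations=4096):
    """RFC 5802 derivation: SaltedPassword -> ClientKey, StoredKey, ServerKey."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return client_key, stored_key, server_key

def client_proof(client_key, stored_key, auth_message):
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, sig))

def server_verify(repo, user, salt, auth_message, proof):
    """Server side: needs the secret from the repository to rebuild StoredKey."""
    try:
        password = repo.get_password(user)
    except NotAvailable:
        return False  # "Can't retrieve user password" -> SASL unsuccessful
    _, stored_key, _ = scram_sha1_keys(password, salt)
    sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    recovered_client_key = bytes(a ^ b for a, b in zip(proof, sig))
    return hmac.compare_digest(hashlib.sha1(recovered_client_key).digest(), stored_key)

def advertised_sasl_mechs(repo, configured):
    """Negotiation check: offer SCRAM-* only when the repository can supply the secret."""
    if repo.supports_password_retrieval:
        return list(configured)
    return [m for m in configured if not m.startswith("SCRAM-")]
```

With the LDAP stand-in the negotiation step leaves only PLAIN/DIGEST-MD5 on offer, which is what the poster achieved by hand in EDIT6.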