powered by Jive Software

Active Directory Questions from prospective customer

I am considering using Wildfire at our company, but need to integrate it with our existing, large sized Active Directory. However, although it’'s said that Wildfire does work with AD, I have some specific questions regarding our peculiar and complex AD configuration:

  1. Can Wildfire integrate with a multi-realm/multi-domain AD environment, where we have some users with id1@abc.com and others with id2@def.com ? We need to be able to specify multiple (more than 2) search locations

  2. It appears from other posts that search filters can be used to screen out users, but is it best practice that the Jabber users within AD are placed into a specific AD group or groups?

  3. How large an AD can be handled? Or does AD size not matter? We may have thousands of users

  4. Can AD groups be passed to Wildfire so that they become shared IM groups?

  5. Can traffic to/from the AD server be secured with SSL?

  6. Does Wildfire communicate with the Domain Controller or the Global Catalog?

Thanx for your help!

  1. Can Wildfire integrate with a

multi-realm/multi-domain AD environment, where we

have some users with id1@abc.com and others with

id2@def.com ? We need to be able to specify multiple

(more than 2) search locations

Your best bet here is to just use 2 servers, one for each realm. The Jabber servers will be able to communicate with eachother. I dont even know if it would be possible to have a single Wildfire server with multiple realms.

  1. It appears from other posts that search filters

can be used to screen out users, but is it best

practice that the Jabber users within AD are placed

into a specific AD group or groups?

How well do you know LDAP? If you know LDAP fairly well, any LDAP query you can craft Wildfire can use. I prefer to add an attribute to the user to designate Jabber ability as it makes the query a little easier to read.

  1. How large an AD can be handled? Or does AD size

not matter? We may have thousands of users

You should be able to handle thousands of users, provided you are using decent hardware. If that gets spliti between 2 servers (as mentioned above) it certainly wont be a problem.

  1. Can AD groups be passed to Wildfire so that they

become shared IM groups?

Yes.

  1. Can traffic to/from the AD server be secured with

SSL?

Yes.

  1. Does Wildfire communicate with the Domain

Controller or the Global Catalog?

Ive never touched AD before, so I dont really understand this question. Maybe someone else can answer it better. But Wildfire just needs to communicate with the LDAP service, wherever that gets set up (it dosnt have to be the master, a replica is acceptable)

Has the 1000 user list limit issue been resolved yet?

(http://www.jivesoftware.org/community/thread.jspa?messageID=99484&#99484) and others.

It’'s not clear to me that there is a fix. That would impact a large AD implementation (like mine).

Thanks

Pat

I am using eDirectory LDAP so not sure if this applies or not, however I have 24, 674 user as of yesterday, and if I do not use my filter, Wildfire will happily return everyone of them much to the delight of this administrator… You can hear the sarcasm right? Seriously though. I am running 2.5.1 on a test box, I am running 2.6.0 nightly on two other boxes all querying the same LDAP database. If I set my view in the webadmin portal to show 100 users per it returns (albiet a little slowly) all 24K plus users on 247 pages.

Now 2.6.0 does this quicker, and with the CDATA search string that we put together, it only returns 3300 users now. So I am not really sure what this 1000 user limit thing is…

Hope this helps a little. You know an easy test, set one up, grab an old P3, stuff 1 gig of ram in it (for speed only mind you) Drop Fedora 2,3,4 on it, setup Wildfire, and the config pointing back to your Active directory. Takes a little bit, but this board can help so it wont be that hard.

The LDAP search is done against a DC not your catalog server.

Jeff

Has the 1000 user list limit issue been resolved

yet?

Nope, no specific fix for that issue yet, although perhaps the workaround mentioned in the thread you linked to will work?

Also, as far as I know, this issue will only affect listing out users in the admin console and not the main integration itself.

Regards,

Matt