Can someone post their settings for getting a Unix Jive server talking with a Windows AD server? I’‘ve tried all I can think of and am stuck, and not gotten much feedback from my Q’'s. Thanks
Below is what works for me. Assuming the NetBIOS domain name is “domain” and the fqdn of the server is “host.domain.tld” and the FQDN is the same as the ADS structure. Also assuming there is an OU called “Groups” under the “Users” container where I’'ve placed a “IMGROUP” group whose members are allowed to logon.
Also note that I’'ve commented out the group search section and the provider section relative to groups. AD group integration is not working properly yet so I chose to do shared groups manually via the JM administrative interface. The filter I have there does work, but the JM bug is too much of a headache to deal with right now so I commented the filter until the bug is resolved.
The below has been working for me for quite some time with no problems at all. The debug log (notice I have it turned on) provides lots of useful info for troubleshooting any problems. Also be sure to monitor the Security logs on your ADS controller to see if there are any authentication problems there.
<!-- <groupSearchFilter> <![CDATA[ (& (member=)
]]></searchFilter> How does one come up with that for the search filter? I''m now getting closer, and I see the following error in my logs. Anyone have some suggestions of where to go next with this? 2005.11.01 17:44:59 Connect Socket[addr=/172.16.139.102,port=38277,localport=5222]
2005.11.01 17:45:01 Trying to find a user’'s DN based on their username. sAMAccountName:dmacpherson, Base DN: CN=Users,DC=mainframe,DC=ca…
2005.11.01 17:45:01 Creating a DirContext in LdapManager.getContext()…
2005.11.01 17:45:01 Created hashtable with context values, attempting to create context…
2005.11.01 17:45:01 Exception thrown when searching for userDN based on username '‘dmacpherson’'
javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893 My config looks like: 9090 9091 Administrator,dmacpherson en org.jivesoftware.database.EmbeddedConnectionProvider true pluto.mainframe.ca 389 sAMAccountName true displayName mail CN=Users,DC=mainframe,DC=ca CN=jabber,CN=Users,DC=mainframe,DC=ca jabber <![CDATA[
Had to get the baseDN settings correct.
Can you post your completed settings with the correct BaseDN? We are having similar difficulties getting jive to communicate with AD.
Can you post your completed settings with the correct
BaseDN? We are having similar difficulties getting
jive to communicate with AD.
are you using W2K3 by chance?
Thanks for replying. Not yet. We have installed Jive on a desktop pc that is running Linux Fedora Core 4. We are trying to get it to query our active directory server which is running WS2000. We are able to log into the Jive admin web interface, but have yet to see any communication between Jive and Active directory. We would greatly appreciate any help you can give us.
Here are our configs:
This works for our authentication needs, though I’'m only letting about 10 people test it right now
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin ?
auth_param basic children 5
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b “DC=domain,DC=com” -D “CN=squid,CN=Users,DC=mainframe,DC=ca” -w “squid” -f sAMAccountName=%s -h server.domain.com
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 minutes
auth_param basic casesensitive off
external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b “DC=domain,DC=com” -D “CN=squid,CN=Users,DC=domain,DC=com” -w “squid” -f “(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,CN=Users,DC=domain,DC =com))” -h server.domain.com
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
maximum_object_size 32 MB
cache_replacement_policy heap LFUDA
- Some debug
#debug_options ALL,1 33,2
- Lots of debug
#debug_options ALL,1 28,9
- Allow allowed_hosts without authentication
acl allowed_hosts src “/root/allowed_hosts”
http_access allow allowed_hosts
acl AuthorizedUsers proxy_auth REQUIRED
acl InetAccess external InetGroup “/root/groups”
acl local_nets src x.x.x.x/24
http_access allow local_nets InetAccess AuthorizedUsers
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl FTP proto FTP
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_dir ufs /var/spool/squid 175000 16 256
I’‘m using W2K3 and am having similar pain with LDAP, and of course, my own inexperience with LDAP doesn’'t help.
One difference I’'ve seen is in the BaseDN, some examples show:
Using a free utility called LDAP browser, there is a Users group that shows up on my domain as a CN and not as an OU - is this a difference between W2K and W2K3? Changing the baseDN to reflect this made things work.
I strongly recommend anybody trying to get this up and going to download LDAP browser (http://www.ldapbrowser.com/download/) and use that to find out your distinguished names.
Using a free utility called LDAP browser, there is a
Users group that shows up on my domain as a CN and
not as an OU - is this a difference between W2K and
W2K3? Changing the baseDN to reflect this made
I seem to recall one of the differences was not allowing anonymous access to the AD. I think the diff tween the OU= or CN= depends on your setup.
Merci - works like a champ!
A minor irritant - the account that I use for adminDN to get LDAP to work seems to have to be in the group that I include in the searchFilter. Is there any way around this, or to “hide” this account from the Jive contact list?
These settings are for Jive?
hehehe. Man, wheres my brain? No map included.
ya sorry that was squid config.
here ya go:
I spent a better part of a day going through different configurations and finally got it to work when I created a new, regular domain user account to do the LDAP lookup.
Here’‘s my config file (Win2K3 AD server internal, Linux-based Jive server DMZ with LDAP traffic passing through); I’'ve put in caps the settings that you will have to substitute. My AD tree looks like:
- Domain Users (OU)
– department (OU)
— user accounts
- Users (default group)
– jabber account
– quote –
– unquote –
One thing I noted I had trouble with that might be nothing but at least worth mentioning is the account I originally set up for LDAP lookup had a First and Last name but a merged firstlastname user account name. For some reason or another, Jabber couldn’'t authenticate using this account so I created a First name (jabber) and user account name (jabber) and things started to work.