AD settings that work

Can someone post their settings for getting a Unix Jive server talking with a Windows AD server? I've tried all I can think of and am stuck, and not gotten much feedback from my Q's. Thanks

Below is what works for me. Assuming the NetBIOS domain name is “domain” and the fqdn of the server is “host.domain.tld” and the FQDN is the same as the ADS structure. Also assuming there is an OU called “Groups” under the “Users” container where I've placed an “IMGROUP” group whose members are allowed to logon.

Also note that I've commented out the group search section and the provider section relative to groups. AD group integration is not working properly yet so I chose to do shared groups manually via the JM administrative interface. The filter I have there does work, but the JM bug is too much of a headache to deal with right now so I commented the filter until the bug is resolved.

The below has been working for me for quite some time with no problems at all. The debug log (notice I have it turned on) provides lots of useful info for troubleshooting any problems. Also be sure to monitor the Security logs on your ADS controller to see if there are any authentication problems there.

Good luck!

<!--
<groupSearchFilter><![CDATA[
(&
(member=)
(objectClass=group)
(sAMAccountName=IMGROUP)
)
]]></groupSearchFilter>
-->

<searchFilter><![CDATA[
(&
(objectCategory=Person)
(memberOf=cn=IMGROUP,ou=Groups,ou=Users,dc=domain,dc=tld)
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
(sAMAccountName=)
)
]]></searchFilter>

How does one come up with that for the search filter? I'm now getting closer, and I see the following error in my logs. Anyone have some suggestions of where to go next with this?

2005.11.01 17:44:59 Connect Socket[addr=/172.16.139.102,port=38277,localport=5222]

2005.11.01 17:45:01 Trying to find a user's DN based on their username. sAMAccountName:dmacpherson, Base DN: CN=Users,DC=mainframe,DC=ca…
2005.11.01 17:45:01 Creating a DirContext in LdapManager.getContext()…
2005.11.01 17:45:01 Created hashtable with context values, attempting to create context…
2005.11.01 17:45:01 Exception thrown when searching for userDN based on username 'dmacpherson'
javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893

My config looks like:

9090
9091
Administrator,dmacpherson
en
org.jivesoftware.database.EmbeddedConnectionProvider
true
pluto.mainframe.ca
389
sAMAccountName
true
displayName
mail
CN=Users,DC=mainframe,DC=ca
CN=jabber,CN=Users,DC=mainframe,DC=ca
jabber
<![CDATA[
(&
(objectCategory=Person)
(memberOf=CN=IMGROUP,OU=Groups,dc=mainframe,dc=ca)
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
(sAMAccountName=)
)
]]>
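To answer the "how does one come up with that" question, here is an added example (not code from the thread or from Jive) that assembles the same searchFilter clause by clause and applies the identical four tests to a few constructed AD entries, so you can see what each clause excludes. The group DN, the entries and the helper names are assumptions; the username is escaped per RFC 4515 before substitution, which is what keeps a login name from rewriting the filter.

```python
# Added example, not from the thread: build the Jive searchFilter the posters use and
# evaluate the same four tests locally on constructed entries. Group DN and entries are made up.
ACCOUNTDISABLE = 0x2  # userAccountControl bit the bitwise-AND clause tests for
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # AD's LDAP_MATCHING_RULE_BIT_AND OID


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a username like 'a)(cn=*' cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_logon_filter(username: str, group_dn: str) -> str:
    """The filter from the thread with the username substituted in (sAMAccountName={0} in Jive)."""
    return (
        "(&(objectCategory=Person)"
        f"(memberOf={escape_filter_value(group_dn)})"
        f"(!(userAccountControl:{BIT_AND_RULE}:=2))"
        f"(sAMAccountName={escape_filter_value(username)}))"
    )


def matches_logon_filter(entry: dict, username: str, group_dn: str) -> bool:
    """Same semantics as the filter, evaluated on one entry. AD resolves objectCategory=Person
    to the full schema DN, so the local check looks at the DN's leading RDN."""
    return (
        entry.get("objectCategory", "").lower().startswith("cn=person")
        and group_dn.lower() in (dn.lower() for dn in entry.get("memberOf", []))
        and not (entry.get("userAccountControl", 0) & ACCOUNTDISABLE)
        and entry.get("sAMAccountName", "").lower() == username.lower()
    )


GROUP_DN = "cn=IMGROUP,ou=Groups,ou=Users,dc=domain,dc=tld"  # assumed, mirrors the thread
PERSON = "CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=tld"  # assumed schema DN

# Constructed entries: an enabled member (512), a disabled member (512 | 2), a non-member.
DIRECTORY = [
    {"sAMAccountName": "alice", "objectCategory": PERSON, "memberOf": [GROUP_DN], "userAccountControl": 512},
    {"sAMAccountName": "bob", "objectCategory": PERSON, "memberOf": [GROUP_DN], "userAccountControl": 514},
    {"sAMAccountName": "carol", "objectCategory": PERSON, "memberOf": [], "userAccountControl": 512},
]


def allowed_to_logon(username: str) -> bool:
    """True only for an enabled Person object that is a member of the IM group."""
    return any(matches_logon_filter(e, username, GROUP_DN) for e in DIRECTORY)
```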

Had to get the baseDN settings correct.
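The "error code 49 ... data 525" line above is the clue that led to the baseDN fix: result 49 only says the bind was refused, and the AD sub-code after "data" says why (525 is "user not found", which is what a wrong base DN or username attribute produces). The following is an added example, not code from the thread or from Jive, that parses that line and tallies sub-codes across a constructed log; the sub-code table is the documented AD set.

```python
# Added example, not from the thread: decode the AD bind-failure text that Jive logs and
# tally sub-codes over a constructed log. The sub-code meanings are Microsoft's documented ones.
import re
from collections import Counter

AD_BIND_SUBCODES = {
    "525": "user not found (DN lookup failed; check baseDN / usernameField)",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_BIND_ERR = re.compile(
    r"error code (?P<code>\d+) - (?P<hr>[0-9A-Fa-f]+): LdapErr: DSID-[0-9A-Fa-f]+, "
    r"comment: (?P<stage>\w+) error, data (?P<data>[0-9A-Fa-f]+)"
)


def decode_ad_bind_error(message: str):
    """Return the parsed fields plus a human-readable meaning, or None for other lines."""
    m = _BIND_ERR.search(message)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "ldap_code": int(m.group("code")),  # 49 = invalidCredentials
        "stage": m.group("stage"),          # AcceptSecurityContext = the bind itself failed
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
    }


# Constructed log: the line quoted in the thread, a wrong-password variant, and a non-error line.
SAMPLE_LOG = [
    "javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893",
    "javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893",
    "2005.11.01 17:44:59 Connect Socket[addr=/172.16.139.102,port=38277,localport=5222]",
]


def tally_bind_failures(lines):
    """Count bind failures per sub-code; a burst of 52e from one source reads very differently from 525."""
    decoded = (decode_ad_bind_error(line) for line in lines)
    return Counter(r["data"] for r in decoded if r)
```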

Can you post your completed settings with the correct BaseDN? We are having similar difficulties getting jive to communicate with AD.

Thanks,

Joe


are you using W2K3 by chance?

Thanks for replying. Not yet. We have installed Jive on a desktop pc that is running Linux Fedora Core 4. We are trying to get it to query our active directory server which is running WS2000. We are able to log into the Jive admin web interface, but have yet to see any communication between Jive and Active directory. We would greatly appreciate any help you can give us.

Here are our configs:

This works for our authentication needs, though I'm only letting about 10 people test it right now

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin ?
cache_swap_high 90
ftp_user squid@domain.com
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol on
auth_param basic children 5
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "DC=domain,DC=com" -D "CN=squid,CN=Users,DC=mainframe,DC=ca" -w "squid" -f sAMAccountName=%s -h server.domain.com
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 minutes
auth_param basic casesensitive off
external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "DC=domain,DC=com" -D "CN=squid,CN=Users,DC=domain,DC=com" -w "squid" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,CN=Users,DC=domain,DC=com))" -h server.domain.com
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
maximum_object_size 32 MB
cache_replacement_policy heap LFUDA
# Some debug
#debug_options ALL,1 33,2
# Lots of debug
#debug_options ALL,1 28,9
# Allow allowed_hosts without authentication
acl allowed_hosts src "/root/allowed_hosts"
http_access allow allowed_hosts
acl AuthorizedUsers proxy_auth REQUIRED
acl InetAccess external InetGroup "/root/groups"
acl local_nets src x.x.x.x/24
http_access allow local_nets InetAccess AuthorizedUsers
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl FTP proto FTP
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
cache_mgr it@domain.com
cache_dir ufs /var/spool/squid 175000 16 256

I'm using W2K3 and am having similar pain with LDAP, and of course, my own inexperience with LDAP doesn't help.

One difference I've seen is in the BaseDN, some examples show:

ou=Users,dc=domain,dc=tld

others

cn=Users,dc=domain,dc=tld

Using a free utility called LDAP browser, there is a Users group that shows up on my domain as a CN and not as an OU - is this a difference between W2K and W2K3? Changing the baseDN to reflect this made things work.

I strongly recommend anybody trying to get this up and going to download LDAP browser (http://www.ldapbrowser.com/download/) and use that to find out your distinguished names.

I seem to recall one of the differences was not allowing anonymous access to the AD. I think the diff tween the OU= or CN= depends on your setup.

Merci - works like a champ!

A minor irritant - the account that I use for adminDN to get LDAP to work seems to have to be in the group that I include in the searchFilter. Is there any way around this, or to “hide” this account from the Jive contact list?

These settings are for Jive?

hehehe. Man, where's my brain? No map included.

ya sorry that was squid config.

sigh.

here ya go:

I spent a better part of a day going through different configurations and finally got it to work when I created a new, regular domain user account to do the LDAP lookup.

Here's my config file (Win2K3 AD server internal, Linux-based Jive server DMZ with LDAP traffic passing through); I've put in caps the settings that you will have to substitute. My AD tree looks like:

domain
  • Domain Users (OU)
    – department (OU)
      — user accounts
  • Users (default group)
    – jabber account

– quote –

– unquote –

One thing I noted I had trouble with that might be nothing but at least worth mentioning is the account I originally set up for LDAP lookup had a First and Last name but a merged firstlastname user account name. For some reason or another, Jabber couldn't authenticate using this account so I created a First name (jabber) and user account name (jabber) and things started to work.

Good luck.