I’m trying to set up Wildfire 3.0.0 using LDAP authentication. I’ve followed the LDAP guide and have set up simple authentication for any user in the directory, but I would really like to restrict authenticated users to members of a particular group.
I’ve tried adding a searchFilter entry, checking that the user is a “memberOf” the particular group, but it doesn’t seem to work. Has anyone tried to do this before? I’m using OpenDirectory (OpenLDAP) on MacOS X Server 10.4, if that makes any difference.
I’ve got my LDAP setup using a group for Wildfire users, and it’s been working smoothly for some time now. You probably want your searchFilter to look something like this:
Thanks for the tip. I added a searchFilter entry with something similar to what you supplied, and no logins in the specified group worked.
Here’s the LDAP config I’m using:

org.jivesoftware.wildfire.ldap.LdapUserProvider
org.jivesoftware.wildfire.ldap.LdapAuthProvider

I’ve tried a number of variations on the search filter, but none seem to work:

<![CDATA[(&(uid=)(memberOf=cn=tlaf-staff,cn=Groups,dc=theli
This won’t work because OpenDirectory on OS X does not use the memberOf attribute.
I’ve just set up the same thing on our xserve. The problem is that OpenDirectory has a somewhat non-standard way of representing group membership.
My workaround is to set a specific primary group for users who should have access to jabber. You need to edit each user individually and change their primary group. Then you can use the filter
where gidNumber is the Group ID of the primary group you have set (you can see this ID in Workgroup Manager).
I don’t know how to create a filter that will work with groups other than the primary group, but it might be possible; I’m not very experienced with LDAP.
Gah… that’s a bit nasty. I’ve had a look around and it doesn’t look like there’s an easy way to do this, short of grabbing the members of a group and iterating over them when a user tries to log in. (Something which I doubt I could hook into Wildfire?)
Does anyone have any other suggestions on how to achieve this? I’m pretty stumped… I plan on using the same LDAP directory to authenticate JIRA and Confluence users, so I suspect I’ll run into the same problem then…
Not sure if the OP is still watching this thread, but I have a halfway solution for them.
I use OpenDirectory also, so I spent some time being frustrated.
Since memberOf doesn’t work, I created a group in OD for each of my offices with the name prefixed with “jabber”, such as “JabberSanJose”. Then, as you can see in my search filter for groups, I filter out all groups that don’t start with “jabber”. Now in my admin console I see only groups that start with the jabber name; from there I can edit the group and give it a nice display name and set which users have the group.
As for access, you can also see that I am currently allowing all my users access, which I really don’t want. So my thinking in the search filter would be to only allow users that have the apple-imhandle attribute (which is defined in the Workgroup Manager, Info page, Chat) with a value that begins with JABBER, so if I fill this value in the user should have access.
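Added example (not code from the thread or from Wildfire): a small Python evaluator for RFC 4515 user-entry filters, run against constructed OpenDirectory-style records, showing why a user-side memberOf filter matches nothing while the primary-group gidNumber filter and the apple-imhandle prefix filter from the posts above do select users. The DNs, group id and handle values are made up, and the {0} substitution is an assumption about how Wildfire applies ldap.searchFilter.

```python
from fnmatch import fnmatchcase

# Constructed OpenDirectory-style user records (sample data). OD keeps membership
# on the group record, not as memberOf on the user, so a memberOf test never matches.
USERS = {
    "alice": {"uid": ["alice"], "gidNumber": ["1025"],
              "apple-imhandle": ["Jabber:alice@example.com"]},
    "bob": {"uid": ["bob"], "gidNumber": ["20"]},
}

def parse(f, i=0):
    """Parse one parenthesised RFC 4515 filter at f[i]; return (node, next_i)."""
    assert f[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if f[i] in "&|!":  # AND / OR / NOT over nested filters
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        assert f[i] == ")", f"expected ')' at offset {i}"
        return (op, kids), i + 1
    end = f.index(")", i)  # simple (attr=value); '*' is a wildcard
    attr, _, value = f[i:end].partition("=")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry, case-insensitively."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return any(fnmatchcase(v, pattern) for v in values)

def allowed(search_filter, username):
    """Would this login pass the searchFilter?  Assumes (per the LDAP guide) that
    Wildfire substitutes {0} with the login name before searching."""
    entry = USERS.get(username)
    node, _ = parse(search_filter.replace("{0}", username))
    return entry is not None and matches(node, entry)

# The three user-side filters discussed in the thread (constructed DNs/values).
MEMBEROF_FILTER = "(&(uid={0})(memberOf=cn=jabber,cn=groups,dc=example,dc=com))"
PRIMARY_GROUP_FILTER = "(&(uid={0})(gidNumber=1025))"
IMHANDLE_FILTER = "(&(uid={0})(apple-imhandle=Jabber:*))"
```

The memberOf filter rejects every user here, exactly as the thread reports, while the gidNumber and apple-imhandle filters admit only the users whose records were edited to carry those values.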
Yes, I am still watching this post… That method sounds alright, but I think it still requires manually modifying the LDAP records in order to provide access, which is a bit annoying. One other way of doing it might be to put in a search filter for the domain that is being served by the Wildfire server.
e.g.
However… while a workaround, it would be much better to be able to get authentication via group membership working on OpenDirectory.