Can this be done? Two companies, Two Active Directories but one roster

Hi everyone,

The title should be pretty self explanatory.

I am in charge of the IT for these two mid-sized companies; each has its own Active Directory/Domain controller.

I would like to provide our users with a messaging service that has two groups, one for company A and one for company B. Each group should contain all the active users of each company.

So far I have successfully set up Openfire for company A. Everything works beautifully and I love it.

I know I cannot link one Openfire to multiple Active Directories so I was thinking about installing another Openfire for company B and then use XMPP to provide connectivity between companies.

Would XMPP take care of sending the entire list of users for the other company?

If XMPP doesn’t work, I would like to hear any other suggestions.

Thanks

I have done this with a combination of Server 2 Server and the XMPP gateway plugin.

I created a John Doe account on each domain.

Create an AD group at each site that contains all users including john doe.

Share this group in Openfire.

Configure S2S for each openfire server.

Have each user enter the John Doe account into their XMPP gateway.

I haven’t tried this, but could you use the connection manager plugin to connect the 2 servers? Or maybe something like this.

mtstravel,

Thanks for the suggestion. I will give it a try.

Just a clarification. So the users will have to search for john doe in the other server (johndoe@im.serverb.com)?

Will this automatically fill in the entire list of users from the other server or just add the john doe account in the roster?

Thanks

The users will enter the John Doe account into the XMPP gateway of the Spark client. This should cause any groups he is a member of to automatically load in the roster.

Here’s how I solved my similar problem.

I’m setting up IM for 6 companies who have between them 9 different active directory domains with no common root.

The best solution I found was to use Microsoft ADAM to create a single LDAP. The problem with ADAM is that it will not do authentication by default. What I did was to convert my user objects into userProxy objects on import.

This way you can see everyone from all companies, search for them, do whatever you want.

There are a lot of web pages about setting up ADAM, so I’ll let you find those yourself. Finding anything about the userProxy stuff is next to impossible, so here’s a great link.

http://blogs.technet.com/efleis/archive/2005/09/23/adamsync-can-also-transform-users-in-to-proxy-users.aspx

Good luck!

I’m a noob, so please excuse what may seem like a dumb question, but is the XMPP gateway plugin something I would need to get in addition to our Openfire Enterprise setup? If so, where would I find it?

The gateway plugin is an additional plugin that is needed to talk to any other protocols (AIM, Yahoo, MSN, XMPP).

Thanks for your help on this. I got this up and running, with the rosters loaded; however, it seems that the users on Company A’s side are seeing the message as coming from the Jon Doe account that was entered into the XMPP gateway. Is there any way for it to show up as coming from the username on the company B side?

Unfortunately that is the one drawback. You would need to have an account for each user at each domain to allow for unique usernames. Or just allow the users to add each other manually to their roster.

Are you saying that when I contact someone at company B they will always see a chat request coming from Jon Doe?

That is a major drawback!

If that’s the case then it looks like the only solution is to merge the two LDAP databases.

Unfortunately that is what I am saying.

That unfortunately is what I am saying. I only have a handful of users that needed this capability, so I created unique IDs for each.

Winter,

Can you give me a quick description of how you implemented your solution with ADAM?

My idea is to run it on the same server where Openfire is running and basically create a new local LDAP database that includes the users from both corporate ADs.

Do you have any suggestion on how to set this up? How often do you refresh the DB?

I am not an LDAP guru, but I was able to get Openfire to work with one DB.

Thanks.

This is another product that can be used to link the 2 domains. It will create 1 virtual Directory. http://docs.safehaus.org/display/PENROSE/Home

What format do you use for the username when logging in to Openfire? Is it just username@server?

How does that handle username conflicts like domain1\jdoe and domain2\jdoe? or is that all resolved via ADAM?
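The username-conflict question above (domain1\jdoe vs domain2\jdoe) is exactly what has to be decided before two directories are merged into one roster namespace. The following is an added example, not code from this thread or from Openfire/ADAM: it takes two constructed AD user exports, finds case-insensitive sAMAccountName collisions, and assigns unique JID local parts by qualifying only the colliding names with their source domain. The domain names, accounts and XMPP domain are all made up.

```python
# Added example (not from the thread): merging two AD user exports into one
# roster namespace and flagging sAMAccountName collisions such as
# domain1\jdoe vs domain2\jdoe. All sample data below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class AdUser:
    domain: str          # NetBIOS-style domain name the account came from
    sam: str             # sAMAccountName (case-insensitive in AD)
    display_name: str
    enabled: bool        # userAccountControl "disabled" bit not set

# Constructed sample exports from two unrelated forests.
COMPANY_A = [
    AdUser("CORPA", "jdoe", "John Doe", True),
    AdUser("CORPA", "asmith", "Anna Smith", True),
    AdUser("CORPA", "svc_backup", "Backup Service", False),
]
COMPANY_B = [
    AdUser("CORPB", "JDoe", "Jane Doe", True),
    AdUser("CORPB", "bwong", "Bo Wong", True),
]

def find_collisions(*exports):
    """Return the set of sAMAccountNames that occur in more than one domain.
    Comparison is case-insensitive because AD logon names are."""
    seen = {}
    for users in exports:
        for u in users:
            seen.setdefault(u.sam.lower(), set()).add(u.domain)
    return {sam for sam, domains in seen.items() if len(domains) > 1}

def build_roster(xmpp_domain, *exports):
    """Map every enabled account to a unique JID. Colliding names are
    qualified with their source domain so both users survive the merge;
    any remaining duplicate is an error rather than a silent overwrite."""
    collisions = find_collisions(*exports)
    roster = {}
    for users in exports:
        for u in users:
            if not u.enabled:
                continue   # disabled accounts stay out of the shared roster
            local = u.sam.lower()
            if local in collisions:
                local = f"{u.domain.lower()}.{local}"
            jid = f"{local}@{xmpp_domain}"
            if jid in roster:
                raise ValueError(f"duplicate JID after qualification: {jid}")
            roster[jid] = (u.domain, u.sam, u.display_name)
    return roster
```

Whatever directory product does the merge (ADAM, Penrose or anything else), the same decision has to be made: which attribute becomes the login name, and what happens to the second jdoe.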