Combine LDAP and local db

Is there a way to add users that are not LDAP users when running in LDAP mode?

I would love to be able to add external users that are not part of my local domain.

Is that possible? If not, can someone please tell me where I can make that request for future releases?


If you are using AD, what I did for “external” users was create a security group named something like “Wildfire-Exclusive”, created domain accounts for the users, and added them to that group and whatever roster groups in which they belonged.

Then, at the root of my domain, I created a GPO with very restrictive settings that basically denies all executables and hides everything but the “Log off” and “Change Password” functions. In the security settings for the GPO, I removed “Authenticated Users” and added the “Wildfire-Exclusive” group, checking “Apply Group Policy”.

This way, if any users in the entire domain who are marked “Wildfire-Exclusive” manage to gain access to a machine somewhere, they will be limited to a very restricted environment. You could also go as far as going into the Domain Security Policy and denying the group the right to log on interactively, and so forth.

This also works well if you have a decent terminal server, as it will enable them to change their own passwords.
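The group, accounts, GPO and security filtering described in the post above, scripted as an added example (this is not the poster's own script or anything from the Wildfire/Openfire project). It assumes the ActiveDirectory and GroupPolicy RSAT modules on a domain-joined admin workstation, an assumed domain corp.example, an assumed OU and user names, and an assumed GPO name; the only restriction it sets is the “Run only specified Windows applications” policy as a stand-in for the poster's full lockdown:

```powershell
# Added example, not from the original post. Assumes RSAT (ActiveDirectory and
# GroupPolicy modules), the assumed domain corp.example, an assumed OU for the
# accounts, assumed user names and an assumed GPO name. Test in a lab first.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn      = "DC=corp,DC=example"            # assumed domain
$groupName     = "Wildfire-Exclusive"            # group name from the post
$gpoName       = "Wildfire-Exclusive Lockdown"   # assumed GPO name
$usersOu       = "OU=External,$domainDn"         # assumed OU for the accounts
$externalUsers = @("ext.alice", "ext.bob")       # assumed sample user names

# 1. Security group that the GPO will be filtered on
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $usersOu -Description "External IM-only users; lockdown GPO applies"
}

# 2. Domain accounts for the external users, each added to the group
#    (add them to their roster groups separately, as the post describes)
foreach ($sam in $externalUsers) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        $pw = Read-Host -AsSecureString "Initial password for $sam"
        New-ADUser -Name $sam -SamAccountName $sam -Path $usersOu `
            -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
    }
    Add-ADGroupMember -Identity $groupName -Members $sam
}

# 3. The restrictive GPO, linked at the domain root. As one illustrative
#    restriction, allow only logoff.exe via "Run only specified Windows applications".
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$explorerKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
Set-GPRegistryValue -Name $gpoName -Key $explorerKey `
    -ValueName "RestrictRun" -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$explorerKey\RestrictRun" `
    -ValueName "1" -Type String -Value "logoff.exe" | Out-Null
New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null

# 4. Security filtering: remove Authenticated Users, grant Apply to the group only.
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
# Since MS16-072 the computer account retrieves user GPOs, so once Authenticated
# Users is gone the machines still need Read or the policy silently stops applying.
Set-GPPermission -Name $gpoName -TargetName "Domain Computers" `
    -TargetType Group -PermissionLevel GpoRead | Out-Null

# 5. Verify: only the group should hold Apply, and the link should sit at the root
(Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq "GpoApply" }).Trustee.Name
Get-GPInheritance -Target $domainDn |
    Select-Object -ExpandProperty GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
```

The “Deny log on locally” user right the post mentions lives under Security Settings (User Rights Assignment), which the GroupPolicy module has no cmdlet for; set it in the GPO editor or with a security template, and confirm the result on a test machine with `gpresult /r` before trusting it.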


Yeah, I thought about that, but the trouble it caused for me was that the external users are already part of my domain, but they are remote users that use key fobs (RSA keychains) to log in. Basically, that makes those users' passwords empty in AD. If I made another account for them in AD, it would require them to use a new user name. I wanted them to be able to keep their AD username and have a static password for this application. However, your solution may be what I have to do.

Just a wild thought:

A set of plug-ins for the WF server and IM clients…

One for the clients, to handle the keychain and pass the authentication through to the server.

One for the server to verify (or challenge/response, or whatever) the information provided by the client plug-in.

It would definitely take some development … but how cool would that be?

Actually, the Spark client would be the only thing that needed the plugin. It would need to take the client's token and be able to use it.