DNS setup for subdomains

Hello all,

at our company, we have our email addresses set up along the following lines:

jack@office1.bigcorp.com

jill@office1.bigcorp.com

john@office2.bigcorp.com

…etc.

We’d like to use one central Openfire server for all users (in all offices) and let the users log in with their email addresses. In order to achieve this, I think we would have to:

a) set xmpp domain to something like im.bigcorp.com along with a proper DNS entry

b) set up SRV records for each office which point to im.bigcorp.com (e.g. _xmpp-client._tcp.office1.bigcorp.com. 900 IN SRV 0 0 5222 im.bigcorp.com.)

Would this approach work and is it the way things should be done? Any thoughts? Potential problems?

Thank you.

Cheers,

Mark

I’m not sure this would work but if you are using AD as your authentication server you may be able to. You could point your baseDN to the top level domain bigcorp.com. If you can see the subdomain users (not sure you can) then set the usernameField in the openfire.xml file to point to “mail” instead of “sAMAccountName”. Normally you can’t have multiple domains in Openfire but since they are subdomains it may be possible, but I’m just guessing this might work.

You would not need to change the sAMAccountName value as this has nothing to do with the email. The ID used by the chat server is a JID which is comprised of the sAMAccountName followed by the name of the server, like johnd@chatserver.domain.com. For this reason I would not use an email address for the authentication.

To more directly answer his question what he proposes should work. Ideally the server will need to have the same name as the AD bind name of the computer you install it on. This will limit the errors you have with some of the advanced features such as SSO, which may not even be possible in your environment.

We are using AD for authentication. Every user in the company is somewhere under the root specified in the baseDN. They are all there in the user list in the server console - in fact, I need to refine the searchFilter because it seems there’s a 1000 user limit in Openfire(?). In addition, a lot of cruft is showing up in the user list (admin accounts, etc.).

Could you maybe elaborate what you mention about where to install Openfire? You mean it would be a good idea to run Openfire on the same box that hosts the AD?

Cheers,

Mark

Openfire has no user limit; it is AD that has a limit on the results of a query. A query is performed by Openfire and AD hands off the first 1000 results then stops. This is documented in this MS tech note http://support.microsoft.com/?kbid=315071

It does not matter where you host the Openfire server. I started on an XP desktop (a very beefy one) then moved it to a shared server with 2 other web based servers (WSUS and Web Helpdesk). What I meant was Openfire runs best when it is configured with the same fully qualified domain name as the AD DNS entry for the computer it is installed on. So if your computer shows in your AD DNS as someserver.domain.com then when you configure Openfire it should have the same full name.

Thanks for the answer. It seems that the 1000 user limit is in fact only a limit on the display imposed by the AD server (as you point out). I think that this doesn’t actually affect the number of users that can login (8000+ in our case). At least that’s the impression I have from the testing I’ve been doing.

I was thinking a bit more about addressing: does the portion of the JID after the @ (e.g. @office1.bigcorp.com) not always have to be equal to what is specified in Openfire as xmpp.domain? Even if we set up the DNS SRV entries along the lines I described, would people actually be able to use xyz@office1.bigcorp.com alongside abc@office2.bigcorp.com?

Mark

Authentication has less to do with DNS than the XMPP name of the server, although the 2 are linked. When you use Spark or another client they link the username and server name together to form the JID for authentication. This is why generally you need to have the XMPP name for the server match the DNS name of the server.
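To make the last two posts concrete (the per-office SRV records proposed at the start of the thread, and the question of whether the domain part of a JID can differ from the server's XMPP name), here is an added example that is not code from the thread or from Openfire: a small Python model of the client-side SRV lookup and of the domain check a server applies when the stream opens. The zone data, the value im.bigcorp.com for the server's xmpp.domain, and the check_login model are constructed assumptions.

```python
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed zone data mirroring the proposal: each office subdomain carries an
# _xmpp-client._tcp SRV record that points clients at the one central server.
SRV_ZONE = {
    "_xmpp-client._tcp.office1.bigcorp.com.": [SrvRecord(0, 0, 5222, "im.bigcorp.com.")],
    "_xmpp-client._tcp.office2.bigcorp.com.": [SrvRecord(0, 0, 5222, "im.bigcorp.com.")],
}
SERVER_XMPP_DOMAIN = "im.bigcorp.com"  # assumed xmpp.domain of the central Openfire

def split_jid(jid):
    """Split a bare JID into (localpart, domain); domains compare case-insensitively."""
    local, _, domain = jid.partition("@")
    if not local or not domain:
        raise ValueError("expected localpart@domain")
    return local, domain.lower()

def select_srv(records, rng=random):
    """RFC 2782 selection: lowest priority wins, weighted random within that tier."""
    if not records:
        return None
    best = min(r.priority for r in records)
    tier = [r for r in records if r.priority == best]
    total = sum(r.weight for r in tier)
    if total == 0:
        return rng.choice(tier)
    roll = rng.randint(1, total)
    for rec in tier:
        roll -= rec.weight
        if roll <= 0:
            return rec

def resolve_client_host(domain, zone=SRV_ZONE, rng=random):
    """Host/port a client tries for a JID domain; no SRV means domain:5222 (RFC 6120)."""
    rec = select_srv(zone.get(f"_xmpp-client._tcp.{domain}.", []), rng)
    if rec is None:
        return domain, 5222
    return rec.target.rstrip("."), rec.port

def check_login(jid, server_domain=SERVER_XMPP_DOMAIN):
    """Model the stream open: SRV lands the TCP connection on the right box, but the
    server still rejects a stream whose 'to' domain is not the one it serves."""
    _, domain = split_jid(jid)
    host, port = resolve_client_host(domain)
    ok = domain == server_domain
    return {"host": host, "port": port, "ok": ok,
            "error": None if ok else "host-unknown"}  # RFC 6120 stream error
```

The SRV records get every office's clients to the same host, but the modelled server only accepts JIDs whose domain equals its own xmpp.domain; a login as jack@office1.bigcorp.com connects fine and is then refused at the stream level.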

So I guess you’re implying that what I want to do is not possible with just the one server? I would have to set up a server at each office?

Mark

If you want the servers to have names that reflect the subdomains that would be the only real way. That poses other issues though, such as linking all the servers together. It can be done but it is not easy. Are all your sites linked together via VPN or some other means? How about another Tree in the forest just for the chat server, with a unique subdomain that is descriptive of the chat service? As long as their DNS can look it up it does not matter where it resides on your domain. Plus you can configure Spark to start silent in the tray (I did this even though I skinned my Spark with corp logos). With silent start at boot the users have no idea where it is connecting.

Just to throw something else out there to think about. Since you are connecting to the top-level of your AD tree, how is Openfire going to know which subdomain to authenticate against if there is a duplicate username (sAMAccountName) but associated to different domains? For example jsmith@office1.bigcorp.com and jsmith@office2.bigcorp.com are 2 different people located at different offices. With 8000+ users across multiple locations you are bound to have duplicates sooner or later. With that in mind I can see why you would want to use their email address so they are truly unique.