Email authentication

Hello,

As I’ve contacted Matt a few times about this and don’t know what is to become of the modification I did, I’m opening a thread here.

I’m actually trying to have a nicer implementation of Jabber at my work (we are actually running jabberd1.4 on a local server). “Nicer” means to integrate it with the AD LDAP and allow users to simply use Jabber. This also means to have the mail as JID (no big security problem as the server is only internal).

So my first problem is to authenticate with the e-mail, which I resolved by modifying Openfire. To do this I set the attruid to the mail field of the AD LDAP and add a property to indicate to consider this as an e-mail (jid*@*domain). All these modifications take place in the org.jivesoftware.openfire.ldap.LdapManager class (see below).

Changes to LdapManager.java:

```java
// Javadoc property list at the top of LdapManager: new ldap.usernameIsMail entry
 * <li>ldap.usernameField -- default value is "uid".</li>
 * <li>ldap.usernameIsMail</li>
 * <li>ldap.nameField -- default value is "cn".</li>

// New field next to usernameField / nameField
private String usernameField;
private boolean usernameIsMail = false;
private String nameField;

// In the constructor, after the usernameField default is set:
usernameField = "uid";
// ...
usernameIsMail = false;
String usernameIsMailStr = properties.get("ldap.usernameIsMail");
if (usernameIsMailStr != null) {
    usernameIsMail = Boolean.valueOf(usernameIsMailStr);
}
baseDN = properties.get("ldap.baseDN");

// In findUserDN(): when the username attribute holds a mail address, append the
// XMPP domain to the bare login so the lookup matches the value stored in AD.
Log.debug("Trying to find a user's DN based on their username. " + usernameField + ": " + username
        + ", Base DN: " + baseDN + "...");
if (usernameIsMail) {
    String xmppdomain = JiveGlobals.getProperty("xmpp.domain", "");
    // compare String contents; the original (xmppdomain != "") compared references
    if (!"".equals(xmppdomain)) {
        username = username + "@" + xmppdomain;
    }
}
DirContext ctx = null;
```


I hope everybody finds this useful and, additionally, that it might be integrated in Openfire.

Cédric

Although I don’t think it’s ever been tested, I think this can be accomplished in Openfire today without modifications. The trick is to use the little-known AuthorizationManager and the LdapAuthorizationPolicy. Your users would log in using the username they log into AD with, but would be authorized to a different name (the email field). While this code was written with SSO in mind, it certainly isn’t limited to SSO. If you are willing to give it a shot, I would love to hear how it worked out, and if there is anything I can do to improve it. There is minimal documentation (i.e. read the source) on this aspect, so if you need a little extra help, just shout and I’ll see what I can do.

I’ve managed a somewhat simpler authentication scheme by using mail authentication… this allows me to authenticate users without considerations about their domain.

Ex: when john.doe@my.company.com tries to log on to Jabber, I had the user lookup problem with LDAP that the mail field contains the domain and the uid (sAMAccountName; here it would typically be ‘jdoe’) is not the logon I want to use. The POP3 authentication allows me to use what is naturally done by mail servers: authenticate with john.doe without domain info.

I don’t know if it was possible with the authentication manager and LdapAuthorizationPolicy… as we have an AD and the main documents were written for Kerberos, I read them… it was still a bit complicated as I am not in the domain admins and my colleagues have difficulties realising what I’m asking them (Jabber principal creation).

My modification is still useful for the vcard-provider from LDAP as the lookup still must be done on the email field, although a more general form would allow wildcards, kind of like the “uidattr_format” of ejabberd (which I never got working right either).

Finally I still have a problem with domain “aliasing” as company employees have a "@my.company.com" email and externs have a "@guest.my.company.com" email.