Guide to using LDAP groups with Active Directory

Get the latest nightly build of JM:

LDAP group support was added recently. So go and get any build prior to 7/19/2005 from http://www.jivesoftware.org/nightly.jsp.

When upgrading from a previous version of JM:

If you used groups in your previous installation you will need to clear the table "jivegroupprop" in your database server.

Also remember that when upgrading from a previous version you should check to see if there are any SQL scripts that you need to run.

Edit your jive-messenger.xml file:

The provider section of the XML file is the only section that must be edited when dealing with Active Directory; other XML properties are optional. The provider section of your XML file should read as follows:

This search filter will populate all groups whose name starts with "jive". So a group that is named "jiveSupport" would be populated but a group named "support" would not be populated. Remember that you can change the display name that will be displayed in the client later. I recommend that you be as specific as possible when creating your search filter so JM isn't doing more work than it has to. Here is another example search filter that specifies three specific groups to be populated by jive:

Example:

Regardless of the search filter that you choose you must include member=* somewhere in the search filter. An example LDAP section of the JM XML file is given below:

localhost
389
sAMAccountName
cn
mail
CN=Users,DC=example,DC=com
example\jive
jabber

Configure groups inside of the Admin Console:

Inside of the admin console click on "Users/Groups" and then click on "Group Summary". You should see all of the groups specified by your search filter here. Configure each group with a display name and choose roster preferences for each group by clicking on the group name.

If you get stuck or have any questions let me know.

Greg Ferguson

Hmm… I use OpenLDAP/Samba and this doesn't work for me

This guide was meant for Active Directory; there are some other configuration options that you need to set in the case of OpenLDAP. Give me a couple of minutes and I'll post them.

Other options for non-Active Directory users:

The first thing you need to know is how users are stored in your LDAP server: whether group members are stored by their full DN or by their user name. If they are stored by their user name only, then you need to set the posixEnabled LDAP property to true. By default this property is set to false. I do not know of another LDAP server that stores members in a group by their full DN other than Active Directory, so most likely you will need to set this to true.

Example:

Other properties are as follows:

  1. ldap.groupNameField – the field name that the group name lookups will be performed on. If this property is not set, the default value is cn

  2. ldap.groupMemberField – the field name that holds the members of a group. If this property is not set, the default value is member

  3. ldap.groupDescriptionField – the field name that holds the description of a group. If this property is not set, the default value is description

within the group. If this property is not set, the default value is false

Last but not least:

You need to set the group search filter. Some of the rules mentioned above still apply, but if you are a non-Active Directory user you definitely need to change the group search filter.

Example group search filter for a non-Active Directory LDAP server:

(member=*)

where member is the value set by ldap.groupMemberField. Sample XML LDAP section for a non-Active Directory LDAP server:

localhost
389
uid
cn
mail
CN=Users,DC=example,DC=com
example\jive
jabber
(uid=*)
(member=*)
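As an added example (not from this thread or from Jive Messenger's own code), the following Python models the two points above against a constructed directory: how a group search filter such as (&(member=*)(objectClass=group)(cn=jive*)) selects groups, and how the posixEnabled switch changes the way members of a group are resolved (full DN for Active Directory, bare uid for posixGroup). The directory entries, names and filter evaluator are all constructed for illustration.

```python
import re

# Constructed sample directory (not a real server): two AD-style groups whose members are
# full DNs and one posixGroup whose members are bare uids; attribute names are lowercased.
DIRECTORY = [
    {"dn": "CN=jiveSupport,CN=Users,DC=example,DC=com", "objectclass": ["top", "group"], "cn": ["jiveSupport"],
     "member": ["CN=Jane Doe,CN=Users,DC=example,DC=com", "CN=John Roe,CN=Users,DC=example,DC=com"]},
    {"dn": "CN=support,CN=Users,DC=example,DC=com", "objectclass": ["top", "group"], "cn": ["support"],
     "member": ["CN=Jane Doe,CN=Users,DC=example,DC=com"]},
    {"dn": "cn=jivedev,ou=Groups,dc=example,dc=com", "objectclass": ["posixGroup"], "cn": ["jivedev"],
     "memberuid": ["jdoe", "jroe"]},
]

def parse_filter(text):
    """Parse the RFC 4515 subset used in the thread: (&..), (|..), attr=value, attr=*, prefix*."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[:1] in ("&", "|"):                   # compound: split children at top-level parens
        kids, depth, start = [], 0, 1
        for i in range(1, len(body)):
            if body[i] == "(":
                if depth == 0: start = i
                depth += 1
            elif body[i] == ")":
                depth -= 1
                if depth == 0: kids.append(parse_filter(body[start:i + 1]))
        return (body[0], kids)
    attr, _, value = body.partition("=")
    return ("=", attr.lower(), value)

def matches(node, entry):
    """Evaluate a parsed filter against one entry; values compare case-insensitively like AD's cn."""
    if node[0] == "&": return all(matches(k, entry) for k in node[1])
    if node[0] == "|": return any(matches(k, entry) for k in node[1])
    values = entry.get(node[1], [])
    if node[2] == "*": return bool(values)       # presence test, e.g. (member=*)
    pattern = re.escape(node[2]).replace(r"\*", ".*")   # substring wildcard, e.g. cn=jive*
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def search(filter_text, entries=DIRECTORY):
    node = parse_filter(filter_text)             # DNs of the groups this filter would populate
    return [e["dn"] for e in entries if matches(node, e)]

def group_members(entry, member_field="member", posix_enabled=False):
    """The posixEnabled switch: AD members are full DNs, posix members are plain uids."""
    raw = entry.get(member_field.lower(), [])
    if posix_enabled: return list(raw)
    return [dn.split(",")[0].split("=", 1)[1] for dn in raw]   # CN=Jane Doe,... -> Jane Doe
```

Running group_members on the posixGroup with posix_enabled left at its default of False returns an empty list, which is the symptom of the misconfiguration described above.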

Still doesn't work with OpenLDAP (JM: nightly build 2005-07-21)

Here is my config:

<groupSearchFilter>(memberUid=*)</groupSearchFilter>

When I start jive-messengerd and try to see groups in the Admin Console, I get this output from debug.log:

– cut –

2005.07.22 09:27:03 Starting LDAP search…

2005.07.22 09:27:03 Using groupSearchFilter: (memberUid=*)

2005.07.22 09:27:03 … search finished

2005.07.22 09:27:03 Starting to populate groups with users.

2005.07.22 09:27:03 Finished populating group(s) with users.

– cut –

Also in stdout:


It looks like the JM option "groupNameField" doesn't work and the JM server tries to use the "nameField" option instead (which equals displayName).

Thank you.

Using the new directives (and I believe adapting them properly to our system, though I'm not 100% sure which parts of these strings need to be adapted), I have no luck with groups. I can authenticate against AD, but groups aren't going. I have the linked installer for beta 2 of 2.2 installed:

http://www.jivesoftware.org/builds/messenger/jive_messenger_2_2_0_beta2.exe

Added these to the LDAP section:


I changed jive* to an AD group that everyone in the company is in, just as a basic test: nothing. Other than adding this last part to the provider section, am I missing something else in the configuration? We are using AD from Windows 2000.


Get the latest nightly build. Several bugs were fixed as of yesterday.

Greg

Hi,

I'm using LDAP / Active Directory (2000). I followed your steps; I can see a list of user and computer objects (I can remove them, I just need to add a filter) but I cannot log in with a username and password. It says every time: you are not authorized to login (message from client side). I'm using JAJC v0.0.8.110 as client.

I can login to administration page using a domain admin account (or administrator account).

This is my conf file:

You forgot to add the group class to your provider section.

Try this, uncommented in your config file.

You were right, I didn't have the group listing; it's nice to have it now.

But the main problem has not been fixed. I cannot log in with the client: unauthorized.

I got it,

In fact I wasn't able to connect because of the client side.

I had to enable SSL and select plain text as a way to authenticate.

After that the connection between the client and Jive was encrypted via SSL, and the password was sent in clear text inside the encrypted tunnel, which was easy for the IM server to read.

That was the problem.

I hope it can help someone else.

I just installed 2.2.2 on a win2k3 member server with the following XML settings:

    </searchFilter>
    <groupSearchFilter>
        <![CDATA[(&(member=*)(objectClass=group)(sAMAccountName=Users))]]>
    </groupSearchFilter>

This is basically the default file with the basic info in your first post meshed in. I get no group listings or user listings; what am I doing wrong?

PS, I'm a noobie when it comes to this stuff