
Guide to using LDAP groups with Active Directory

Get the latest nightly build of JM:

LDAP group support was added recently. So go and get any build prior to 7/19/2005 from http://www.jivesoftware.org/nightly.jsp.

When upgrading from a previous version of JM:

If you used groups in your previous installation you will need to clear the table "jivegroupprop" in your database server.

Also remember that when upgrading from a previous version you should check to see if there are any SQL scripts that you need to run.

Edit your jive-messenger.xml file:

The provider section of the XML file is the only section that must be edited when dealing with Active Directory; other XML properties are optional. The provider section of your XML file should read as follows:

This search filter will populate all groups whose name starts with "jive". So a group that is named "jiveSupport" would be populated but a group named "support" would not be populated. Remember that you can change the display name that will be displayed in the client later. I recommend that you be as specific as possible when creating your search filter so JM isn't doing more work than it has to. Here is another example search filter that specifies three specific groups to be populated by jive: Example:

Regardless of the search filter that you choose you must include member= somewhere in the search filter. An example LDAP section of the JM XML file is given below:
localhost 389 sAMAccountName cn mail CN=Users,DC=example,DC=com example\jive jabber

Configure groups inside of the Admin Console:

Inside of the admin console click on "Users/Groups" and then click on "Group Summary". You should see all of the groups specified by your search filter here. Configure each group with a display name and choose roster preferences for each group by clicking on the group name.

If you get stuck or have any questions let me know.

Greg Ferguson
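The two kinds of Active Directory filters this thread talks about (a group filter that must carry `(member=*)`, and a user filter that also checks membership of a global group such as JabberAccess), as an added example that is not code from the original post or from Jive Messenger. The group names and DN below are constructed placeholders; the point it adds is that values interpolated into a filter are escaped per RFC 4515, so a login name containing `*` or `)` cannot widen the search.

```python
# Added example, not Jive Messenger's LdapGroupProvider. Builds the filters
# discussed in the thread and escapes interpolated values (RFC 4515).
import re

# Characters that are special inside an LDAP filter *value* (RFC 4515).
_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it can only ever match as a literal value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_search_filter(name_prefix: str = "") -> str:
    """Group filter as the guide describes: always contains (member=*),
    optionally narrowed to groups whose cn starts with name_prefix."""
    if not name_prefix:
        return "(member=*)"
    # Escape first, then append the one wildcard we actually intend.
    return f"(&(member=*)(cn={escape_filter_value(name_prefix)}*))"


def user_in_global_group_filter(sam_account_name: str, group_dn: str) -> str:
    """User filter with the extra check asked for in the thread: the account
    must also be a member of a global access group. In Active Directory the
    memberOf attribute holds full distinguished names, so group_dn is a DN
    (constructed placeholder in the tests), not a bare group name."""
    return (f"(&(sAMAccountName={escape_filter_value(sam_account_name)})"
            f"(memberOf={escape_filter_value(group_dn)}))")


def has_member_clause(search_filter: str) -> bool:
    """The guide's rule: a groupSearchFilter must contain member= somewhere."""
    return re.search(r"\(member=", search_filter, re.IGNORECASE) is not None
```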

I haven't had a chance to test your code yet, but I'm looking forward to doing so. I do have one enhancement I want to throw out. Our current AD setup is to have a security group (in LDAP) for each department. Since we have users in virtually all departments that are not allowed to use Jabber, we add users to a global security group called JabberAccess. Our LDAP auth search filter makes sure you are a user of JabberAccess in order for you to login. This has worked great since we were manually creating groups.

Now with LDAP group support, would it be efficient to add a second query to make sure the users in the LDAP group list are members of a global group?

Just to clarify that I know what your question is, your current searchFilter is something like this, (&(samaccountname=)(memberOf=JabberAccess))? If this is the case then the current code in CVS will not handle this.

This issue was already a concern of mine, I have made the changes to my class to allow this and have sent them off to Matt. The main reason why this was left out before was for speed reasons. It is much faster to just get the members of a group and not check that each member is a valid user of the system. We weren't sure if people actually needed this feature.

Thanks for your input.

Greg

Greg,

You are correct on assuming my searchFilter. It looks like Matt has applied the patch for this:

http://jivesoftware.org/fisheye/changelog/cvs-org?cs=MAIN:matt:20050721050152

I'll try to do some testing today or tomorrow and let you guys know how it goes. Thanks

Cameron

I've tested the original version and the latest CVS revision by Matt on LdapGroupProvider.java and can't get either one to find any groups. I've tried building JM myself and using the nightly builds, but nothing works.

Environment is Windows 2000 AD with JM running on RHEL3. LDAP Auth is working. Only configuration I've made so far is telling JM to use the LdapGroupProvider in the section. Turned on LDAP debugging and see this:

2005.07.21 10:44:02 Trying to find all groups in the system.
2005.07.21 10:44:02 Creating a DirContext in LdapManager.getContext()...
2005.07.21 10:44:02 Created hashtable with context values, attempting to create context...
2005.07.21 10:44:02 ... context created successfully, returning.
2005.07.21 10:44:02 Starting LDAP search...
2005.07.21 10:44:02 Using groupSearchFilter: (member=*)
2005.07.21 10:44:02 ... search finished
2005.07.21 10:44:02 Starting to populate groups with users.
2005.07.21 10:44:02 Finished populating group(s) with users.

I'm able to do exactly the same search, "(member=*)", with ldapsearch on the Linux JM server and get back over 70 groups, so I know they are there.