iChat + Active Directory + Openfire

Hey all,

Here’s the deal: our agency has been growing as of late, and where we were once quite content to use iChat + the Bonjour protocol for our office IM solution, we’re now finding that Bonjour simply won’t be adequate as we expand into multiple subnets.

So, after a little searching, I found Openfire and immediately installed it on a test server. After some configuration, I had all of our Active Directory contacts synced to the Openfire user database, and even installed the Kraken gateway plugin so that we could integrate AIM as well. I then set up a group containing all agency members, and installed Spark on a few machines. After having a few employees log on for testing, I can see them in my Spark client, and they can see me, and each other, so that seems to be working quite well, and if it were up to me we’d all just install Spark, ditch iChat, and be done.

But of course, many of our users don’t want to give up iChat, being that it’s the native OS X chat client. Now I’m trying to figure out how to get iChat to see all the users currently synced with Openfire, but I’m really not sure how that would need to happen. I’m assuming that XMPP would be the best route, but I don’t have much experience with the protocol.

There are two questions I need answered, I guess… a) is iChat (in 10.5-10.7) able to act as the IM client for the Openfire chat server such that synced Active Directory contacts are visible/reachable? And b) if so, does anyone happen to know what steps must be taken to make this happen (i.e., which protocol/gateway to use, how to configure iChat’s settings, do users need to be registered with a service besides Openfire, etc.), or know of a good reference on the subject?

Thanks in advance for any tips you’ve got!

iChat should be able to connect to Openfire without any problems. Just tell it to connect to a Jabber server and input the required info.

Ah…if only I had pinged first. Turns out we didn’t have a valid name entered into our DNS for that machine, as I discovered after I added the account by referring to the IP address instead of the FQDN.

Everything is working perfectly after adding the record to our DNS, except that iChat profile pictures aren’t coming across on the Jabber accounts (we just see a light bulb for everyone). If someone has the fix for that, I’d love to hear it. I’ll keep tinkering, and will post the solution if I find it.

Try updating the following:

Server Manager > System Properties > ldap.override.avatar (true)

If you are an OS X native house, do you not have an OS X server? It has its own native chat server built in. No, it does not do AIM, but iChat can do that as well. Just saying…

That setting was set to ‘true’ by default, but I think there is perhaps evidence that the setting is working to some degree. I say this because the picture associated with the other IT guy’s account differs from machine to machine, and he’s changed it a couple of times already. e.g. On my machine, his profile pic is pic A, but on another workstation, logged into a different user account, his profile pic is just a lightbulb. On yet another machine, his pic is pic B.

If I understand the setting correctly, ‘true’ allows users to change their profile pics at will to something besides the pic associated with their Active Directory accounts, while ‘false’ restricts the profile photo to the one associated with an Active Directory account. The latter setting is the one I’m aiming for now: at some point, we may want to allow users to change their photos, but for now using their AD avatar (stored in the {thumbnailPhoto} attribute) is what we’d like. I’ve made this configuration change in Server Settings and have set the ldap.avatar.override=false.

Still though…it doesn’t seem like the profile photo is syncing from AD to Openfire. Or maybe it is, and there’s something about local iChat clients that changes the photo? I’ve tried restarting the Openfire server and restarting iChat on a few machines with the same results.

Any thoughts on what might be happening here? I know I’m close…

Alas, 99% of our workstations are Macs, but 100% of our servers are Windows. I’d much rather set up an iChat server on an OS X server, but I don’t have the option presently.


As it turns out, this is definitely an issue with iChat, or at least the default iChat configuration. I know this because a) all PC user pictures show up properly for other users, in iChat AND in Spark, and b) ALL pictures show up properly in Spark. This is with the ldap.avatar.override setting configured ‘false’.

So, the next question is…what is iChat missing? I’m poring over the settings under preferences but not finding anything pertinent. I’m guessing I’ll need to edit a .plist or something to make it work smoothly, but perhaps there’s another method?