
Jive with OpenLDAP and search plugin

I am currently trying to set up the Jive Messenger 2.3.0 on a Linux Enterprise server with OpenLDAP 2.0.27-20 (RPM). The LDAP server distinguishes between enabled and non-enabled users through 2 attributes (AdminStatus and ManagerStatus). Both of these attributes must be set to enabled before a user can log in or be listed during a search. Below is my ldap config:

This configuration works great to only allow enabled users access.

The problem arises when a search is performed. Doing a search for somebody@somewhere.com works fine, but when you type a single * to get a list of all users in the LDAP tree, the client is disconnected and no users are returned.

After looking at the search plugin code, I noticed that when a search is performed, it gets a list of ALL users first, then performs a secondary lookup per user to match the search criteria. When the second lookup is performed on a disabled user, the function throws a UserNotFoundException (not because the user doesn't exist, but because the user's status attributes were not set to enabled) and exits prematurely. Below are some Jive debug logs and some LDAP debug logs. Any help with a workaround would be GREATLY appreciated.

Jive Debug Log:

2005.11.28 15:09:22 Trying to find a user's DN based on their username. uid: john.doe, Base DN: ou=myOffice, o=myCommunity,dc=myDC…

2005.11.28 15:09:22 Creating a DirContext in LdapManager.getContext()…

2005.11.28 15:09:22 Created hashtable with context values, attempting to create context…

2005.11.28 15:09:22 … context created successfully, returning.

2005.11.28 15:09:22 Starting LDAP search…

2005.11.28 15:09:22 … search finished

2005.11.28 15:09:22 User DN based on username 'john.doe' not found.

2005.11.28 15:09:22 Exception thrown when searching for userDN based on username 'brendan.king'

org.jivesoftware.messenger.user.UserNotFoundException: Username brendan.king not found

at org.jivesoftware.messenger.ldap.LdapManager.findUserDN(LdapManager.java:465)

at org.jivesoftware.messenger.ldap.LdapManager.findUserDN(LdapManager.java:400)

at org.jivesoftware.messenger.ldap.LdapUserProvider.loadUser(LdapUserProvider.java:69)

at org.jivesoftware.messenger.user.UserManager.getUser(UserManager.java:157)

at org.jivesoftware.messenger.user.UserCollection$UserIterator.getNextElement(UserCollection.java:94)

at org.jivesoftware.messenger.user.UserCollection$UserIterator.hasNext(UserCollection.java:57)

at java.util.AbstractCollection.toArray(AbstractCollection.java:125)

at java.util.ArrayList.addAll(ArrayList.java:474)

LDAP Debug log: (names have been changed to protect the innocent)

Nov 28 15:16:26 dev1 slapd[1153]: conn=4121 op=50 SRCH base="ou=myOffice,o=myCommunity,dc=myDC" scope=2 filter="(mail=*)"

Notice that the custom filter is not applied above.

Nov 28 15:16:27 dev1 slapd[1153]: conn=4121 op=54 SRCH base="ou=myOffice,o=myCommunity,dc=myDC" scope=2 filter="(&(uid=john.doe)(jasiAdminStatus=enabled)(jasiManagerStatus=enabled))"

Hi Buck,

"I noticed that when a search is performed, it gets a list of ALL users first, then performs a secondary lookup per user to match the search criteria."

This is actually only done if the user provider doesn't support searching, which in the case of using LDAP is not the case. There have been other reports of the search plugin not working properly when people have been using LDAP with a . If you're interested I can send you a beta of the plugin that might take care of the problem you're seeing.

Let me know.

Thanks,

Ryan

That would be most helpful. I wasn't completely opposed to patching it myself, but Java is not my first (or second, for that matter) language. My address is on my profile. I'll let you know if it works.

I have a slightly different, yet related dilemma. In our company, we wanted anyone in the LDAP database to be able to log into Jive/Wildfire by just providing their LDAP username/password. We have achieved that by running with LDAP enabled and no searchFilter at all. That's the good news.

The bad news is that we now have users who want to use the search plugin to search for users who have 'registered' (registered in this context means have logged into our Jabber server at least once and added at least one contact). People can search for users with the search plugin enabled, as from reading it, Ryan uses the Wildfire APIs to ask the server if a user is registered. The problem is, because I have to run no search filter to allow people to log in freely, the data that comes back isn't very useful - it just tells someone searching that their contact is in the LDAP database, not necessarily that they are a Jabber user.

I've managed to hack around this a bit by providing a web-based search and a custom plugin for Pandion that queries LDAP. The LDAP team has allowed us to create another field in the LDAP schema (jabberID), which we populate hourly via a script I wrote that does some SQL queries into our jiveroster DB table to figure out who the 'registered' users are. What we'd like to have is a way to specify a different search filter just for searches performed by the search plugin. That way, anyone in the LDAP DB could log in freely, and once they were 'registered', they would be able to be searched via the search plugin.

Reading through the code for the search plugin, it seems unlikely that the fix would go there, but would instead most likely reside somewhere in the Wildfire API. However, I'm open to any other suggestions at this point. Thanks.

-Guy
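The following Python script is an added example and is not part of the original thread, nor code from Jive Messenger, Wildfire or the search plugin. It models the two LDAP queries visible in the slapd log of the first post (the bare "(mail=*)" listing and the per-user DN lookup with the configured searchFilter ANDed in) against a small constructed directory, and shows why the two-step listing trips over the first entry the searchFilter excludes and that ANDing the same filter into the listing avoids it. It also covers Guy's request above: a second filter, independent of the login filter, that scopes the plugin's search to entries carrying a hypothetical jabberID attribute. The attribute names jasiAdminStatus and jasiManagerStatus are taken from the log; the directory contents, the DN template, the jabberID values and the filter parser (which handles only presence, equality and &, |, !) are assumptions made for illustration. One caveat a practitioner would want regardless of the plugin fix: the username substituted into "(uid=...)" is user-controlled, so it is escaped per RFC 4515 before it goes into the filter.

```python
"""Added example (not Jive Messenger/Wildfire or search-plugin code).

Models the two LDAP queries in the thread's slapd log against a small,
constructed directory: the listing "(mail=*)" and the per-user DN lookup
with the configured searchFilter ANDed in. Attribute and value names are
assumptions; the filter parser covers only presence, equality and &, |, !."""
import re

# Login gate from the thread (nested &, equivalent to the flattened log form).
SEARCH_FILTER = "(&(jasiAdminStatus=enabled)(jasiManagerStatus=enabled))"
# Hypothetical attribute populated only for 'registered' users (Guy's case).
REGISTERED_FILTER = "(jabberID=*)"

# Constructed sample directory. LDAP attribute names are case-insensitive,
# so entries are keyed in lower case.
DIRECTORY = [
    {"uid": ["john.doe"], "mail": ["john.doe@somewhere.com"],
     "jasiadminstatus": ["enabled"], "jasimanagerstatus": ["enabled"],
     "jabberid": ["john.doe@jabber.example"]},
    {"uid": ["brendan.king"], "mail": ["brendan.king@somewhere.com"],
     "jasiadminstatus": ["disabled"], "jasimanagerstatus": ["enabled"]},
    {"uid": ["jane.roe"], "mail": ["jane.roe@somewhere.com"],
     "jasiadminstatus": ["enabled"], "jasimanagerstatus": ["enabled"]},
]

class UserNotFoundException(Exception):
    """Mirrors the exception in the thread's stack trace."""

def escape_value(value):
    """RFC 4515 escaping: a username containing '*', '(' or ')' must not be
    able to turn '(uid=<user>)' into a wildcard or a different filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def combine(*filters):
    """AND the filters that are set; None when none are (no restriction)."""
    parts = [f for f in filters if f]
    if not parts:
        return None
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"

def _parse(s, i=0):
    """Recursive-descent parser; returns (node, index just after the node)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError("expected ')' at %d in %r" % (i, s))
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def _eval(node, entry):
    op = node[0]
    if op in "&|!":
        results = [_eval(k, entry) for k in node[1]]
        return all(results) if op == "&" else any(results) if op == "|" else not results[0]
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                      # presence test, e.g. (mail=*)
        return bool(values)
    return unescape_value(value).lower() in [v.lower() for v in values]

def search(directory, flt):
    """Return the uids matching flt in directory order (None = everything)."""
    if flt is None:
        return [e["uid"][0] for e in directory]
    node, end = _parse(flt)
    if end != len(flt):
        raise ValueError("trailing data in filter %r" % flt)
    return [e["uid"][0] for e in directory if _eval(node, e)]

def find_user_dn(directory, username, search_filter):
    """The per-user lookup from the log: (&(uid=<user>)<searchFilter>)."""
    hits = search(directory, combine("(uid=%s)" % escape_value(username), search_filter))
    if not hits:
        raise UserNotFoundException("Username %s not found" % username)
    return "uid=%s,ou=myOffice,o=myCommunity,dc=myDC" % hits[0]   # assumed DN shape

def list_users(directory, search_filter, filter_the_listing):
    """The plugin's two-step listing. Sent as the bare '(mail=*)' (as in the
    log), the per-user lookup raises for the first entry the searchFilter
    excludes; ANDing the searchFilter into the listing avoids that."""
    listing = combine("(mail=*)", search_filter if filter_the_listing else None)
    return [find_user_dn(directory, uid, search_filter) for uid in search(directory, listing)]
```

Calling `list_users(DIRECTORY, SEARCH_FILTER, False)` reproduces the failure in the first post (the lookup for brendan.king raises), while `list_users(DIRECTORY, SEARCH_FILTER, True)` returns only the two enabled users. For Guy's setup, `search(DIRECTORY, REGISTERED_FILTER)` is the plugin-only query that leaves login unrestricted (`combine()` with no filters) but lists just the entries carrying jabberID. `find_user_dn(DIRECTORY, "*", None)` raises rather than matching everyone, because the escaped value `\2a` is compared literally.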

Guy,

This sounds like a good feature request and a reasonable one. I filed JM-508. The fix will go in the LdapUser class. If you're interested in working on this, please let me know.

Regards,

Matt