LDAP/authentication and MySQL/authorization

Hello everyone,

I’m using Openfire to provide XMPP Instant Messaging service inside our intranet.

I successfully set up Openfire with SSO to authenticate the Spark client against our Active Directory.

As Spark is currently not supporting A.D. nested groups, I’ve written a Perl script that fetches users from nested groups and injects them inside the proper tables of the Openfire database.

This works well but we’re facing some issues with the Spark client (some of these issues not being directly related to Spark) and I would like to know if it would be possible to combine the following to keep Active Directory authentication while removing the SSO feature of my implementation.

I’m thinking about using LDAP to authorize users while keeping the MySQL database and its groups for authorization. As for the SSO, this would mean the password of the instant messaging service wouldn’t be stored in the database.

Unfortunately, I’m not confident with the configuration of the Openfire server and to be honest, I don’t really know where to look and if this would be possible.

With my actual implementation, authentication is SSO only (also forcing me to make use of Spark) because the user password stored in the database is fake and not in sync with the data available in the A.D.

Any help or comment would be greatly appreciated!


Absolutely this is possible. How are you currently using AD as your authentication/authorization source? I use AD but use ADAM configured as a flat tree for LDAP authentication.

Wouldn’t it be easier and save time to create custom chat groups in AD? This would be cleaner and not run the risk of corrupting your database.

Hi Jeff,

For authentication, I’m doing a one to one match between my XMPP domains and my Active Directory Domains.

The script I’ve written populates the jiveUser.username field of the MySQL database with the sAMAccountName field of the Active Directory object.

For authorization, I only rely on the groups created inside the MySQL database. These groups are also populated in the database but I’m using only the top group from where I start the recursion. This way, I can have a pseudo nested group implementation against A.D.

The groups are also used for communication filtering through the PacketFilter plug-in and for contact list group sharing.

I wasn’t aware of ADAM, which stands for Active Directory Application Mode?

I’m currently mainly struggling with how to configure Openfire; I don’t really know how to stack the components to have LDAP for authentication and MySQL for authorization.

Thanks and Regards,

Hi mtstravel,

I did this implementation because authentication/authorization against Active Directory nested groups is not implemented inside Openfire. I’m also not putting too much pressure on the domain controller because I do very precise LDAP queries against it (e.g. not fetching 1000+ groups from the tree).

There are a lot of applications designed this way, where authorization is the result of the mapping between A.D. users and local groups. In my case, I simply use the groups already present in A.D. to populate the database.

I don’t know how I could corrupt the database as long as I populate the tables in a proper order. Have you had any bad experience with that?

The main drawback I see in this implementation is the day when the Openfire database structure changes and the script might not sync anymore. Hopefully the database is documented and the software is free software, so I should be able to find the changes and adapt the script.
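As an added example (not from the thread or from the Openfire project), the provider split being asked about, expressed as Openfire system properties: authentication goes to Active Directory over LDAP, while users and groups keep coming from the Openfire database. Host, base DN and bind account are placeholders, and that this exact combination is accepted by the poster's Openfire release is an assumption to verify against the LDAP guide for that version.

```properties
# Passwords are checked against Active Directory only; the jiveUser
# password column is never consulted, so the fake values the sync
# script writes there stop mattering.
provider.auth.className=org.jivesoftware.openfire.ldap.LdapAuthProvider

# User records and groups stay in the MySQL database, i.e. the jiveUser /
# jiveGroup rows the nested-group script populates (assumed to keep
# working unchanged with this split).
provider.user.className=org.jivesoftware.openfire.user.DefaultUserProvider
provider.group.className=org.jivesoftware.openfire.group.DefaultGroupProvider

# LDAP connection (placeholder values). A dedicated read-only bind
# account is enough here: Openfire only needs to bind as the user
# and to search the tree, never to write.
ldap.host=dc01.example.intranet
ldap.port=636
ldap.sslEnabled=true
ldap.baseDN=DC=example,DC=intranet
ldap.adminDN=CN=openfire-bind,OU=Service Accounts,DC=example,DC=intranet
ldap.adminPassword=CHANGE_ME

# Must match the attribute the script copies into jiveUser.username,
# otherwise the LDAP-authenticated login and the DB user record will
# not line up.
ldap.usernameField=sAMAccountName
ldap.searchFilter=(objectClass=user)
```

Keeping port 636 with ldap.sslEnabled=true means the user's AD password crosses the intranet encrypted rather than in the clear as it would on plain 389.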