LDAP Configuration enhancements

Hi there,

I've successfully set up messenger using ldap as the authentication store which works great.

A couple of things need to be configurable to make this work in a large environment. Since messenger queries ldap, any users in ldap are deemed 'valid' users. I've got a samba domain in ldap with about 700 users and if we went live with this, we would need some way of filtering on an attribute or group who was allowed to log in to use jabber.

A possible solution would be to use ldap groups as in JM-129 as white or black lists, or make a configuration option for an ldap search url matching on a specified ldap attribute.

Another issue I had was vcard information getting populated from ldap, but I see JM-121 will take care of that.

Great work!

Regards,

Rob

Rob,

Supporting this may actually be pretty easy.

There are two areas that would need to be fixed:

  1. List and count of users. The current search for users is “(uid=*)” where uid is the username field you've configured through LDAP settings. We could have an optional property that would allow you to override that search with something else.

  2. Loading a single user. Right now that test is “(uid=jsmith)”, again assuming that your username field is set to “uid”. Would being able to override that search work for you? The syntax would be to have a portion be the username. So, you could enter in “((uid=$username$)&(isUser=true)” and Jive Messenger would dynamically replace $username$ with the username being searched for.

Regards,

Matt
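As an added illustration of the placeholder scheme Matt describes (this is not Jive Messenger's code), the snippet below substitutes $username$ into a configured filter template. The one thing worth adding to the description is that the substituted value has to be escaped as RFC 4515 requires, otherwise a login name containing `*` turns the per-user lookup back into the list-everyone query `(uid=*)`. The template strings and function names are the example's own.

```python
# Added example (not Jive Messenger code): build the per-user LDAP search
# from a configurable template containing a $username$ placeholder, as
# described in the thread, escaping the substituted value per RFC 4515 so
# the login name can never change the structure of the configured filter.

# Characters RFC 4515 requires to be escaped inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str,
                      placeholder: str = "$username$") -> str:
    """Replace the placeholder in the administrator's filter template.

    The username is escaped first, so a template such as
    '(&(uid=$username$)(objectClass=posixAccount))' keeps exactly the
    structure that was configured, whatever the login name contains.
    """
    if placeholder not in template:
        raise ValueError(f"filter template must contain {placeholder}")
    return template.replace(placeholder, escape_filter_value(username))


def build_user_filter_unsafe(template: str, username: str,
                             placeholder: str = "$username$") -> str:
    """Raw substitution without escaping, kept only for contrast."""
    return template.replace(placeholder, username)


if __name__ == "__main__":
    template = "(&(uid=$username$)(objectClass=posixAccount))"
    print(build_user_filter(template, "jsmith"))
    # A wildcard in the login name is neutralised by escaping ...
    print(build_user_filter(template, "*"))
    # ... whereas raw substitution would match every posixAccount entry.
    print(build_user_filter_unsafe(template, "*"))
```

The escaping table is the full RFC 4515 set, so the same helper can be reused for the list-and-count filter if it ever takes user-supplied input.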

Matt,

That's exactly what I was thinking, a configurable ldap search url with a variable placeholder for the user.

e.g.

dc=company,dc=com

(&(objectclass=posixAccount)(uid=$username$))

Thanks,

Rob

Rob,

We'll get this added for the 2.1.1 release. It's in the issue tracker as JM-130. If you have a sec, visit the issue and vote for it. Votes on issues help us prioritize new features.

Thanks,

Matt

Hi Matt,

I made some changes to LdapManager and LdapUserProvider to implement JM-130.

I've got it running at my site now and it seems to be working well.

The change enables you to specify:

(&(uid=)(objectClass=posixAccount))
where is replaced with username. Of course you can specify any valid ldap search string that returns a dn.

Let me know if you're interested in the diffs.

Regards,

Rob

Rob,

Please send them to me by email if you have a chance.

Thanks!

-Matt

Hey, Could I get a copy of the diffs for this mod?

They should be in CVS in a day or so.

Thanks much

I am authenticating to an AD LDAP server. Would the searchFilter allow me to search through only two AD user containers? If so, how would I craft the search query?

I want to do this because when I set the baseDN too low I get system accounts and mailboxes. Unfortunately I cannot define one baseDN because of multiple containers for security policy reasons.

Any suggestions?

Thanks,

Harley

I am authenticating to an AD LDAP server. Would the searchFilter allow me to search through only two AD user containers? If so, how would I craft the search query?

My LDAP skills are not good enough to know if you can limit searches only to two specific OUs. I think you have to set the baseDN to a specific OU only to get that OU, just as you are suggesting. But if all of your users are part of custom AD groups, you can select all the members of those groups. Here's an example searchFilter for finding all the users in two groups (I used this to select Faculty & Staff members):

(&(objectCategory=Person)(&(|(memberOf=CN=Group1,DC=example,DC=com)(memberOf=CN= Group2,DC=example,DC=com))(sAMAccountName=)))

Hope this helps. If you want to see what's in AD, go grab Softerra's free LDAP browser.

PS - the searchFilter above is previewing with some spaces in it. Please ignore all spaces in the searchFilter.

Harley,

Two options:

  1. Use the alternateBaseDN feature to specify two DNs in your directory to load users from.

  2. Set the baseDN to be a large portion of your directory and then use the search filter feature to filter out mail boxes and other stuff that's not actually user accounts.

Regards,

Matt
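To make the two options concrete, and to show what the memberOf searchFilter from the earlier reply actually selects, here is an added example (not Jive Messenger code) that evaluates filters of that shape over a small constructed directory. It implements only the RFC 4515 subset used in this thread (`&`, `|`, `!`, and `attr=value` with `*` wildcards), and it treats base-DN scoping as a plain string-suffix check on the DN; the directory entries, group names and helper names are all assumptions made up for the illustration.

```python
# Added example, not Jive Messenger code: a small evaluator for the RFC 4515
# filter subset used in this thread ((&...), (|...), (!...), (attr=value) with
# '*' wildcards), run over a constructed in-memory directory to show how
# baseDN/alternateBaseDN scoping and a memberOf searchFilter each narrow the
# user set. Assumptions: attribute names and values compare case-insensitively,
# and subtree scoping is a simple suffix check on the DN string (a real server
# normalises DNs properly).
import re


def parse_filter(text):
    """Parse a filter into a tree of ('&'|'|'|'!', [children]) and
    ('=', attr, value) tuples."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        op = text[i]
        if op in "&|!":
            i += 1
            children = []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return (op, children), i + 1
        end = text.index(")", i)                      # simple assertion ends here
        attr, _, value = text[i:end].partition("=")   # split on the FIRST '='
        return ("=", attr.strip().lower(), value.strip()), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _value_matches(pattern, value):
    """Equality match, with '*' acting as the LDAP substring wildcard."""
    if "*" not in pattern:
        return pattern.lower() == value.lower()
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def evaluate(node, entry):
    """True if entry (dict of lowercase attr -> list of values) satisfies node."""
    op = node[0]
    if op == "&":
        return all(evaluate(child, entry) for child in node[1])
    if op == "|":
        return any(evaluate(child, entry) for child in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))


def search(directory, base_dns, filter_text):
    """DNs under any of the base DNs (subtree scope) that satisfy the filter."""
    tree = parse_filter(filter_text)
    suffixes = ["," + base.lower() for base in base_dns]
    return sorted(dn for dn, attrs in directory.items()
                  if any(dn.lower().endswith(s) for s in suffixes)
                  and evaluate(tree, attrs))


# Constructed sample directory (not real data): two people in groups, plus a
# service account and a shared mailbox that are also objectCategory=Person.
DIRECTORY = {
    "CN=Alice,OU=Staff,DC=example,DC=com": {
        "objectcategory": ["Person"], "samaccountname": ["alice"],
        "memberof": ["CN=Group1,DC=example,DC=com"]},
    "CN=Bob,OU=Faculty,DC=example,DC=com": {
        "objectcategory": ["Person"], "samaccountname": ["bob"],
        "memberof": ["CN=Group2,DC=example,DC=com"]},
    "CN=svc-backup,OU=Service Accounts,DC=example,DC=com": {
        "objectcategory": ["Person"], "samaccountname": ["svc-backup"]},
    "CN=Shared Mailbox,OU=Mailboxes,DC=example,DC=com": {
        "objectcategory": ["Person"], "samaccountname": ["shared"]},
}

# The two-group filter from the thread, with the spaces removed.
GROUP_FILTER = ("(&(objectCategory=Person)"
                "(&(|(memberOf=CN=Group1,DC=example,DC=com)"
                "(memberOf=CN=Group2,DC=example,DC=com))(sAMAccountName=*)))")


def option_scope_by_base_dn():
    """Option 1: baseDN plus alternateBaseDN, each naming one user container."""
    return search(DIRECTORY, ["OU=Staff,DC=example,DC=com",
                              "OU=Faculty,DC=example,DC=com"],
                  "(objectCategory=Person)")


def option_filter_by_group():
    """Option 2: a wide baseDN, with the searchFilter doing the narrowing."""
    return search(DIRECTORY, ["DC=example,DC=com"], GROUP_FILTER)


def wide_base_no_filter():
    """The problem case: a wide baseDN with no narrowing returns everything."""
    return search(DIRECTORY, ["DC=example,DC=com"], "(objectCategory=Person)")


if __name__ == "__main__":
    print("wide base, no filter:", wide_base_no_filter())
    print("scoped by base DNs: ", option_scope_by_base_dn())
    print("filtered by group:  ", option_filter_by_group())
```

Both options return the same two people here; the difference is where the policy lives. Scoping by container follows the directory layout, while the group filter follows membership, so a user moved between OUs keeps access under option 2 and loses it under option 1.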