LDAP Grouping

I've been trying off and on for a few days now to restrict users to our Jive server to a select group in the company defined by LDAP. It works fine if I just set the baseDN to the nearest OU, but any attempt to add the appropriate CN to the baseDN or to use searchFilter throws errors. So our company layout is basically one big OU and then a myriad of CNs which define groups. I need to allow access to Jive Messenger only to one particular CN. (Forgive me if I seem simplistic, I'm new to using LDAP.)

Here's my ldap portion of jivemessenger.xml

ldap.corporate.com

389

uid

cn

mail

o=MyCorp , c=US

This works fine. If I add

((uid=)(cn=Information Systems))

I get an error of

2005.04.25 14:14:09 Trying to find a user's DN based on their username. uid: user4242, Base DN: o=MyCorp , c=US...
2005.04.25 14:14:09 Creating a DirContext in LdapManager.getContext()...
2005.04.25 14:14:09 Created hashtable with context values, attempting to create context...
2005.04.25 14:14:09 ... context created successfully, returning.
2005.04.25 14:14:09 Starting LDAP search...
2005.04.25 14:14:10 ... search finished
2005.04.25 14:14:10 User DN based on username 'user4242' not found.
2005.04.25 14:14:10 Exception thrown when searching for userDN based on username 'user4242'
org.jivesoftware.messenger.user.UserNotFoundException: Username user4242 not found

If I try

(&(uid=)(cn=Information Systems))

as stated in a few posts on this topic, I can't even start the service. It returns

ERROR 11144 (): Error reading XML properties

org.dom4j.DocumentException: Error on line 39 of document : The entity name must immediately follow the '&' in the entity reference. Nested exception: The entity name must immediately follow the '&' in the entity reference.

If I try no and instead set my baseDN to

cn=Information Systems, o=MyCorp , c=US

I throw an error

2005.04.25 14:07:42 Trying to find a user's DN based on their username. uid: user4242, Base DN: cn=Information Systems, o=MyCorp , c=US...

2005.04.25 14:07:42 Creating a DirContext in LdapManager.getContext()...

2005.04.25 14:07:42 Created hashtable with context values, attempting to create context...

2005.04.25 14:07:42 ... context created successfully, returning.

2005.04.25 14:07:42 Starting LDAP search...

2005.04.25 14:07:42 Exception thrown when searching for userDN based on username 'user4242'

javax.naming.NameNotFoundException: LDAP: error code 32 - No Such Object; remaining name ''

Any guidance with this issue would be greatly appreciated!

~Chris

And just to cover my bases: by "not work" I mean that I can't log in to the admin console, nor can I connect to the server with a client (Psi, Exodus, or Gush) once I've made an attempt to filter by the CN=Information Systems.

You need to either escape your ampersand in valid XML or use the CDATA tags as described in the LDAP Guide of the documentation.

Thanks for the input!

Well, I've added the <![CDATA[(&(uid=user4242)!(uid=user5454))]]>

But that always kills the deal and then I can't log in as either user.

Any more ideas?

Ok, I've finally figured out that everything I'm filtering on is within an object defined as a user, and that object has no reference to any groups that it may belong to. Unless there's some functionality to look at an objectclass=groupOfUniqueNames and only allow the UniqueMembers of this objectclass, I'm going to have to manually put each user in the system. So, if anyone can either enlighten me on the first or show me how to do an OR operator in my searchFilter, I'd appreciate it!

If you have a CN that contains all of your users, set the BaseDN to that CN. You are right in noting that the filter only filters attributes of a given user object. Unless the user object actually has group membership info in it, the filter is useless for solving this specific problem.

Also, I'm wondering if you may have the BaseDN wrong. Try this: "cn=Information Systems,dc=MyCorp,dc=US". I notice you have "o=MyCorp,c=US". I assume that means "ou=MyCorp,dc=US". You might also try those prefixes as well. Not sure if that will make a difference or not.
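The two mechanical problems in this thread, the OR filter Chris asked for and the dom4j "entity name must immediately follow the '&'" error, come down to building the filter correctly and then embedding it in XML correctly. The following is an added example, not code from the thread or from Jive Messenger: it builds an OR filter over a list of allowed uids with RFC 4515 escaping (so a username containing `*`, `(` or `)` cannot rewrite the filter), then shows that a raw `&` in the property breaks XML parsing while the `&amp;` and CDATA forms both parse back to the same filter text. The element name `searchFilter` and the flat element layout are assumptions; the real jivemessenger.xml nests it under the ldap section.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

# RFC 4515 escaping for values placed inside an LDAP search filter.
# Unescaped, a value such as "*)(uid=*" would change the filter's meaning.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def uid_or_filter(uids) -> str:
    """OR operator: (|(uid=a)(uid=b)...) matches any of the listed users."""
    clauses = "".join(f"(uid={escape_filter_value(u)})" for u in uids)
    return f"(|{clauses})"


def and_filter(*clauses: str) -> str:
    """AND operator: (&(clause1)(clause2)...)."""
    return "(&" + "".join(clauses) + ")"


def xml_property(filter_text: str, use_cdata: bool = False, tag: str = "searchFilter") -> str:
    """Embed the filter in an XML element; '&' must be escaped or wrapped in CDATA.
    (tag name is an assumption, not taken from the Jive documentation)"""
    if use_cdata:
        return f"<{tag}><![CDATA[{filter_text}]]></{tag}>"
    return f"<{tag}>{xml_escape(filter_text)}</{tag}>"


def parse_property(xml_text: str):
    """Return the element's text if the XML is well-formed, else None.
    A raw '&' followed by '(' yields None, matching the dom4j failure above."""
    try:
        return ET.fromstring(xml_text).text
    except ET.ParseError:
        return None


if __name__ == "__main__":
    # Constructed sample: only these two accounts may log in.
    flt = and_filter("(objectclass=person)", uid_or_filter(["user4242", "user5454"]))
    print(flt)
    print(xml_property(flt, use_cdata=True))
    print("raw & parses:", parse_property(f"<searchFilter>{flt}</searchFilter>") is not None)
```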

Yeah, I started initially with specifying that BaseDN that you suggest and it wouldn't let me log in afterwards. Well, but using o= and c= because that's how our server is set up. Now it's not beyond reason that our LDAP server is a bit screwed up.

At this point I've managed to get it to work by manually specifying each user using operators in the fashion of

Yes, this is horribly kludgey and a PITA to maintain, but it works for now until I can devote some more time to the issue. We're planning to roll out AD shortly, so maybe when we do that I can authenticate against it instead and that will work out much better.

Thanks for your help hrothgar!