LDAP HowTo

Can anyone provide an LDAP HowTo? I personally have never delved into LDAP at all. What I want to do is use our AD to authenticate. I'm fairly sure LDAP is enabled in our AD. All I need to know is what information in the example config correlates to relevant AD information / how to find relevant information.

389

uid

cn

mail

org.jivesoftware.messenger.ldap.LdapUserProvider

org.jivesoftware.messenger.ldap.LdapAuthProvider

If someone could just point out the various lines and where I go in the AD to find that stuff, that would be awesome.

Thanks!

It would help if I actually looked in the documentation directory. Disregard my oversight.

…and I am back again. I don't know enough about how LDAP works with Active Directory (Windows 2000) to know which fields require what settings in the jive-messenger.xml file, nor exactly what the proper settings are from AD to fill in. The install-guide.html also wasn't quite enough for someone as novice as me to connect the dots between LDAP and AD.

Can someone with a decent bit of AD and LDAP experience give me an example config, and show me where in AD you pulled each bit of info for the LDAP portion of install-guide.html ?

Message was edited by: Swad

Here is how I did it…

host: I used the AD domain name (e.g. domain.com), which should resolve to any domain controller. You can also enter a specific domain controller (dc1.domain.com).

port: 389

usernameField: sAMAccountName

nameField: I used displayName, but you can also use the container name field (CN).

emailField: mail

baseDN: The distinguished name of the container that user searches will be performed on. For example, to include all users in your AD, use DC=domain,DC=com. To include only the users in the “Users” container, use CN=Users,DC=yourdomain,DC=com.

adminDN: The distinguished name of the user with permissions to perform directory operations (e.g. CN=Administrator,CN=Users,DC=domain,DC=com). I would recommend creating an account just for this situation and assigning the minimum amount of permissions needed (which I haven't determined yet).

authorizedUsernames: the container name of the adminDN user (e.g. Administrator).

Example config:

Administrator

domain.com

389

sAMAccountName

displayName

mail

DC=domain,DC=com

CN=Administrator,CN=Users,DC=domain,DC=com

password

org.jivesoftware.messenger.ldap.LdapUserProvider

org.jivesoftware.messenger.ldap.LdapAuthProvider

Awesome–it worked! Well, mostly. You need to inform matt about the connections between LDAP and AD. He asked in another thread about it. Seems that is the information that links the two, though.

My issue now is how do I make the client connect? I could do a client connection fine before when it was not LDAP and I just used the integrated database and users I set up in the admin interface. I've tried: user@domain.com and user@machine (<- this is what I used before) and neither seem to connect. When doing LDAP, which do you do?

Swad,

So, what's the information that let you make LDAP work with AD? If you guys can help me figure out what to add to the documentation, that would be great.

Thanks,

Matt

JL pretty much outlined the important fields in the .xml config file, and what AD LDAP field they correlate with. In all honesty, exactly what he wrote in the first post, then gave an example of in the second post, allowed me to make the appropriate changes to my config reflective of our AD setup, and it worked great (at least logging into the admin console with AD users). I'd say what he has is a good start for AD <–> LDAP docs. I still have yet to figure out how to get a user to log in via a Psi client, though.

I use user@domain.com to login with Exodus, but I verified that user@machine also works. I haven't tried it with Psi.

Are you using SSL? I haven't been able to login with SSL yet, though to be fair I haven't really tried that hard either.

I downloaded Psi and was able to successfully login. I used user@domain.com for the jabber id, checked “Allow Plaintext Login,” and manually specified the host.

“Allow Plaintext…” is a temporary setting because I haven't enabled and configured SSL on the server yet.

Also, in the Admin Console under System Properties, I set xmpp.domain to the Active Directory domain (e.g. domain.com).

Hope this helps…

I didn't have “Allow Plaintext” on – that was it. So what's the deal if you have that deselected? Are you therefore forced to use SSL? Seems odd that w/o it selected you have to do something else. Anyway, plaintext is working for now, but I'll probably want to get SSL going.

Thanks as always!

I didn't have “Allow Plaintext” on – that was it.

So what's the deal if you have that deselected?

Plaintext is required for LDAP. We don't have access to the LDAP password so there's no way to do digest authentication, for example. I'll have to update the docs to note that.

Are you therefore forced to use SSL? Seems odd that w/o it selected you have to do something else.

Anyway, plaintext is working for now, but I'll probably want to get SSL going.

Yep, using SSL is a good idea when plaintext auth is being used.

Regards,

Matt
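The two posts above (JL's field-by-field mapping and Matt's explanation of why plaintext is required) describe one mechanism: the server binds as adminDN, searches under baseDN for `(usernameField=login)`, then binds again as the DN it found with the password the client supplied, which is why it needs that password in the clear. The following is an added example, not Jive Messenger's code or anything posted in the thread; it models that search-then-bind flow against a small constructed in-memory directory so it runs offline. The directory entries, passwords, the `ldap_bind`/`search` simulations and the `adminPassword` key name are all assumptions. It also shows the one thing a real implementation must get right that the thread never mentions: the login name has to be escaped (RFC 4515) before it is spliced into the search filter.

```python
import re

# Characters that RFC 4515 requires to be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name before splicing it into a search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username_field: str, login: str) -> str:
    """The filter the server sends: (usernameField=<escaped login>)."""
    return f"({username_field}={escape_filter_value(login)})"


# Constructed sample directory (assumption, not a real AD): DN -> attributes.
DIRECTORY = {
    "CN=jabber,CN=Users,DC=domain,DC=com": {
        "sAMAccountName": "jabber", "displayName": "Jabber Service", "mail": "jabber@domain.com"},
    "CN=Alice Smith,CN=Users,DC=domain,DC=com": {
        "sAMAccountName": "asmith", "displayName": "Alice Smith", "mail": "asmith@domain.com"},
    "CN=Bob Jones,OU=User Accounts,DC=domain,DC=com": {
        "sAMAccountName": "bjones", "displayName": "Bob Jones", "mail": "bjones@domain.com"},
}
# Constructed passwords for the simulated simple bind.
PASSWORDS = {
    "CN=jabber,CN=Users,DC=domain,DC=com": "svc-secret",
    "CN=Alice Smith,CN=Users,DC=domain,DC=com": "alice-pw",
    "CN=Bob Jones,OU=User Accounts,DC=domain,DC=com": "bob-pw",
}


def ldap_bind(dn: str, password: str) -> bool:
    """Simulated LDAP simple bind: the DN must exist and the password must match."""
    return dn in PASSWORDS and PASSWORDS[dn] == password


def _unescape(segment: str) -> str:
    """Turn RFC 4515 \\XX sequences back into the literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), segment)


def search(base_dn: str, ldap_filter: str) -> list:
    """Simulated subtree search: DNs under base_dn whose attr matches (attr=value).

    Only the equality form used by the user lookup is supported. An unescaped
    '*' acts as a wildcard, exactly as a real server would treat it.
    """
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, raw_value = m.group(1), m.group(2)
    # Split on unescaped '*' first, then unescape each literal segment.
    pattern = ".*".join(re.escape(_unescape(seg)) for seg in raw_value.split("*"))
    value_re = re.compile(f"^{pattern}$", re.IGNORECASE)
    base = base_dn.lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = dn.lower() == base or dn.lower().endswith("," + base)
        if in_scope and any(k.lower() == attr.lower() and value_re.match(v)
                            for k, v in attrs.items()):
            hits.append(dn)
    return hits


def authenticate(config: dict, login: str, password: str):
    """Search-then-bind as the thread describes it; returns user attributes or None."""
    # 1. Bind with adminDN so the server is allowed to search the directory.
    if not ldap_bind(config["adminDN"], config["adminPassword"]):
        raise RuntimeError("adminDN bind failed: check adminDN and its password")
    # 2. Look the login name up under baseDN by usernameField.
    hits = search(config["baseDN"], build_user_filter(config["usernameField"], login))
    if len(hits) != 1:          # unknown user, outside baseDN, or ambiguous
        return None
    user_dn = hits[0]
    # 3. Bind as the user's own DN with the password the client supplied.
    #    This is why the server needs the plaintext password: it never holds a hash.
    if not ldap_bind(user_dn, password):
        return None
    attrs = DIRECTORY[user_dn]
    return {"dn": user_dn,
            "name": attrs[config["nameField"]],
            "email": attrs[config["emailField"]]}


# JL's settings, with the service account swapped for the constructed one above.
CONFIG = {
    "host": "domain.com", "port": 389,
    "usernameField": "sAMAccountName", "nameField": "displayName", "emailField": "mail",
    "baseDN": "CN=Users,DC=domain,DC=com",
    "adminDN": "CN=jabber,CN=Users,DC=domain,DC=com", "adminPassword": "svc-secret",
}

if __name__ == "__main__":
    print(authenticate(CONFIG, "asmith", "alice-pw"))   # found under baseDN and bound
    print(authenticate(CONFIG, "bjones", "bob-pw"))     # None: account lives outside baseDN
```

Two things worth noticing when running it: with baseDN set to the “Users” container, an account in another OU is simply never found, which is the scoping behaviour JL describes later in the thread; and because step 3 sends the user's real password to the directory, the 389 connection should be wrapped in TLS (LDAPS on 636 or StartTLS), independent of whether the XMPP client side uses SSL.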

JL: Maybe you know a bit more about LDAP and how it functions in AD–is there a way in the baseDN or some other setting to force queries to only search AD users who are part of a particular AD security group? Or is it only possible to specify AD containers when doing this? I ask because we have various AD users in various AD containers, and it may help to fix a different issue I'm having with Jive shared groups if I can force LDAP queries to only users who are members of certain security groups in AD. Any ideas?

You can't do it by security group, but you can set it to a specific container. I put all of my user accounts in a custom OU named “User Account” instead of the builtin “Users” container, so my baseDN is set to “OU=User Accounts,DC=domain,DC=com.” If you use the builtin “Users” container, use “CN=Users,DC=domain,DC=com.”

If your other problem is disabling General group, I just posted a reply to that thread, too.

Bummer. We can't do by container as we use 4-5 different containers for users and apply group policies based off of this. We also have more than just users in those containers. The only real reason I wanted to do this was to get rid of it querying the whole AD and populating that General group with the entire AD. With that in mind, I'm going to go visit that other thread. Thanks.

I've been checking out the entire thread up and down and I still can't authenticate against my AD. I installed JiveMessenger 2.1.2 in my DC with Win2k Adv Srv. Is there anything wrong with that? Do I need any other stuff besides the one that comes with a normal domain controller installation? Could anyone help me with this, please?

9090

9091

abe, bill, carl, dave

en

myDomain.edu.com

389

samAccountName

diplayName

mail

DC=myDomain,DC=edu,DC=com

CN=jabber,CN=Users,DC=myDomain,DC=edu,DC=com

12345

org.jivesoftware.messenger.ldap.LdapUserProvider

org.jivesoftware.messenger.ldap.LdapAuthProvider