LDAP support for Active Directory global catalog servers

John_G_Gauthier · March 14, 2011, 10:28pm

After more time than I care to admit, I have figured out what exactly is required to get my Openfire 3.7.0 instance to authenticate and pull users from a full Active Directory domain forest.

company.local
- northamerica.company.local
- europe.company.local
- asiapacific.company.local

I pointed Openfire at a domain controller in company.local with the global catalog server role and made the following changes to LdapManager:

Index: LdapManager.java
===================================================================
--- LdapManager.java     (revision 2)
+++ LdapManager.java     (revision 3)
@@ -622,7 +622,11 @@
              * the secure connection has been established. */
             if (!(startTlsEnabled && !sslEnabled)) {
                     env.put(Context.SECURITY_AUTHENTICATION, "simple");
-                    env.put(Context.SECURITY_PRINCIPAL, userDN + "," + baseDN);
+                    if (baseDN == null || baseDN.trim().isEmpty()) {
+                         env.put(Context.SECURITY_PRINCIPAL, userDN);
+                    } else {
+                         env.put(Context.SECURITY_PRINCIPAL, userDN + "," + baseDN);
+                    }
                     env.put(Context.SECURITY_CREDENTIALS, password);
                } else {
                     if (followReferrals)

System properties:

ldap.adminDN = openfire@company.local
ldap.autoFollowAliasReferrals = false
ldap.autoFollowReferrals = false
ldap.baseDN =
ldap.encloseDN = true
ldap.host = 10.0.0.10
ldap.port = 3268
xmpp.domain = company.local

Please note that a global catalog server communicates on TWO different ports:

389: global catalog server responds as a domain controller in its natural domain
3268: global catalog server responds as a global catalog server

While this is in place and working, it requires that the ldap.basedn variable be set to blank or null, a situation the installer is not impressed with.

Are my changes above worth considering for implementation in a future release? If so, can someone work with me to insure the installer functions correctly for future global catalog owners?

Thanks! And I hope this is useful to someone in the future.

akrherz · March 16, 2011, 12:11am

Hello,

There isn’t really anybody actively developing openfire’s code. We need more folks to help out.

daryl

John_G_Gauthier · March 27, 2011, 12:10am

My blog post on this:

http://blog.johngauthier.com/2011/03/26/openfire-3-7-0-authenticating-with-an-ac tive-directory-global-catalog-server/

I’ll try to keep everything up to date as I make more progress on this.

Joe23 · March 28, 2011, 5:58pm

Can you provide a compiled jar with your patch?

Thank you

John_G_Gauthier · March 28, 2011, 6:17pm

Attached.
openfire.jar (7194518 Bytes)

Ivan_A_Smith · July 13, 2011, 10:02am

hello, John! Can you help me a little bit? I did just as you told (i.e. applied patch, emptied baseDN etc).

Yet, I cannot add users from other trees in my domain.

The structure is as follows:

domain.local

userOU

chatGroup1

office,domain.local

officeOU

chatOffice

office2.domain.local

office2OU

chatOffice2

Only the users from cn=chatGroup1,ou=userOU,dc=domain,dc=local are available. How can I fetch users from other trees?

P.S. The search filter is:

(&(objectClass=organizationalPerson)(|(memberOf=cn=ChatGroup1,ou=userOU,dc=domai n,dc=local)(memberOf=cn=chatOffice,ou=officeOU,dc=domain,dc=local)(memberOf=cn=c hatOffice2,ou=officeOU2,dc=domain,dc=local)))