LDAP / Wildfire Auth&User&Group Provider Hybrid

This is not a question, I'm just testing interest for now.

Over recent months I've been working on a Hybrid User/Group/Authentication system for Wildfire.

So what? Well it does have a few features that may be of interest to you guys.

Here's a summary of features:

It allows users, groups, and authentication to be provided by multiple sources. For example, I can mix LDAP provided users/groups with users/groups in Wildfire db.

It allows ldap users/groups to be replicated within Wildfire at the point the user logs in.

User and group information is replicated using wildfire API functions. This is important because it means that modifications to ldap groups are reflected in all logged in users rosters at the point of replication.

I think with Wildfire's default ldap provision, you have to wait 6 hours for the wildfire caches to expire before anyone will see changes to groups in the ldap directory reflected in their rosters. With my system, changes to groups are propagated to users whenever any ldap user in those groups logs in.

It's my belief that the replication strategy I'm using could hugely improve performance for ldap provider. This is because 1) ldap users are actually drawn from wildfire db. 2) Only ldap users that login to wildfire are replicated in the wildfire db. 3) eliminates the need for wildfire to perform huge ldap downloads after startup (or when caches are cleared).

It's still in a kind of prototype phase but seems to be working quite nicely at the moment. The code needs a bit of tidying up before I'm ready to publish it more widely, but in the meantime, if anyone's feeling brave enough to look at my code, I'm happy to send it, or discuss the ideas behind it.

Chris Denham.
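To make the replicate-at-login idea in the post above concrete, here is an added illustration in Python. It is not Chris's code and not part of Wildfire; the class names (LocalStore, DirectorySource, LocalSource, HybridProvider), the in-memory "database" and the sample directory are all constructed for the example. It shows the three points the post makes: authentication is tried against several sources in order, a directory user is copied into the local store only when that user logs in, and each login diffs the user's current directory groups against the stored ones so roster changes can be applied immediately rather than after a cache expiry.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class LocalStore:
    """Stands in for the server's own user/group database (in-memory, constructed)."""
    users: dict = field(default_factory=dict)    # username -> {"source": name}
    groups: dict = field(default_factory=dict)   # group name -> set of usernames

    def groups_of(self, username):
        return {g for g, members in self.groups.items() if username in members}

    def sync_memberships(self, username, groups):
        """Make the stored groups of `username` match `groups`.
        Returns (added, removed) so rosters can be updated right away
        instead of waiting for a cache to expire."""
        current = self.groups_of(username)
        added = set(groups) - current
        removed = current - set(groups)
        for g in added:
            self.groups.setdefault(g, set()).add(username)
        for g in removed:
            self.groups[g].discard(username)
        return added, removed


class DirectorySource:
    """Stands in for the builtin LDAP provider; the directory dict is constructed."""
    name = "ldap"

    def __init__(self, directory):
        self.directory = directory   # username -> {"password": str, "groups": [...]}

    def authenticate(self, username, password):
        entry = self.directory.get(username)
        if entry is None:
            return False
        # constant-time comparison for the toy credential check
        return hmac.compare_digest(entry["password"], password)

    def groups_of(self, username):
        return set(self.directory[username]["groups"])


class LocalSource:
    """Users whose credentials live only in the local database."""
    name = "local"

    def __init__(self, credentials):
        self.credentials = credentials   # username -> password (constructed)

    def authenticate(self, username, password):
        stored = self.credentials.get(username)
        return stored is not None and hmac.compare_digest(stored, password)

    def groups_of(self, username):
        return None   # local memberships are managed in the store, nothing to replicate


class HybridProvider:
    """Tries each source in order; on success replicates the user and its group
    memberships into the local store, from which all later reads are served."""

    def __init__(self, store, sources):
        self.store = store
        self.sources = sources

    def login(self, username, password):
        for source in self.sources:
            if not source.authenticate(username, password):
                continue
            self.store.users[username] = {"source": source.name}
            groups = source.groups_of(username)
            if groups is None:
                return source.name, set(), set()
            added, removed = self.store.sync_memberships(username, groups)
            return source.name, added, removed
        return None   # no source accepted the credentials

    def known_users(self):
        """Only local users and directory users that have logged in exist here:
        no bulk directory download at startup."""
        return sorted(self.store.users)


def demo():
    directory = {"alice": {"password": "alice-pw", "groups": ["eng", "ops"]}}
    store = LocalStore()
    store.users["bob"] = {"source": "local"}
    store.groups["eng"] = {"bob"}
    provider = HybridProvider(store, [DirectorySource(directory), LocalSource({"bob": "bob-pw"})])
    first = provider.login("alice", "alice-pw")       # alice copied in, joins eng and ops
    directory["alice"]["groups"] = ["eng", "sec"]     # directory changes between logins
    second = provider.login("alice", "alice-pw")      # diff: added sec, removed ops
    bob = provider.login("bob", "bob-pw")             # local user, not replicated
    eve = provider.login("eve", "x")                  # unknown everywhere
    return first, second, bob, eve, store.groups, provider.known_users()


if __name__ == "__main__":
    print(demo())
```

The `sync_memberships` return value is the piece worth keeping: whatever pushes roster updates only needs the added/removed sets for the user who just logged in, which is exactly what the post describes happening "at the point of replication".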

That sounds pretty nice! Will it support dynamic LDAP groups (i.e. groupOfURLs vs. groupOfNames/groupOfUniqueNames)?

Sam

I've never used dynamic ldap groups, so I'm not really qualified to answer that.

However, if the LDAP group info you are after can be picked up using the builtin wildfire LDAP providers, then you should be able to use it with my system. In fact, the LDAP config is the same, i.e. I am using the builtin wildfire ldap provider as a data source for the replication.

If the builtin class 'LdapGroupProvider' can't do it, you should be able to 'plug in' a different class that gets the groups you need quite easily.

Chris.

Dynamic (or query based) groups would be nice. However, the ability to nest groups would be better; I'd like to use my existing Exchange DLs but cannot because we use nesting extensively.