
Loginname different from jid

Hello,

I just switched from a custom Postgres database to LDAP, and now I have finally managed to let all our services authenticate against LDAP with the uid field.

However, I think there are a few missing options one should be able to configure:

  • a different base DN for users and groups (makes sense as we serve some external users too, and now I have about 60 groups where 10 would be enough)

  • the ability to specify a login attribute as well as a JID attribute (e.g. we have uid for login and mailRoutingAddress as JID, both single-valued)

  • This could IMHO be handled by providing a switch/filter/variable that lets you do some more with the login name you get from the client (e.g. providing the localpart and domainpart separately as well as, for ease of use only but it would be nice, the fully qualified name).

References to that are spread all over the forums, but I couldn't find a workaround (I'm no coder :/) to do that.

Using OpenLDAP here, so I can't speak for the AD people, but I guess it'll just boil down to an LDAP connection in essence.

Thanks, hoping for it in the next release.

Great work guys. I'm actually trying to talk my bosses into buying the commercial version.

SlushPupie is working on the ability to split your login ID from your JID.

The code he currently has works well but won't make the production version for a while.

In terms of groups, you do have a different search query. Is there any way you can tag the groups you want and filter the rest out?

Sure, I could tag the groups; in fact I'm setting up an auxiliary objectClass atm (not only because of Openfire, I need to do it anyway).

Reasons for a different DN (tagging aside) would be:

Our actual layout (mostly Linux clients):

dc=example,dc=com
+-- ou=groups
|   +-- ou=system        (system groups like www-data, with the same IDs everywhere)
|   +-- ou=accounts      (groups for accounts: bob, alice, users, development, standard memberships)
|   +-- ou=mailAccounts  (special mail groups)
+-- ou=people
    +-- ou=accounts      (normal user accounts: bob, alice)
    +-- ou=system        (system accounts that need the same uid)
    +-- ou=contacts      (shared LDAP address book)

With a single baseDN I need "dc=openforce,dc=com" as base and have to search the whole directory.

Having different baseDNs, I could just supply "ou=accounts,ou=groups,dc…" for groups and "ou=accounts,ou=people,dc…" for our Jabber users, taking some load off the LDAP server, which is something I'd really like to see as we're currently heavily using virtualization and I/O is a major problem with this.

Just an idea, but I think with large directories that would be an option that could really ease server load.

There is an option for an alternate baseDN.

I remember reading about some constraints with it, but it could possibly allow you to use two baseDNs.

D
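As an added illustration, not code from the original thread, from Openfire's own documentation or from any of the posters, here is how the two suggestions above (tagging the wanted groups with an auxiliary objectClass and filtering on it, and pointing Openfire at narrower base DNs) look in the <ldap> section of openfire.xml against the directory layout posted earlier. The objectClass name jabberGroup, the bind account uid=openfire and the host name are assumptions. One caveat that matters for the load argument: Openfire treats alternateBaseDN as a second subtree that is searched for both users and groups, not as a groups-only base, so it is the search filters, not the base DNs, that actually keep the system, contact and mail entries out of Openfire's view.

```xml
<!-- Added example openfire.xml fragment; not from the thread or from Openfire's docs.
     Directory layout is the one posted above. objectClass "jabberGroup", the bind
     account uid=openfire and the host name are assumptions. -->
<ldap>
  <host>ldap.example.com</host>
  <port>389</port>

  <!-- Users live under ou=accounts,ou=people, groups under ou=accounts,ou=groups.
       Openfire searches BOTH subtrees for users and for groups, so the filters
       further down are what exclude ou=system, ou=contacts and ou=mailAccounts. -->
  <baseDN>ou=accounts,ou=people,dc=example,dc=com</baseDN>
  <alternateBaseDN>ou=accounts,ou=groups,dc=example,dc=com</alternateBaseDN>

  <!-- Read-only bind account (assumed to live in the posted ou=system subtree).
       The password is stored in clear text here, so keep the file permissions tight. -->
  <adminDN>uid=openfire,ou=system,ou=people,dc=example,dc=com</adminDN>
  <adminPassword>change-me</adminPassword>

  <!-- The login name is matched against uid; the JID localpart is derived from the
       same attribute, since a separate JID attribute is not yet configurable. -->
  <usernameField>uid</usernameField>
  <nameField>cn</nameField>
  <emailField>mail</emailField>
  <!-- Combined by Openfire with the (uid={0}) name match: only real person
       entries are considered, even though ou=system holds entries with uids too. -->
  <searchFilter>(objectClass=inetOrgPerson)</searchFilter>

  <groupNameField>cn</groupNameField>
  <groupMemberField>member</groupMemberField>
  <groupDescriptionField>description</groupDescriptionField>
  <!-- Combined with the (cn={0}) name match: only groups carrying the auxiliary
       objectClass are returned, the remaining ~50 groups never reach Openfire. -->
  <groupSearchFilter>(objectClass=jabberGroup)</groupSearchFilter>
</ldap>
<provider>
  <auth><className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className></auth>
  <user><className>org.jivesoftware.openfire.ldap.LdapUserProvider</className></user>
  <group><className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className></group>
</provider>
```

The jabberGroup objectClass stands in for the auxiliary class the poster says they are adding; its schema definition is not shown. Before relying on the filters, check them from the command line with the same bind account and the same base DNs, so that a group or user that unexpectedly appears or disappears in Openfire can be traced to the directory rather than to the server.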