Multiple LDAP servers

Hello,

Is there any possibility to authenticate users using 2 or more LDAP servers - using 2 servers with a baseDN being “child” to the other ?

Example: server 1 has “dc=example,dc=com”. Server 2 has “dc=subdomain,dc=example,dc=com”. I have noticed that “autoFollowReferrals” doesn’t help.

Any idea would be greatly appreciated.

Regards,

Dinu

Hi Dinu,

Take a look at this thread:

http://www.jivesoftware.org/forums/thread.jspa?messageID=96515

Hope that helps,

Ryan

Thanks, Ryan

I’ve tested that too. When set up to the parent, it wasn’t authenticating users from the child domain.

From the sources I’ve seen that Jive first seeks the user, but when the user belongs to a child domain that is handled by a different server, the LDAP answer is not the actual baseDN of the user but a referral. Jive then appends the baseDN from the config file again to this value and tries the authentication.

Example:

user DN is “cn=user name, cn=users, dc=child,dc=example,dc=com”.

baseDN in the config file is “dc=example,dc=com”

“dc=child,dc=example,dc=com” is handled by server.child.example.com.

The LdapManager.java:findUserDN(username) will return (instead of user DN) “ldap://server.child.domain:389/CN=User Name, CN=Users, dc=child, dc=example, dc=com”

then in checkAuthentication(userDN, password) in the same file we have

    env.put(Context.SECURITY_PRINCIPAL, userDN + "," + baseDN);

so the SECURITY_PRINCIPAL will be “ldap://server.child.domain:389/CN=User Name, CN=Users, dc=child, dc=example, dc=com,dc=example,dc=com”

There is no way the LDAP server will authenticate this.

Regards,

Dinu

Hi Dinu,

Unfortunately, it looks like your problem goes beyond my very limited knowledge of LDAP. Matt is the local LDAP expert, so he’d probably be your best bet for finding a solution to your problem.

~Ryan

Dinu,

You may want to try letting referrals be followed automatically by the provider. This is detailed at:

http://java.sun.com/products/jndi/tutorial/ldap/referral/follow.html

If you aren’t able to make this change yourself, please let me know and I should be able to provide a custom build of the LDAP classes. If setting the value to “follow” solves the problem, we can make this a standard configurable feature of the LDAP module.

Regards,

Matt

Matt,

I’ve looked over the example. But I think the problem is not with following referrals - the code to do this is already there, no need for a custom build.

Quoting from LdapManager.java

in the constructor:

    this.followReferrals = Boolean.valueOf(JiveGlobals.getXMLProperty(
            "ldap.autoFollowReferrals")).booleanValue();

in getContext(String baseDN)

    if (followReferrals) {
        env.put(Context.REFERRAL, "follow");
    }

And this works: the result is the referral in absolute form: ldap://server.subdomain.domain.com:389/cn=User,cn=Users,dc=subdomain,dc=domain, dc=com

The issue seems to be with the fact that this result is returned as is to LdapManager.checkAuthentication(String userDN, String password), where, when defining the env Hashtable, the baseDN from the config file is appended again to a “referral” DN that’s already in absolute form.

the result from

    env.put(Context.SECURITY_PRINCIPAL, userDN + "," + baseDN);

would be that Context.SECURITY_PRINCIPAL = “ldap://server.subdomain.domain.com:389/cn=User,cn=Users,dc=subdomain,dc=domain,dc=com,dc=domain,dc=com”, given that in jiveMessenger.xml the setting is “dc=domain,dc=com”.

What do you think ?

Regards,

Dinu

Dinu,

That sounds correct. Often, I’ve seen people bind with something like “cn=Directory Administrator”. Any possibility you could use something like that where the credentials would be the same between servers? If not, I think you’d need to modify the LDAP code yourself to more manually handle the referrals.

Regards,

Matt

Well, I’ve modified the LDAP code. In LdapManager.java I’ve added a function that retrieves the DN from the referral. This function is called from LdapAuthProvider and LdapUserProvider whether the person belongs to the parent or the child LDAP domain.

And I’ve also added into LdapAuthProvider a query to a single-column MySQL table that ensures the person is authorized to connect - if the result set is not empty it goes forward, otherwise it throws an Unauthorized exception. This was the simplest authorization method I’ve found, since playing with the LDAP filters is not my favorite …

I have another issue: sometimes Jive is retrieving the whole tree of LDAP accounts. Since we have a lot of those, distributed among servers, this takes several minutes. During this process, XMPP clients (i.e. Exodus) are waiting for “Getting contacts” …

I have 3 questions: what would be the impact of Jive not doing this ? And how can this be prevented ? Is the debugging log feature (general, not LDAP) affecting the speed of the process ?

Thanks and regards,

– Dinu
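The failure Dinu traces above (findUserDN returning an LDAP URL referral, and checkAuthentication appending baseDN to it) and the fix he describes (extracting the DN from the referral before binding) can be illustrated with a small self-contained Java class. This is an added example, not Dinu's patch and not Jive Messenger's LdapManager code; the class, method and variable names are invented for illustration, and the two inputs at the bottom are constructed to mirror the values quoted in the thread. It shows the one decision the original code misses: a followed referral already carries an absolute DN and names the server that holds the entry, so it must be bound as-is against that server, while a plain lookup result is an RDN that still needs the configured baseDN appended.

```java
import javax.naming.Context;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;

/**
 * Added example, not project code: derive the bind target from what a user lookup returned.
 * A followed referral comes back as an LDAP URL (RFC 4516), which already carries an absolute DN
 * and the host that holds the entry; a plain result is an RDN relative to the configured baseDN.
 */
public class ReferralBind {

    /** True when the lookup result is an LDAP URL, i.e. a referral the JNDI provider returned. */
    static boolean isLdapUrl(String value) {
        String v = value.trim().toLowerCase();
        return v.startsWith("ldap://") || v.startsWith("ldaps://");
    }

    /** "ldap://host:389/cn=...?..." -> "ldap://host:389" (scheme and authority only). */
    static String serverOf(String ldapUrl) {
        String u = ldapUrl.trim();
        int slash = u.indexOf('/', u.indexOf("://") + 3);
        return slash < 0 ? u : u.substring(0, slash);
    }

    /** "ldap://host:389/DN?attrs?scope?filter" -> the percent-decoded DN, or null if the URL has none. */
    static String dnOf(String ldapUrl) {
        String u = ldapUrl.trim();
        int slash = u.indexOf('/', u.indexOf("://") + 3);
        if (slash < 0) return null;
        String rest = u.substring(slash + 1);
        int q = rest.indexOf('?');
        String dn = percentDecode(q < 0 ? rest : rest.substring(0, q)).trim();
        return dn.isEmpty() ? null : dn;
    }

    /** Minimal %XX decoder; unlike java.net.URLDecoder it leaves '+' alone, which is legal in a multi-valued RDN. */
    static String percentDecode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            int cp = s.codePointAt(i);
            if (cp == '%' && i + 2 < s.length()
                    && Character.digit(s.charAt(i + 1), 16) >= 0
                    && Character.digit(s.charAt(i + 2), 16) >= 0) {
                out.write(Integer.parseInt(s.substring(i + 1, i + 3), 16));
                i += 2;
            } else {
                byte[] b = new String(Character.toChars(cp)).getBytes(StandardCharsets.UTF_8);
                out.write(b, 0, b.length);
                i += Character.charCount(cp) - 1;
            }
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    /**
     * Builds the JNDI environment for the password check. The configured host, port and baseDN are
     * used only for a relative result; a referral is bound at the server named in the URL with its own DN.
     */
    static Hashtable<String, String> bindEnvironment(String lookupResult, String password,
                                                     String host, int port, String baseDN) {
        // An empty password turns a simple bind into an anonymous (unauthenticated) bind, which would
        // "succeed" for any user; reject it before it reaches the directory.
        if (password == null || password.isEmpty()) {
            throw new IllegalArgumentException("empty password would be an anonymous bind");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        if (isLdapUrl(lookupResult)) {
            String dn = dnOf(lookupResult);
            if (dn == null) throw new IllegalArgumentException("referral without a DN: " + lookupResult);
            env.put(Context.PROVIDER_URL, serverOf(lookupResult));
            env.put(Context.SECURITY_PRINCIPAL, dn);                      // absolute already: no baseDN
        } else {
            env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
            env.put(Context.SECURITY_PRINCIPAL, lookupResult + "," + baseDN); // original behaviour
        }
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    public static void main(String[] args) {
        String baseDN = "dc=example,dc=com";
        // Constructed inputs mirroring the thread: a referral for a child-domain user, and a plain RDN.
        String referral = "ldap://server.child.example.com:389/CN=User Name, CN=Users, dc=child, dc=example, dc=com";
        String relative = "cn=Local User,cn=Users";
        for (String result : new String[] { referral, relative }) {
            Hashtable<String, String> env = bindEnvironment(result, "secret", "ldap.example.com", 389, baseDN);
            System.out.println(env.get(Context.PROVIDER_URL) + "  bind as  " + env.get(Context.SECURITY_PRINCIPAL));
        }
        // To actually check a password: new javax.naming.directory.InitialDirContext(env).close();
        // a wrong password surfaces as javax.naming.AuthenticationException.
    }
}
```

Two points worth keeping in mind when wiring something like this into a real deployment. First, the user's password is sent to whichever host the referral names, so the set of servers a referral may point at should be limited to the directory servers you operate (a compromised or mis-entered referral would otherwise collect credentials). Second, a DN extracted from a referral keeps whatever spacing the server emitted ("CN=Users, dc=child"); most servers accept that in a bind, but if you later compare it with DNs from elsewhere, normalize both sides first rather than comparing raw strings.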

This is probably more of a question for matt,…

Is the ability to follow referrals going to be merged into messenger proper? Thanks.

Message was edited by: rohwedde