Multiple LDAP

Is it possible to have Wildfire authenticate users on multiple LDAP?



Can you explain a little more what you mean by “multiple ldap”? Multiple LDAP servers can actually be specified, but with the current implementation they must all be exact copies of each other.

I have Wildfire running for my organization. Another sister organization wants to use Jabber service, I told them they could probably use our server. So, I need Wildfire to authenticate against our and their active directory.

What do you mean by exact copies of each other?



What you are looking to do likely won’t work. What would happen if two users had the same username? The way it works now is all servers listed are considered equivalent. That means if one server fails the authentication, it won’t go on to try another server. This is why it’s important that if you list multiple LDAP servers they are exact copies of each other. By that I mean they contain exactly the same information. This is really only useful in case one LDAP server goes down, the others will respond in its place.

That said, if you are using Active Directory, it’s possible to have a trust relationship between the realms, so I could see MS doing something in LDAP that would make this work. But since I don’t use Windows, I can’t say if this is really possible.

Another option might be to use hybrid auth, and use LDAP for both of them. I don’t know how this works either.

Thank you for your response. That makes sense.

I guess the best option is for them to run a Wildfire server. If they do run a Wildfire server, would their clients (employees) be able to talk to mine?



If your organizations share a common forest/global catalog and there is a trust relationship between the domains, you can point Wildfire to any global catalog server and any user in the entire forest can authenticate with Wildfire.

This works in my organization, with 8 domains, and 100k+ users. I pointed Wildfire to a global catalog in the root domain, and any user in the forest can log on to Wildfire.

Be sure to change the LDAP port to the global catalog service port (3268) in your config for this to work.
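
The global catalog setup described in the post above, sketched as the `<ldap>` section of wildfire.xml. This is an added example, not the poster's configuration: the host name, DNs and password are constructed placeholders, and the element names are assumed to match the Wildfire LDAP guide for the installed version.

```xml
<!-- Added example with constructed values; nothing here is taken from the thread. -->
<ldap>
  <!-- Any global catalog server in the forest (placeholder host name). -->
  <host>gc.rootdomain.example</host>

  <!-- 3268 is the global catalog port. The default LDAP port 389 only
       returns objects from the one domain that the server hosts. -->
  <port>3268</port>

  <!-- Search from the forest root so accounts in every child domain match
       (placeholder DN). -->
  <baseDN>DC=rootdomain,DC=example</baseDN>

  <!-- Active Directory logon name. sAMAccountName is unique only within a
       domain, so two domains in one forest can both hold the same value. -->
  <usernameField>sAMAccountName</usernameField>

  <!-- Dedicated read-only bind account (placeholder DN and password). -->
  <adminDN>CN=wildfire-bind,OU=Service Accounts,DC=rootdomain,DC=example</adminDN>
  <adminPassword>CHANGE_ME</adminPassword>
</ldap>
```

Port 3268 carries binds and searches in cleartext; the global catalog also listens on 3269 for LDAP over SSL. Check for duplicate logon names across domains before enabling forest-wide login, since the username collision raised earlier in the thread applies to a forest as well.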

Our eventual goal is to be in one forest. However, this will be a few years down the line (some political issues).

Can anyone let me know if users from two different Wildfire servers can communicate with each other?

Perhaps you should try an LDAP proxy (like OpenLDAP with ldap / meta backend) to virtually combine your ldap servers in one directory tree.

I guess the best option is for them to run a Wildfire server. If they do run a Wildfire server, would their clients (employees) be able to talk to mine?

Yes, of course. That is what s2s is for.

Thanks, I am new to this Jabber/Wildfire thing. I don’t know what s2s is but will look into that.

Caleb, what was the base DN that you specified in your wildfire.xml? We’re looking to implement Wildfire and we have 6 companies all with their own domain names, we have a rootdomain (for this call it rootdomain) and each company is a member of that root domain with trusts between them. Would we put the basedn as rootdomain? If we do that do people show up as or do they show up as ?

So I talked to one of our AD architects and it turns out that our ‘rootdomain’ isn’t really a root since then the company domains would all have instead of So that means all of our domains are really root domains. I guess we’ll have to go with multiple instances and figure out how to get server to server working. Is there any good documentation about that?

Message was edited by: winter