Openfire LDAP Authentication Query

Hi all,

I use Openfire, and authenticate around 60 users from our enterprise LDAP Server. The LDAP server has around 5,000 entries, therefore I use the searchfilter in the openfire.xml. All works fine.

But in the searchfilter, I need to filter by username (our LDAP doesn’t use any unique groupings for our user unfortunately). Among the disadvantages of this method is the fact that whenever a new user comes along, I need to add his username to the searchfilter string, and RESTART the server - not desirable whenever people are connected of course, and some who stay connected overnight.

My question - is it possible to use a local SQL database to maintain the list of users, and use LDAP only to authenticate the passwords of these users? This means I can add users to my local SQL database easily, and when the user connects, only his password will be checked against the LDAP server.

Thanks a lot

Grant

Hi guys,

Further information about this issue. Some of my users are not able to connect using their Jabber client; others have no problems. I have run a debug and can see that when the users who are having problems try to connect, every user listed in the SearchFilter box is being searched and authenticated.

So, user A connects, and I can see queries in the debug, against the LDAP, for ALL the users listed in the searchfilter. Surely there is an easier way to set this up, where the permitted users are listed in a local SQL database, but the password authentication comes from the LDAP server. Or I have set something up wrong.

Any ideas?

Thanks

Grant

Extract:

2007.09.24 10:58:07 Creating a DirContext in LdapManager.getContext()…
2007.09.24 10:58:07 Created hashtable with context values, attempting to create context…
2007.09.24 10:58:08 … context created successfully, returning.
2007.09.24 10:58:08 Ldap attribute ‘sn’=>‘Geely’
2007.09.24 10:58:08 Ldap attribute ‘uid’=>‘geelalf’
2007.09.24 10:58:08 Ldap attribute ‘mail’=>‘alfred.geely@myemail.com’
2007.09.24 10:58:08 Ldap attribute ‘givenname’=>‘Alfred’
2007.09.24 10:58:08 Getting mapped vcard for geelalf
2007.09.24 10:58:08 Returning vcard
2007.09.24 10:58:08 Trying to find a user’s DN based on their username. uid: germste, Base DN: ou=user,o=pub…
2007.09.24 10:58:08 Creating a DirContext in LdapManager.getContext()…
2007.09.24 10:58:08 Created hashtable with context values, attempting to create context…
2007.09.24 10:58:08 … context created successfully, returning.
2007.09.24 10:58:08 Starting LDAP search…
2007.09.24 10:58:08 … search finished
2007.09.24 10:58:08 Trying to find a user’s DN based on their username. uid: germste, Base DN: ou=user,o=pub…
2007.09.24 10:58:08 Creating a DirContext in LdapManager.getContext()…
2007.09.24 10:58:08 Created hashtable with context values, attempting to create context…
2007.09.24 10:58:09 … context created successfully, returning.
2007.09.24 10:58:09 Starting LDAP search…
2007.09.24 10:58:10 … search finished
2007.09.24 10:58:10 Creating a DirContext in LdapManager.getContext()…
2007.09.24 10:58:10 Created hashtable with context values, attempting to create context…
2007.09.24 10:58:10 … context created successfully, returning.
2007.09.24 10:58:10 Ldap attribute ‘sn’=>‘Germos’
2007.09.24 10:58:10 Ldap attribute ‘uid’=>‘GERMSTE’
2007.09.24 10:58:10 Ldap attribute ‘mail’=>‘Steven Germos@myemail.com
2007.09.24 10:58:10 Ldap attribute ‘givenname’=>‘Steven’
2007.09.24 10:58:10 Getting mapped vcard for germste
2007.09.24 10:58:10 Returning vcard
2007.09.24 10:58:10 Trying to find a user’s DN based on their username. uid: zaghabd, Base DN: ou=user,o=pub…
2007.09.24 10:58:10 Creating a DirContext in LdapManager.getContext()…
2007.09.24 10:58:10 Created hashtable with context values, attempting to create context…
2007.09.24 10:58:10 … context created successfully, returning.
2007.09.24 10:58:10 Starting LDAP search…
2007.09.24 10:58:11 … search finished
2007.09.24 10:58:11 Trying to find a user’s DN based on their username. uid: zaghabd, Base DN: ou=user,o=pub…
2007.09.24 10:58:11 Creating a DirContext in LdapManager.getContext()…
2007.09.24 10:58:11 Created hashtable with context values, attempting to create context…
2007.09.24 10:58:11 … context created successfully, returning.
2007.09.24 10:58:11 Starting LDAP search…
2007.09.24 10:58:12 … search finished
2007.09.24 10:58:12 Creating a DirContext in LdapManager.getContext()…
2007.09.24 10:58:12 Created hashtable with context values, attempting to create context…
2007.09.24 10:58:12 … context created successfully, returning.
2007.09.24 10:58:12 Ldap attribute ‘sn’=>‘Zaggy’
2007.09.24 10:58:12 Ldap attribute ‘uid’=>‘ZAGHABD’
2007.09.24 10:58:12 Ldap attribute ‘mail’=>‘abdullah.zaggy@myemail.com’
2007.09.24 10:58:12 Ldap attribute ‘givenname’=>‘Abdullah’
2007.09.24 10:58:12 Getting mapped vcard for zaghabd
2007.09.24 10:58:12 Returning vcard
2007.09.24 10:58:12 Trying to find a user’s DN based on their username. uid: duenser, Base DN: ou=user,o=pub…
2007.09.24 10:58:12 Creating a DirContext in LdapManager.getContext()…
2007.09.24 10:58:12 Created hashtable with context values, attempting to create context…
2007.09.24 10:58:12 … context created successfully, returning.
2007.09.24 10:58:12 Starting LDAP search…
2007.09.24 10:58:13 … search finished
2007.09.24 10:58:13 Trying to find a user’s DN based on their username. uid: duenser, Base DN: ou=user,o=pub…
2007.09.24 10:58:13 Creating a DirContext in LdapManager.getContext()…
2007.09.24 10:58:13 Created hashtable with context values, attempting to create context…
2007.09.24 10:58:13 … context created successfully, returning.
2007.09.24 10:58:13 Starting LDAP search…
2007.09.24 10:58:14 … search finished
2007.09.24 10:58:14 Creating a DirContext in LdapManager.getContext()…
2007.09.24 10:58:14 Created hashtable with context values, attempting to create context…
2007.09.24 10:58:14 … context created successfully, returning.
2007.09.24 10:58:14 Ldap attribute ‘sn’=>‘Duenart’
2007.09.24 10:58:14 Ldap attribute ‘uid’=>‘DUENSER’
2007.09.24 10:58:14 Ldap attribute ‘mail’=>‘seria.duenart@myemail.com’
2007.09.24 10:58:14 Ldap attribute ‘givenname’=>‘Seria’

rsm_ffm wrote:

My question - is it possible to use a local SQL database to maintain the list of users, and use LDAP only to authenticate the passwords of these users? This means I can add users to my local SQL database easily, and when the user connects, only his password will be checked against the LDAP server.

(the forum stripped the xml brackets from my example code; they are restored below)

I need a similar setup and after looking around, I’ve come up with a method that seems to work. I’m still trying to work out various issues, but I am connecting and authenticating.

First, set up the server as normal without LDAP. Once that was done, under Users I added an account for myself that matched my username in LDAP. Then, in my openfire.xml file, I added both admin and my username to the list. I then added the following to the file to set up the LdapAuthProvider:

<provider>
  <auth>
    <className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
  </auth>
</provider>

Finally, I added an <ldap> section that lists the configuration for my LDAP server. Mine looks something like this:

<ldap>
  <host>ldap.server.name</host>
  <port>636</port>
  <baseDN>(ldap base dn)</baseDN>
  <usernameField>uid</usernameField>
  <!-- the closing tag for this line was lost in the post; nameField is assumed -->
  <nameField>cn</nameField>
  <emailField>mail</emailField>
  <sslEnabled>true</sslEnabled>
</ldap>

The full list of configuration options can be found here:

http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/javadoc/

Now I can login with my LDAP username and password to the admin console and add additional users. I put in garbage for the password since it doesn’t get used; I’ve tested and the garbage passwords don’t work; the LDAP one does.

I think I have an easy solution for you, something that I have set up myself. The only thing you need to do is create a new group in your ldap.

Here’s what I’ve done:

In my user search filter, I set the following:

“(objectCategory=person)(objectClass=user)(memberOf=cn=IM.Enabled,ou=ExchangeUser,dc=corp,dc=internal)(!(userAccountControl:1.2.840.113556.1.4.803:=2))”

The group I created was “IM.Enabled” and I added all ldap users to it that I want to allow to use openfire. You would obviously have to play around with your memberOf string to point it to the correct location of this group in your LDAP. The setting also filters out all accounts that are not a person category or a user class, as well as any accounts that are disabled.

With this setting, you don’t need to restart openfire or make any changes to the search filter whenever you want to add in a new user. Just add that user in your ldap to the ldap group. You may need to wait for a cache to clear on openfire before it grabs an updated list from the LDAP, but that’s outside of the scope of this answer.

Additionally, you could implement nearly the same filter into your group search filter if you only wanted to have certain groups appear in openfire from ldap, and then add those groups as members of the IM.Enabled group.

Works perfectly for me. I virtually never login to the openfire admin console, I do all my administration within our ldap.
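The following is an added example, not code from the thread or from Openfire. It models the search filter posted above: the username clause is combined with the custom filter as (&(field=user)custom) (an assumption about how Openfire joins them), the substituted username is escaped per RFC 4515 so filter metacharacters in a login name cannot alter the query, and the four AD conditions (person category, user class, IM.Enabled membership, userAccountControl bit 2 clear) are evaluated against constructed entries so the effect of each clause can be seen offline.

```python
# Added example (not from the thread or Openfire). Models the posted AD search filter.
# Simplification: objectCategory is compared by its short name, not by its full DN.

ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by the 1.2.840.113556.1.4.803 rule
GROUP_DN = "cn=IM.Enabled,ou=ExchangeUser,dc=corp,dc=internal"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter (prevents filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_search_filter(username: str, username_field: str = "sAMAccountName") -> str:
    """Join the per-user clause with the custom filter; assumed form: (&(field=user)custom)."""
    custom = ("(objectCategory=person)(objectClass=user)"
              f"(memberOf={GROUP_DN})"
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2))")
    return f"(&({username_field}={escape_filter_value(username)}){custom})"


def allowed_by_filter(entry: dict) -> bool:
    """Apply the same four conditions to one directory entry (dict of attributes)."""
    groups = [g.lower() for g in entry.get("memberOf", [])]
    return (
        entry.get("objectCategory") == "person"
        and "user" in entry.get("objectClass", [])
        and GROUP_DN.lower() in groups
        and not (entry.get("userAccountControl", 0) & ACCOUNTDISABLE)
    )


# Constructed sample entries (hypothetical accounts, not real data).
SAMPLE_ENTRIES = {
    "alice": {"objectCategory": "person", "objectClass": ["top", "person", "user"],
              "memberOf": [GROUP_DN], "userAccountControl": 512},
    "bob":   {"objectCategory": "person", "objectClass": ["top", "person", "user"],
              "memberOf": [GROUP_DN], "userAccountControl": 514},  # 512 | ACCOUNTDISABLE
    "carol": {"objectCategory": "person", "objectClass": ["top", "person", "user"],
              "memberOf": [], "userAccountControl": 512},          # not in IM.Enabled
    "svc01": {"objectCategory": "computer", "objectClass": ["top", "computer"],
              "memberOf": [GROUP_DN], "userAccountControl": 4096}, # wrong category/class
}


def permitted_users(entries: dict = SAMPLE_ENTRIES) -> list:
    """Usernames that the filter would let through to Openfire."""
    return sorted(u for u, e in entries.items() if allowed_by_filter(e))


if __name__ == "__main__":
    print(build_search_filter("alice"))
    print(build_search_filter("a*b)(c"))  # metacharacters are escaped, not interpreted
    print(permitted_users())              # ['alice']
```

Only alice passes: bob is disabled, carol is not in the group, and svc01 is neither a person nor a user object.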

I have the exact same set up. It makes LDAP + Openfire integration a breeze, and plays nicely with our current Active Directory set up (meaning I don’t have to move groups or change OUs).

I have a strange issue with > 20 groups membership, but as far as the approach goes, the posted solution is perfect.

Hi guys,

Thanks a lot for your responses. Unfortunately, I work in a large company with some 6000 users, and I’m not the LDAP admin, otherwise I’d assign our users a unique group and search by that. However, we did manage to get around the problem by editing the openfire.xml to grab the users from a local database (which we already had set up for the same group of users for access to other online tools), using the <jdbcUserProvider> as outlined in the Custom Database Integration Guide on this site.

It is a lot quicker now, and basically it has achieved what I want - a local database of users who are authenticating their passwords against our LDAP server.

Thanks

Grant