Openfire multiple domain question revisit

I have read the posts on multiple domains, but most of them are a few years old. What is the current status on one Openfire server viewing multiple domains?

I currently have two domains and would like to have users on both domains communicate with each other via Spark. What are the possible solutions for domain.com and domain.net (which trust each other) to communicate on one LAN?

Thank you for any advice or experience on this.

I'm hoping for either Openfire to support multiple domains now, AD LDS instructions/configuration, or multiple Openfire servers talking to each other.

Michael

Are the domains in the same forest? If so, you might be able to make your base DN the root of the forest, connecting to the global catalog server port. A potential issue might be having users with the same username in both domains (jdoe@domain.com and jdoe@domain.net). You might have to change your mappings a bit to use something other than the sAMAccountName.

I've been meaning to create a lab to test some of this, along with forest-to-forest trust. I just haven't been able to get around to it.

I think the quickest way would be to set up two different servers, one for each domain, and then set up s2s between the two.
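Added example (editor's, not from any poster in the thread): a pre-check for the workaround described above, i.e. pointing Openfire's LDAP base DN at the forest root over the Global Catalog port (3268, or 3269 over LDAPS) and choosing a username attribute that is unique across the whole forest. The directory entries below are constructed; in a real check they would come from an LDAP search against the GC. The JID escaping at the end follows XEP-0106, which is the escaping Openfire's LDAP user provider applies when a username such as jdoe@domain.com (userPrincipalName) has to be carried in a JID node.

```python
"""Pre-check for a forest-wide Openfire LDAP setup.

Given user entries as a Global Catalog search would return them, report which
candidate username attributes collide or are missing, pick the first usable
one, and show the resulting XEP-0106-escaped JID.  Constructed data only.
"""
from collections import defaultdict

# Constructed sample of forest-wide user entries (not real directory data).
GC_ENTRIES = [
    {"dn": "CN=John Doe,OU=Users,DC=domain,DC=com",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@domain.com",
     "mail": "john.doe@domain.com"},
    {"dn": "CN=Jane Doe,OU=Users,DC=domain,DC=net",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@domain.net",
     "mail": "jane.doe@domain.net"},
    {"dn": "CN=Svc Backup,OU=Service,DC=domain,DC=net",
     "sAMAccountName": "svc-backup", "userPrincipalName": "svc-backup@domain.net",
     "mail": None},
]


def find_collisions(entries, attr):
    """Return {value: [dn, ...]} for every value of attr shared by more than one entry."""
    seen = defaultdict(list)
    for e in entries:
        value = e.get(attr)
        if value:
            seen[value.lower()].append(e["dn"])  # AD compares these attributes case-insensitively
    return {v: dns for v, dns in seen.items() if len(dns) > 1}


def find_missing(entries, attr):
    """DNs of entries with no value for attr; those users could never log in with it."""
    return [e["dn"] for e in entries if not e.get(attr)]


def usable_username_field(entries, candidates=("sAMAccountName", "userPrincipalName", "mail")):
    """First candidate attribute that is present on every entry and unique forest-wide.

    The returned name is what would go into Openfire's ldap.usernameField property.
    """
    for attr in candidates:
        if not find_collisions(entries, attr) and not find_missing(entries, attr):
            return attr
    return None


# XEP-0106 node escaping.  '\' itself is escaped only when it would otherwise
# form one of the escape sequences, as the XEP requires.
_ESCAPES = {" ": "\\20", '"': "\\22", "&": "\\26", "'": "\\27", "/": "\\2f",
            ":": "\\3a", "<": "\\3c", ">": "\\3e", "@": "\\40"}
_ESCAPE_CODES = {"20", "22", "26", "27", "2f", "3a", "3c", "3e", "40", "5c"}


def escape_node(username):
    out = []
    for i, ch in enumerate(username):
        if ch == "\\" and username[i + 1:i + 3].lower() in _ESCAPE_CODES:
            out.append("\\5c")
        else:
            out.append(_ESCAPES.get(ch, ch))
    return "".join(out)


def jid_for(username, xmpp_domain):
    """Bare JID a user gets when `username` is the LDAP username field value."""
    return f"{escape_node(username)}@{xmpp_domain}"


if __name__ == "__main__":
    print("sAMAccountName collisions:", find_collisions(GC_ENTRIES, "sAMAccountName"))
    print("usable ldap.usernameField:", usable_username_field(GC_ENTRIES))
    # The hypothetical XMPP domain chat.domain.com is an assumption for illustration.
    print("JID:", jid_for("jdoe@domain.com", "chat.domain.com"))
```

Running it on the constructed entries shows the jdoe collision on sAMAccountName, no collision on userPrincipalName, and a JID of the form jdoe\40domain.com@chat.domain.com once UPN is used; the mail attribute is rejected because the service account has none.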

I have the same configuration: two domains with trust relations, an ADAM instance, one Openfire server. The production installation was performed by my colleague. If you need step-by-step instructions, I can post them here.

The issue with the same samAccountName is really present.

Just to clarify, those older posts are still valid. There is no official multi-domain support in Openfire. And it is not planned. It is a complex task for the limited development resources here.

S2S sounds like a better solution for this, but just on paper. One may run into various problems with it. So the already mentioned workaround (with the same account name issue) seems like the only viable option.

Step, if you are able to post that, it would be great to see the configuration you have running for two domains and one Openfire server.

Thank you

Michael

Hi Step, we’re also using a two way forest trust here - could you tell me what version of ADAM / AD LDS works for you?

I’m also very keen to know if that setup works with SSO or not using kerberos.

I have created two servers. Server A queries Domain 1 and server B queries Domain 2. I have added each server to the Server to Server settings, tested telnet to 5269, and DNS resolves the server names.

I'm using Spark 2.7.1 and I have added users from both domains to a group that is in domain 1. The user that is in domain 2 is showing the following under Groups on the domain 1 server manager: (* Note: Remote users or entities should accept presence subscriptions automatically.)

The search function via Spark does not show users from the other domain; when I try to add search.domain.com to the search service it tells me “unable to contact search service”.

Any advice on these errors or other testing methods for server to server would be greatly appreciated.

Thank you

Michael
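Added example (editor's, not from any poster): one step past the telnet test mentioned above. Telnet only proves the TCP port answers; an s2s link also needs the remote server to accept a jabber:server stream for the domain name you send and to offer dialback and/or STARTTLS. The probe() function does the network I/O; everything else runs offline on the two constructed responses, one healthy and one where the remote does not serve the requested domain (host-unknown stream error). Host names and the stream id are assumptions for illustration.

```python
"""Minimal XMPP s2s stream probe (RFC 6120 §4.7 stream header, XEP-0220 dialback).

build_stream_header() produces what the originating server sends;
parse_stream_response() reads the remote's opening tag and <stream:features/>.
"""
import socket
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_DIALBACK = "urn:xmpp:features:dialback"
MAX_BYTES = 64 * 1024  # cap what we are willing to parse from an untrusted peer


def build_stream_header(local_domain, remote_domain):
    """Opening bytes of an s2s stream from local_domain to remote_domain."""
    return (
        "<?xml version='1.0'?>"
        "<stream:stream xmlns='jabber:server' "
        "xmlns:stream='http://etherx.jabber.org/streams' "
        "xmlns:db='jabber:server:dialback' "
        f"from='{local_domain}' to='{remote_domain}' version='1.0'>"
    ).encode()


def parse_stream_response(data):
    """Summarise the remote's reply: stream attributes, offered features, or a stream error.

    The remote never closes <stream:stream> until the session ends, so a healthy
    reply is an unterminated document; a closing tag is appended to parse it.
    A stream error arrives already closed, so nothing is appended then.
    """
    data = data[:MAX_BYTES]
    payload = data if b"</stream:stream>" in data else data + b"</stream:stream>"
    try:
        root = ET.fromstring(payload)  # expat does not fetch external entities
    except ET.ParseError as exc:
        return {"ok": False, "error": f"unparseable response: {exc}"}
    if root.tag != f"{{{NS_STREAM}}}stream":
        return {"ok": False, "error": f"unexpected root element {root.tag}"}
    result = {"ok": True, "from": root.get("from"), "id": root.get("id"),
              "version": root.get("version"), "starttls": False,
              "dialback": False, "stream_error": None}
    err = root.find(f"{{{NS_STREAM}}}error")
    if err is not None:
        cond = next(iter(err), None)
        result["ok"] = False
        result["stream_error"] = cond.tag.split("}")[-1] if cond is not None else "unknown"
        return result
    feats = root.find(f"{{{NS_STREAM}}}features")
    if feats is not None:
        result["starttls"] = feats.find(f"{{{NS_TLS}}}starttls") is not None
        result["dialback"] = feats.find(f"{{{NS_DIALBACK}}}dialback") is not None
    return result


def probe(host, local_domain, remote_domain, port=5269, timeout=5.0):
    """Connect to host:port, send the stream header, and parse what comes back (network I/O)."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_stream_header(local_domain, remote_domain))
        while len(buf) < MAX_BYTES:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
            if b"</stream:features>" in buf or b"</stream:stream>" in buf:
                break
    return parse_stream_response(buf)


# Constructed responses (not captured from a real server).
RESPONSE_OK = (
    b"<?xml version='1.0' encoding='UTF-8'?>"
    b"<stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:server' "
    b"xmlns:db='jabber:server:dialback' from='domain2.com' id='abc123' version='1.0'>"
    b"<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    b"<dialback xmlns='urn:xmpp:features:dialback'/></stream:features>"
)
RESPONSE_HOST_UNKNOWN = (
    b"<?xml version='1.0'?>"
    b"<stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:server' version='1.0'>"
    b"<stream:error><host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error>"
    b"</stream:stream>"
)

if __name__ == "__main__":
    print(parse_stream_response(RESPONSE_OK))
    print(parse_stream_response(RESPONSE_HOST_UNKNOWN))
    # Against a live server (hypothetical names): probe("xmpp1.domain2.com", "domain1.com", "domain2.com")
```

A host-unknown answer from a server that telnet reaches fine means the `to` domain you sent is not one that server thinks it hosts, which is the kind of mismatch a raw port test never reveals.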

Updated: server 2 server setup for multi domain

With my current configuration I am not able to search using Spark's “search.dserve.net” (I get the error “unable to contact search service”). From a user that is using Spark and connected to domain 1, I can add a contact from domain 2 by typing the user's JID (e.g. name@server.domain1.com).

At this point the issue is having domain 1 users search users on domain 2 and vice versa via Spark, and seeing users in groups cross-domain.

Michael,

Do you have your SRV records (DNS) set up for each server?

I used a CNAME and that worked, but I would rather set up the SRV record.

What port does the search service use? I do not see that information on the search plugin page.

Any advice on this would be helpful.

thank you

Michael

I'm not sure if it will work or not, but the SRV records are used for s2s services. You may need to add the client SRV records too.

You'll need to create records that look a little something like this:

_xmpp-server._tcp.domain1.com 5269 fqdn

_xmpp-server._tcp.domain2.com 5269 fqdn

_xmpp-client._tcp.domain1.com 5222 fqdn

_xmpp-client._tcp.domain2.com 5222 fqdn

I have created the SRV records you suggest, but I don't see any change in behavior. The search and conference rooms still don't connect. I still need to add a CNAME for search.server.domain.com and conference.server.domain.com. Should the XMPP SRV records be taking the place of the CNAMEs? Am I not understanding what the XMPP SRV entries should be doing?

The XMPP SRV records seem to work if I am using Pidgin, but that only helps for logging in.

I ran nslookup -querytype=SRV _xmpp-client._tcp.domain1.com and the result shows this is configured correctly.

Would it have anything to do with the kind of client I am using (Spark)?

Any update on this would be much appreciated.

I am hoping to have a way to create SRV records rather than a CNAME for the search and conference services. I'm just wondering if I am setting this up with best-practice procedures.

thank you

Michael
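Added example (editor's, not from any poster): what the `_xmpp-server` / `_xmpp-client` SRV records suggested earlier in the thread actually do, and why the CNAMEs for search.* and conference.* in the post above keep working alongside them. Per RFC 6120 §3.2 a server looks up `_xmpp-server._tcp.<domain>` (a client looks up `_xmpp-client._tcp.<domain>`), orders the answers by priority and weighted random choice (RFC 2782), and, when no SRV record exists for that domain, falls back to the domain's own A/AAAA (or CNAME) record on the default port; Openfire's s2s resolver applies the same fallback. The zone below is constructed to mirror the records in the thread, with host names and addresses as assumptions; nothing here queries real DNS.

```python
"""XMPP service resolution (RFC 6120 §3.2 + RFC 2782) over a constructed zone."""
import random

# Constructed zone.  In BIND zone-file form the first entries would read:
#   _xmpp-server._tcp.domain1.com. IN SRV 0 5 5269 xmpp1.domain1.com.
#   _xmpp-client._tcp.domain1.com. IN SRV 0 5 5222 xmpp1.domain1.com.
#   search.domain1.com.            IN CNAME xmpp1.domain1.com.
ZONE = {
    "_xmpp-server._tcp.domain1.com": [
        {"type": "SRV", "priority": 0, "weight": 5, "port": 5269, "target": "xmpp1.domain1.com"},
        {"type": "SRV", "priority": 10, "weight": 0, "port": 5269, "target": "xmpp-backup.domain1.com"},
    ],
    "_xmpp-client._tcp.domain1.com": [
        {"type": "SRV", "priority": 0, "weight": 5, "port": 5222, "target": "xmpp1.domain1.com"},
    ],
    "_xmpp-server._tcp.domain2.com": [
        {"type": "SRV", "priority": 0, "weight": 5, "port": 5269, "target": "xmpp1.domain2.com"},
    ],
    # Component subdomains with no SRV record of their own, only a CNAME.
    "search.domain1.com": [{"type": "CNAME", "target": "xmpp1.domain1.com"}],
    "conference.domain1.com": [{"type": "CNAME", "target": "xmpp1.domain1.com"}],
    "xmpp1.domain1.com": [{"type": "A", "address": "10.0.1.10"}],
    "xmpp-backup.domain1.com": [{"type": "A", "address": "10.0.1.11"}],
    "xmpp1.domain2.com": [{"type": "A", "address": "10.0.2.10"}],
}

DEFAULT_PORT = {"server": 5269, "client": 5222}


def lookup(name, rtype):
    return [r for r in ZONE.get(name.lower().rstrip("."), []) if r["type"] == rtype]


def resolve_address(name, depth=0):
    """Follow CNAMEs (bounded, so a CNAME loop cannot recurse forever) to an A record."""
    if depth > 8:
        return None
    a = lookup(name, "A")
    if a:
        return a[0]["address"]
    cname = lookup(name, "CNAME")
    return resolve_address(cname[0]["target"], depth + 1) if cname else None


def order_srv(records, rng=random):
    """RFC 2782 ordering: ascending priority; within a priority, weighted random selection."""
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        # Zero-weight records go first in the pool so they are chosen only when nothing else can be.
        pool = sorted((r for r in records if r["priority"] == prio), key=lambda r: r["weight"] != 0)
        while pool:
            total = sum(r["weight"] for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in pool:
                running += r["weight"]
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def resolve_xmpp(domain, role="server", rng=random):
    """Return [(host, port, ip), ...] to try in order when connecting to `domain` as server or client."""
    srv = lookup(f"_xmpp-{role}._tcp.{domain}", "SRV")
    if srv:
        if len(srv) == 1 and srv[0]["target"] == ".":
            return []  # RFC 2782: a lone '.' target means the service is explicitly not offered
        return [(r["target"], r["port"], resolve_address(r["target"])) for r in order_srv(srv, rng)]
    # No SRV record: fall back to the domain name itself on the default port.
    # This is the path a CNAME-only search.domain1.com takes for s2s.
    ip = resolve_address(domain)
    return [(domain, DEFAULT_PORT[role], ip)] if ip else []


if __name__ == "__main__":
    for name, role in [("domain1.com", "server"), ("domain1.com", "client"),
                       ("search.domain1.com", "server"), ("nowhere.example", "server")]:
        print(f"{role:6} {name:22} -> {resolve_xmpp(name, role)}")
```

The two record kinds serve different callers: a remote Openfire uses only the `_xmpp-server` entry (and must be able to resolve every domain it is asked to reach, components included, either by SRV or by the fallback), while Spark and Pidgin use only the `_xmpp-client` entry when logging in, which is why fixing client SRV records changes nothing about s2s.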

Michael,

Honestly, I don't really know the answer to your questions, as I use a single domain and server. I would just make sure your SRV records are correct, and make sure you have one for server and client. From your example, your SRV record might look more like _xmpp-client._tcp.server.domain.com with a target of the FQDN of the server. Maybe someone else can offer more assistance, but I would think the SRV record vs. CNAME would be preferred, but you gotta do what works.