Read Only LDAP + Database possible?

peter5 · May 27, 2008, 10:49am

Hi folks

I’m new on Openfire so i hope this is not a stupid question.

We are trying to set up an Jabber Server in our University. The authentication should go throw our campus LDAP Server.

Because we are just allowed to read but not to write I want to ask if it is possible to store all other information in an second LDAP or database.

Is there any howto available ?

NO_MESSAGES_OR_FRIEN · May 27, 2008, 11:07am

I am not sure i understand. This is how openfire works in an LDAP config:

Users and groups are pulled from LDAP. This is a read only function. The users cannot change their data.

Setting particular to the openfire server are stored in a database (embedded or external such as MySQL). These settings will include shared groups, user avatars, Multiuser chat rooms, etc

LG1 · May 27, 2008, 8:06pm

Hi,

you may want to install Openfire one time and run the setup process.

There you need to specify a database for storage and you can specify an LDAP read-only authentication provider.

So what you want is possible and supported.

There may be still some issues with vCards, one can or could not modify and store them in previous versions.

LG

peter5 · May 28, 2008, 10:34am

The problem is that we don’t have the possibility to add new items to the LDAP.

This means we cant create groups, vcards or anything else. (not limited by the way openfire use the ldap but by the security policy’s of our university.)

On the other hand we need to get the login information from this server because we a not allowed to export the password hashes to another ldap.

Because of this we need to store any information except username and password in an seperate database or ldap.

NO_MESSAGES_OR_FRIEN · May 28, 2008, 11:09am

WHat type of information is in your LDAP server. The standard fields should be there. I would also think that more than a few of those fields would be filled in. You need to try an install of Openfire configured for LDAP to see what it pulls. Openfire is read-only when it comes to LDAP so no changes would ever be made to your LDAP server by Openfire.

thalunil · May 28, 2008, 2:40pm

The issue “derpeter” has, is about having the LDAP service only for the authentication purpose, not for retrieving group associations.

The LDAP service is not under our domain, hence we cannot use it for the storage of groups. We can only verify the user credentials.

Can we store the group associations and other stuff (pic, vcard) in the sql backend?