Restricting users to local contacts?

Hi,

We’re currently running a Wildfire server using LDAP on our network in conjunction with Pandion. We’d like to make it so that users can only add users to their contact list which exist on our local server, not any external Jabber servers. How would I go about doing this? I’m unsure of the architecture so I’m not clear on how Pandion/Wildfire communicate and how adding users is processed. Would this need to be done via a Wildfire plugin or is it something that would have to be done client side on Pandion?

Hi Jon,

I’ve actually been working on a plugin that allows Wildfire administrators to intercept and automatically reject or accept subscription requests. Here’s a snippet from the documentation:

Configuration

The subscription plugin is configured via Subscription Properties sidebar item which can be found under the Server tab in Wildfire Admin Console. The subscription plugin can be configured in one of three ways:

  • Disabled (Default setting) - Subscription requests will not be intercepted.

  • Accept - Subscription requests will be intercepted and accepted.

      • Local - Only subscription requests sent by users who have an account on the Wildfire server on which the plugin is installed, will be intercepted and accepted.

      • All - All subscription requests, regardless of which server the user account resides on, will be intercepted and accepted. Selecting this level will make Wildfire vulnerable to spIM*.

  • Reject - Subscription requests will be intercepted and rejected.

      • Local - Only subscription requests sent by users who do not have an account on the Wildfire server on which the plugin is installed, will be intercepted and rejected.

      • All - All subscription requests, regardless of which server the user account resides on, will be intercepted and rejected.

* spIM is unsolicited messages sent via an instant messaging system; similar in nature to email SPAM.

If you think this plugin might help you and would like to test it out let me know.

Thanks,

Ryan

Should you not just disallow server-to-server connections? That would prevent them from being able to add contacts or communicate with anyone outside as long as they were logged into your local server. You could also, presumably, stop outgoing Jabber connections at the firewall…

Timothy Collett

Should you not just disallow server-to-server connections?

Good idea. If Jon wants to disallow all outside communication going that route makes the most sense.

One of the ideas behind the plugin was to prevent users from adding any additional “outside” contacts beyond what they may already have setup. So in a sense I wanted to add some additional granularity to the whitelisting that can be done with s2s communication. I suppose at some point I could add the ability to whitelist on a per user or possibly group basis…

Cheers,

Ryan

Well we don’t want a blanket ban - some users will be allowed to add external users. Also blocking it at the firewall wouldn’t really provide any feedback to the user as to why they cannot add a contact…

I’m thinking a possible way to go would be to set up a PacketInterceptor plugin that reads the JIDs of packets, and blocking any which do not contain the domain of our local server if that user does not have permission. Would this work?

Hi Jon,

Yes, that would work. If you’d like to use the source to the subscription plugin as a starting point, let me know.

Cheers,

Ryan
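The PacketInterceptor approach discussed in the two posts above, written out as an added example (not code from this thread and not Ryan's subscription plugin). It assumes the Wildfire 3.x package names (`org.jivesoftware.wildfire`); the class name `LocalContactsPlugin` and the property `plugin.localcontacts.allowed` are hypothetical. It compares the parsed JID domain for equality rather than checking whether the JID "contains" the local domain, since a substring test would also accept addresses such as user@example.com.other.net.

```java
import java.io.File;
import java.util.*;
import org.dom4j.Element;
import org.jivesoftware.util.JiveGlobals;
import org.jivesoftware.wildfire.Session;
import org.jivesoftware.wildfire.XMPPServer;
import org.jivesoftware.wildfire.container.*;
import org.jivesoftware.wildfire.interceptor.*;
import org.xmpp.packet.*;

public class LocalContactsPlugin implements Plugin, PacketInterceptor {
    // Hypothetical property: comma-separated usernames (lower case) allowed external contacts.
    private static final String ALLOWED = "plugin.localcontacts.allowed";
    public void initializePlugin(PluginManager manager, File pluginDirectory) {
        InterceptorManager.getInstance().addInterceptor(this);
    }
    public void destroyPlugin() {
        InterceptorManager.getInstance().removeInterceptor(this);
    }
    public void interceptPacket(Packet packet, Session session, boolean incoming,
                                boolean processed) throws PacketRejectedException {
        if (!incoming || processed || session == null) return; // act once, on arrival
        JID from = packet.getFrom() != null ? packet.getFrom() : session.getAddress();
        String domain = XMPPServer.getInstance().getServerInfo().getName();
        // Only police our own users; compare the parsed domain, never a substring.
        if (from == null || from.getNode() == null || !domain.equalsIgnoreCase(from.getDomain())) return;
        String allowed = JiveGlobals.getProperty(ALLOWED, "");
        if (Arrays.asList(allowed.trim().split("\\s*,\\s*")).contains(from.getNode())) return;
        if (packet instanceof Presence) { // subscription request to a contact
            if (((Presence) packet).getType() != Presence.Type.subscribe) return;
            check(packet.getTo() == null ? null : packet.getTo().toString(), domain);
        } else if (packet instanceof IQ && ((IQ) packet).getType() == IQ.Type.set) {
            Element query = ((IQ) packet).getChildElement(); // roster add or update
            if (query == null || !"jabber:iq:roster".equals(query.getNamespaceURI())) return;
            for (Iterator i = query.elementIterator("item"); i.hasNext();) {
                Element item = (Element) i.next();
                if (!"remove".equals(item.attributeValue("subscription"))) // removals stay allowed
                    check(item.attributeValue("jid"), domain);
            }
        }
    }
    private void check(String contact, String domain) throws PacketRejectedException {
        try {
            if (contact != null && domain.equalsIgnoreCase(new JID(contact).getDomain())) return;
        } catch (IllegalArgumentException malformed) { /* unparseable JID: reject below */ }
        PacketRejectedException e = new PacketRejectedException("External contact: " + contact);
        e.setRejectionMessage("You are not permitted to add contacts outside " + domain + ".");
        throw e;
    }
}
```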

I’m thinking a possible way to go would be to set up a PacketInterceptor plugin that reads the JIDs of packets, and blocking any which do not contain the domain of our local server if that user does not have permission. Would this work?

That’s exactly the same type of plugin that I am looking for - did you manage to get it working?

Ryan:

When do I get this plugin???

The subscription plugin is configured via Subscription Properties sidebar item which can be found under the Server tab in Wildfire Admin Console. The subscription plugin can be configured in one of three ways:

If you think this plugin might help you and would like to test it out let me know.

Of course this plugin is just all I need!!!

Regards

Madeleine

Hi Madeleine,

I’ve emailed the plugin to the address listed in your profile. I’ve been waiting on feedback from people who have been using the beta of this plugin before officially releasing it and so far I haven’t heard anything.

Try it out and let me know how it works for you.

Thanks,

Ryan