Hello, Openfire 3.5.2 / LDAP Active Directory, Spark 2.5.8
I have the attribute set in openfire.xml to pull the avatars from AD, and the system property ldap.override.avatar is “true”. Contacts’ avatars show up correctly, but if the contact wishes to change it - they can’t, instead an error is returned “Server does not support VCards. Unable to save your VCard” However if the contact doesn’t have a photo in AD, so the thumbnailPhoto attribute is blank - they are able to upload a new avatar, change it etc.
Is this the correct behaviour? Could the permissions of the Openfire LDAP service account be causing it - at the moment that account just has read permissions to AD…
Ideas appreciated,
Cheers, Nick
There is no support in OpenFire for writing vCards to LDAP. This includes the avatar. There is a special-case for avatars though, where they can be stored to the database backend used by OpenFire. However, this only applies to cases where LDAP is missing the picture entirely; it does not allow the user to override the picture from LDAP.
Hope this helps.
Hawke is absolutly correct. If you are using Photos from LDAP I would would be better off turning off the LDAP override. That way you avoid the user posting unwanted photos to their openfire account.
Thanks guys, it was just clarification of that point I was after. For the Openfire pilot, I uploaded a load of peoples’ photos to AD, just to grab the users’ attention when they logged in. Now of course, they all want to change them…
What tool did you use to set the jpegPhoto attributes in AD?
If you want to allow them to change their pictures, it should be simple enough to simply remove that attribute for the users that want to do so.
I used DameWare Utilities AD browser - the users have an additional “picture” tab that allows you to upload a pic to AD - the attribute. I just edited openfire.xml to look at that attribute and bingo. Users that have complained that they don’t like the photo - I will just remove it from AD as you say and let them upload their own to Openfire.
Very nice tool to use but you could put the power into their hands with a different tool. I use Directory Update: http://www.directory-update.com/ This will allow users to edit their own AD profile based on what fields youe allow them to have access to ( Just photo or any or all profile fields).
You know what - we already use that tool! I even implemented it myself - obviously can’t see the wood for the trees at the moment. Yes that is a very good option - at the moment we don’t have the photo as an editable field in Directory Update, but I can easily change that.
However I think in my case it’s not really a problem - only my department has photos in AD and that’s because I uploaded them. When we rollout to everyone else, there will be no issue - I just wanted to confirm this is how it should work, I’m happy with the explanation.
Cheers
What did you have to do in openfire.xml? I know how to map existing attributes, but I (for one) don’t have a PHOTO attribute in my vcard template. Can you post that snippet of the vcard template with a couple of lines of context? Thanks!
Sure, here’s the snippet…
<vCard xmlns=“vcard-temp”>
<N>
<GIVEN></GIVEN>
<FAMILY></FAMILY>
</N>
<EMAIL>
<INTERNET/>
<USERID></USERID>
</EMAIL>
<FN></FN> <NICKNAME></NICKNAME>
<PHOTO>
<TYPE>image/jpeg</TYPE>
<BINVAL></BINVAL>
</PHOTO>
<ADR>
<HOME/>
<STREET></STREET>
<PCODE></PCODE>
<CTRY></CTRY>
</ADR>
etc etc…