powered by Jive Software

Use of another "server" name for login than real xmpp server

Hello,

First of all, I use Openfire with the Jive integration with users being in Jive so far. As we plan to migrate the user to AD and as we will use the UPN for authentication, we found a few issues with the Openfire integration.

Indeed, to authentificate our users accross the forest, we have to use the UPN (ie login@country.company.org), which looks not compatible with Openfire login format which is login@openfire-server.com

Is there a way to consider the @country.company.org as a simple information to use it for login but use the openfire-server.com as server for the connection ? I would like to do the same as I do for gtalk : you will use your gmail adress as login but use talk.google.com as server name for the connection.

Is it an openfire/jabber limitation or due to the jive connector plugin ? Jive support is not very clear on that and I would appreciate your feedback.

Thanks,

Nicolas

Have you tried to use a DNS alias?

I am by no means an expert but we successfully use AD integration via LDAP and have a different XMPP domain than the server we actually connect to. They are really seperate issues. You can have an XMPP domain of “mybiz.com” so that users will have a jabber id with something like "user@mybiz.com" but mybiz.com doesn’t actually resolve using DNS to your openfire server (most likely it resolves to a web server holding your website). You can accomplish this using SRV records in the DNS server for your “mybiz.com” domain. For example, let’s assume that the IP address of your openfire server is 1.1.1.1, you could make an (A) record in your DNS server for somethign like “jabber.mybiz.com” and point it to 1.1.1.1. Then you would need to make (at least these two) SRV (service) records:

Service/Protocol/Domain *
TTL
Class
**Type
**
Priority
Weight
Port
Target *
_xmpp-client._tcp.mybiz.com.
86400
IN
SRV
5
0
5222
jabber.mybiz.com.
_xmpp-server._tcp.mybiz.com.
86400
IN
SRV
5
0
5269
jabber.mybiz.com.

  • the trailing periods are intentional and required

If you’ve done that correctly now your users will be able to connect to “mybiz.com” as the server and it will know to actually connect to “jabber.mybiz.com”. Depending on which XMPP client you’re using you may have to specifiy the server or you may just enter the full jabber id. I believe spark makes you enter the username and server seperately but you will still only have to enter “mybiz.com” and not “jabber.mybiz.com” and the client will check and understand the SRV records and connect to the correct server.

Now, in regards to your second issue which, if I understand it correctly, is that your having trouble with getting your AD integration working. First, let me tell you that in our implimentation openfire thinks of its users without the XMPP domain in them. That means that a user named “john” will attempt to be authenticated as “john” even though his full jabber id may be "john@mybiz.com". Here is how we accomplish this.

I just used the setup wizard to setup active directory but the trick where I’ve seen lots of people mess up is understand how to tell openfire where to find it’s users in AD. If you have a complex AD tree with users in multiple OU’s then you will have to ask someone more knowledgable than I but for what we do it works perfectly. Make sure you have a correct LDAP path (and password) for an admin account (an account that browse the AD structure), something like this:

CN=“Adminuser”,OU=“Users”,DC=“mybiz”,DC=“local”

You also need a proper path to be able to tell openfire where to find it’s list of all the users, something like this:

OU=“Users”,DC=“mybiz”,DC=“local”

When done correctly it works perfectly, as proof of this I would cite one instance of openfire I’m using for a part of our company which is a very simple setup but seems to be exactly what you’re looking for.

This was a small office so I didn’t even bother to setup the SRV records for them so all their users open spart and put in credentials that look like this:

Username: john

Password: ****

Server: office.mybiz.com

The XMPP domain for the openfire server is “office.mybiz.com” so the users all have jabber id’s that look like "john@office.mybiz.com". However, we use AD integration and the AD domain is neither “office.mybiz.com” nor is it “mybiz.com” it is actually “mybiz.local”. The server see’s all the users in AD and anyone with an AD account can login to spark using the same username (e.g. “john”) and password that they use for the network.

I hope at least some of that was helpful.

Darren

Thanks a lot, it’s exactly what I had in mind for the “DNS aliasing” ; I forgot the existence of those xmpp special directive for DNS.

Will test it and see how far can I go with my AD integration through Jive also.

All the best,

Nicolas

Hi Darren,

I did this setup but my problem is, it takes for an hour to propagate my manually added Host(A) and SRV Records which is jabber.example.local. Is there an option in DNS Server to push/force for SRV Records to update at startup?

I have my thread in here, hopefully someone can give/suggest what I need to do.

Thank you,

-kikigak

Hi,

Here’s a quick little howto when I setup this.

Hope it helps to someone.

-kikigak