Users from multiple AD Servers?

I have a single OpenFire server that I'm trying to get to allow authentication to multiple AD servers that are, between themselves, trusted domains. What is the best way to do this?

The particulars: OF is running on Ubuntu 8.04 and presently authenticating to our local (Alpha) domain server. We also want to allow some of our Indiana users to use OF. They are also in the Alpha domain, and I can see them when I look at the AD server directly, but when I look at the OF user tab I cannot find any of the Indiana users, and when the Spark client is installed they won't authenticate. Is there something I'm missing? I was thinking that since they were all on the same domain this should be a non-issue.

OK, sorry, expanding this a little bit: the group that presently has access is an OU (call it Red) on alpha.company.com. We want to grant access to a second OU (Green) on alpha.company.com without granting all of alpha.company.com or company.com access. Can you somehow allow multiple OUs without allowing the whole DC, either via a semicolon or something in the base DN?

Sounds like a baseDN issue. Your Openfire server is configured to look at a baseDN that is too narrow a scope to include the other users.

Sorry, we must have been typing at the same time (see my clarification). I understand the scope is presently too narrow, but without allowing multiple OUs I can't expand the scope without going from ~200 users to about 20,000, which I obviously don't want to do on a single server.

Unfortunately, MS does not allow OU LDAP filtering; it must be at the CN level. This means you would need to open your scope and filter by groups. I would create new groups specifically for the chat server with a common prefix (i.e. chatgroup1, chatgroup2). You can then filter based on the groups and their members.

OK, then on a side note: how/are the users stored on the OF server? This is a rather underpowered machine with 512 MB RAM, 172 MB Java memory. I'm afraid that if I open up the user settings I'll flood the box out. Is this a valid concern, or does it look up in real time, so that the number of users it will be hitting does not really matter?

I would increase the RAM just to be safe. I use MySQL on Windows to store my data. The database is really small at this point, but we do not log conversations. The users are stored in the database, but the authentication is real-time for the password. When I started using the product, I had it on a desktop PC. My test server is still on an old Dell Optiplex GX260, but with 2 GB of RAM.

One thing you could look at is to employ an ADAM instance, and use a group to authorize users to the Openfire server. Then set your LDAP filter for only those sAMAccountNames that are members of that group. This gives you a flat tree that contains all of your user names; you could set up a broad base DN and still only have those that are authorized to use the server. It will add a small overhead to administration, as authorized users will need to be added to the group, but it will solve your problem of all users being able to use it, or being visible.

my 2 cents.

Here is a sample users filter:

<searchFilter><![CDATA[(&(objectClass=organizationalPerson)(|(memberOf=cn=ChatGroup1,ou=accounts,dc=domain,dc=com)(memberOf=cn=ChatGroup2,ou=SecondaryAccounts,dc=domain,dc=com)))]]></searchFilter>

Here is a group filter to go with this prefixed groups structure:

<groupSearchFilter><![CDATA[(&(objectClass=group)(cn=ChatGroup*))]]></groupSearchFilter>

Hope that helps.
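As an added example (not from this thread or from Openfire itself), the Python script below evaluates the two filters above against a small constructed directory, to show why a broad base DN combined with a memberOf filter returns only the chat users and the ChatGroup* groups rather than the whole domain. The parser covers only the filter subset the thread uses (AND/OR, equality, a trailing wildcard) and does not unescape values; the directory entries, DNs and group names are assumptions.

```python
import fnmatch

# Constructed sample directory under a broad base DN (dc=domain,dc=com): the entries
# span several OUs, but only the ChatGroup* members should be visible to Openfire.
PERSON = ["organizationalPerson"]
DIRECTORY = [
    {"dn": "cn=alice,ou=Red,dc=domain,dc=com", "objectClass": PERSON,
     "memberOf": ["cn=ChatGroup1,ou=accounts,dc=domain,dc=com"]},
    {"dn": "cn=bob,ou=Green,dc=domain,dc=com", "objectClass": PERSON,
     "memberOf": ["cn=ChatGroup2,ou=SecondaryAccounts,dc=domain,dc=com"]},
    {"dn": "cn=carol,ou=Indiana,dc=domain,dc=com", "objectClass": PERSON,
     "memberOf": ["cn=Sales,ou=accounts,dc=domain,dc=com"]},
    {"dn": "cn=ChatGroup1,ou=accounts,dc=domain,dc=com", "objectClass": ["group"], "cn": ["ChatGroup1"]},
    {"dn": "cn=Finance,ou=accounts,dc=domain,dc=com", "objectClass": ["group"], "cn": ["Finance"]},
]
# The two filters from the thread, without their XML wrappers.
USER_FILTER = ("(&(objectClass=organizationalPerson)"
               "(|(memberOf=cn=ChatGroup1,ou=accounts,dc=domain,dc=com)"
               "(memberOf=cn=ChatGroup2,ou=SecondaryAccounts,dc=domain,dc=com)))")
GROUP_FILTER = "(&(objectClass=group)(cn=ChatGroup*))"

def parse(s, i=0):
    """Parse the RFC 4515 subset used above: & and | compounds, attr=value, '*' wildcard."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        assert s[i] == ")", "unterminated compound filter"
        return (op, kids), i + 1
    j = s.index(")", i)   # values are not unescaped, so a ')' inside a DN is unsupported
    attr, value = s[i:j].split("=", 1)   # the value may itself contain '=' (a DN)
    return ("=", attr, value), j + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    # AD compares DNs and CNs case-insensitively; '*' matches any run of characters
    return any(fnmatch.fnmatchcase(v.lower(), value.lower()) for v in entry.get(attr, []))

def search(filter_string, directory=DIRECTORY):
    """DNs that a subtree search over the broad base DN would return for this filter."""
    tree, _ = parse(filter_string)
    return [e["dn"] for e in directory if matches(tree, e)]
```

With the base DN opened to the whole domain, `search(USER_FILTER)` still returns only alice and bob, and `search(GROUP_FILTER)` returns only ChatGroup1, which is the effect the group-prefix approach relies on.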