Using e-mail address as UID in LDAP

Mark_Burgess · May 16, 2007, 10:05pm

We are using our e-mail address as our UID in LDAP (slapd).

Unfortunately, we cannot login to Wildfire using this scheme.

If my UID is mark@foo.org and I try to login, it is rejected. If I change my UID to mark, then I can login.

In order to connect (I am using iChat), I would enter as my Jabber ID:

mark@host.domain.com (assuming my UID is mark)

But if my UID is mark@foo.org, shouldn’'t I login as mark@foo.org@host.domain.com for my Jabber ID?

Any ideas?

Darren_Sykes · May 17, 2007, 7:05am

I’‘m attempting to do the same thing (I think), and it’'s not easy.

I want my JID to be the same as my email (darren@example.com). However, if I tell Openfire to map it to the ‘‘mail’’ attribute in AD then my JID becomes darren@example.com@server.example.com. That’'s not a valid JID as it cannot legally contain 2 @ signs.

So, the fix would be to:

Set the server name to be the same as my email suffix (to example.com), which would make my JID darren@example.com@example.com
Use an AD attribute which contains only the prefix of my email address (i.e. darren), therefore my JID would be attribute & server name, which would be darren@example.com

The next trick is figuring out that there actually isn’‘t an attribute containing just the first part of my email address. So, before I gave up, I was going to use Microsoft’'s Metadirectory product (which we actually use anyway) to do the processing and attribute updates that are necessary.

I then realised that this may not work with the upcoming SSO capability, so decided to wait to see if I could get Spark 2.5.3 working with SSO (and eventually with my JID being my email address).

edited to say: I also forgot to mention that I believe Openfire will delimit the first @ symbol so you will be able to login but will need /% or whatever it replaces @ with.

D

Message was edited by: DeeJay

Mark_Burgess · May 17, 2007, 12:02pm

Thanks D, that is helpful… at least I know it really can’'t be done!

Why do they allow you to use “mail” as the JID if you can’‘t actually use it? And why can’‘t the UID be used if it is an e-mail address? I can do an ldapsearch with the UID which is an email address, so it’'s not an LDAP problem.

The problem is that we have people from various organizations in our LDAP directory. So, in order to ensure uniqueness across the directory, we have decided on e-mail address as the UID. But I think perhaps I can make a case for using the “%” sign instead of the “@” sign.

Darren_Sykes · May 17, 2007, 12:27pm

The constraint here is that in Openfire:

JID = logonname + server name

Without modifying the source code, that’'s the way it is. The definition of a JID is probably in the protocol definition, and much like SMTP addresses cannot contain 2 @ symbols.

So, if you want to make this work, as is, you need to prepare an attribute in the directory which is the first part of a user’'s email address (so in my example, would be set to darren where my email is darren@example.com).

A simple ADSI script would do it. Then tell openfire to use that (which will effectively make your email address the same as your JID, assuming your XMPP domain (or server name) defined on the server is the same as your email domain).

D

Blomart · July 30, 2007, 1:25pm

I’‘ve encountered the same problem recently and applied a little change to the code. I don’‘t know if there’‘s any plan to introduce this kind of functionality in future version. Tought i’'ve not tested the code extensively i think the changes is not big enough to cause critical problems.

I’'ve changed LdaManager.java and added a property to specify that the username ldap field is an email.

Here is the diff file:

44d43
&lt;  *      &lt;li&gt;ldap.usernameIsMail
134,136d132
&lt;     //Blomart Cedric - 27/07/2007
&lt;     //mail authentication to ldap
&lt;     private boolean usernameIsMail = false;
215,219d210
&lt;         usernameIsMail = false;
&lt;         String usernameIsMailStr = properties.get("ldap.usernameIsMail");
&lt;         if (usernameIsMailStr != null) {
&lt;           usernameIsMail = Boolean.valueOf(usernameIsMailStr);
&lt;         }
311d301
&lt;         buf.append("\t userameIsMail: ").append(usernameIsMail).append("\n");
607,614d596
&lt;         // Blomart Cedric - 27/07/2007
&lt;         // if username is email
&lt;         if (usernameIsMail) {
&lt;           String xmppdomain = JiveGlobals.getProperty("xmpp.domain","");
&lt;           if (xmppdomain!="") {
&lt;             username = username + "@" + xmppdomain;
&lt;           }
&lt;         }
1229c1211
&lt; } ---
&gt; }
\ No newline at end of file

Hope it helps and maybe it could be integrated somehow in the standard distribution