Jive Messenger LDAP Guide

Introduction

This document details how to configure your Jive Messenger installation to use an external LDAP store when authenticating users.

Background

LDAP (Lightweight Directory Access Protocol) has emerged as a dominant standard for user authentication and for storage of user profile data. It serves as a powerful tool for large organizations (or those organizations integrating many applications) to simplify user management issues.

By default, Jive Messenger stores all user data in a database and performs authentication using database lookups. The LDAP module replaces that functionality and allows Jive Messenger to:

Use a LDAP server to authenticate a user's identity.
Load and store user profile information in a LDAP directory.

This document will guide you through preparing your LDAP server and provide details about how to install the LDAP module on Jive Messenger. These instructions assume that you're a competent LDAP user, and that you're familiar with Jive Messenger setup issues. The iPlanet Directory Server 5.0 LDAP server was used for development and testing, but any LDAP compliant server should also work.

Choosing an LDAP storage mode

Two modes for storing user data in an LDAP directory are supported:

Mixed Mode (LDAP and User Database) -- Username, name and email are stored in LDAP. All Jive-specific data is stored in the Jive Messenger user database. This mode requires no changes to your LDAP directory.
Pure LDAP Mode -- All user data is stored in LDAP, including Messenger-specific data. This mode requires you to make changes to your LDAP schema.

The first option is easier to setup and is generally the better solution. However, the second option is also appropriate in some cases.

Configuration

In order to configure your server to use LDAP you need complete the following tasks:

Stop Messenger.
Edit MESSENGER_HOME/config/jive-messenger.xml as described below.
Restart Messenger.

Configure Messenger

Open the Messenger configuration file MESSENGER_HOME/config/jive-messenger.xml in your favorite editor and add or change the following settings:

UserProvider.id.className - com.jivesoftware.xmpp.ldap.LdapUserIDProvider
UserProvider.properties.className
UserProvider.info.className
UserProvider.account.className
UserProvider.roster.className
ldap.host - LDAP server host; e.g. localhost or machine.example.com, etc.
ldap.port - LDAP server port number
ldap.usernameField - The field name that the username lookups will be performed on.
ldap.baseDN - The starting DN that searches for users will performed with. The entire subtree under the base DN will be searched for user accounts.
ldap.nameField - The field name that holds the user's name.
ldap.emailField - The field name that holds the user's email address.
ldap.adminDN - A directory administrator's DN. All directory operations will be performed with this account. For normal usage of the module, the admin should have full administrative controls over the directory.
ldap.adminPassword - The password for the directory administrator.
ldap.debugEnabled - A value of "true" if debugging should be turned on. When on, trace information about buffers sent and received by the LDAP provider is written to System.out
ldap.sslEnabled - Enable SSL connections to your LDAP server. If you enable SSL connections, the LDAP server port number most likely should be changed to 636.
ldap.mode - "0" for all LDAP mode, "1" for mixed LDAP/Jive DB mode

Below is a sample set up.


<jive>
...
  <UserProvider>
    <id>
      <className>org.jivesoftware.messenger.ldap.LdapUserIDProvider</className>
    </id>
    <properties>
      <className>org.jivesoftware.messenger.ldap.LdapUserPropertiesProvider</className>
    </properties>
    <info>
      <className>org.jivesoftware.messenger.ldap.LdapUserInfoProvider</className>
    </info>
    <account>
       <className>org.jivesoftware.messenger.ldap.LdapUserAccountProvider</className>
    </account>
  <UserProvider>
  <ldap>
    <host>myhost.com</host>
    <port>389</port>
    <usernameField>uid</usernameField>
    <emailField>mail</emailField>
    <baseDN>o=mycompany, c=mycountry</baseDN>
    <nameField>cn</nameField>
    <adminDN>cn=ldap-administrator</adminDN>
    <adminPassword>adm1npwd</adminPassword>
    <debugEnabled>false</debugEnabled>
    <sslEnabled>false</sslEnabled>
    <mode>1</mode>
  </ldap>
...
</jive>

Configure the LDAP Server (optional)

Note: If you use the "mixed mode" of the Jive Messenger LDAP module, no changes to your LDAP directory are necessary. However, if you use the "pure mode", you'll need to make changes to your directory as detailed below. Several custom LDAP attributes are used to store things such as the numeric Jive Messenger user ID, the date the account was created, privacy flags, etc. The first step is to define these attributes in your LDAP directory.

Name	Type	OID	Multi-valued	Description
jiveUserID	Integer	1.3.6.1.4.1.10985.389.2	No	A numeric ID that Jive Messenger uses to identify a user.
jiveNameVisible	String	1.3.6.1.4.1.10985.389.3	No	The value is "true" if a user wishes to show their name publicly; "false" otherwise.
jiveEmailVisible	String	1.3.6.1.4.1.2.10985.389.4	No	The value is "true" if a user wishes to show their email address publicly; "false" otherwise.
jiveCDate	String	1.3.6.1.4.1.10985.389.6	No	The date the user became a Jive Messenger user.
jiveMDate	String	1.3.6.1.4.1.10985.389.7	No	The date the user information was last updated.
jiveProps	String	1.3.6.1.4.1.10985.389.8	Yes	A collection of extended properties for the user.

Next, you can optionally create a new object class that uses the specified attributes (or modify an existing object to add the attributes). The Jive Messenger LDAP module does not actually pay attention to object types, but only looks for the correct attributes. If you do create a new object, the object name should be "jivePerson" with an OID of 1.3.6.1.4.1.2.10985.389.1.

Each of the attributes listed above must be added as an optional attribute since the attributes will not be created until the user logs into Jive Messenger for the first time.

Also, you may wish to create an index on the "jiveUserID" attribute so that lookups on that field are fast.