<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>Openfire: LDAP Guide</title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>

<div id="pageContainer">

<a name="top"></a>

	<div id="pageHeader">
		<div id="logo"></div>
		<h1>LDAP Guide</h1>
	</div>
	<div class="navigation">
		<a href="index.html">&laquo; Back to documentation index</a>
	</div>

	<div id="pageBody">

<h2>Introduction</h2>

<p>
    This document details how to configure your Openfire installation to use
    an external directory such as OpenLDAP or Active Directory. Integration with a directory
    lets users authenticate using their directory username and password. Optionally, you can
    configure Openfire to load user profile and group information from the directory. Any group in
    Openfire can be designated as a shared group, which means that you can pre-populate users'
    rosters using directory groups.
</p>

<h2>Background</h2>

<p>
    LDAP (Lightweight Directory Access Protocol) has emerged as a dominant standard
    for user authentication and for storage of user profile data. It serves as a
    powerful tool for large organizations (or those organizations integrating many
    applications) to simplify user management issues. Many LDAP servers are available,
    such as <a href="http://www.openldap.org/">OpenLDAP</a>,
    <a href="http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/">Active Directory</a>,
    and Novell's <a href="http://www.novell.com/products/edirectory/">eDirectory</a>.
</p>

<p>
    By default, Openfire stores all user data in its database and performs
    authentication using database lookups. The LDAP module replaces that
    functionality and allows Openfire to:
    <ul>
        <li>Use an LDAP server to authenticate a user's identity.</li>
        <li>Load user profile information from an LDAP directory.</li>
        <li>Load group information from an LDAP directory.</li>
    </ul>

    <b>Note:</b> Openfire treats the LDAP directory as read-only.
</p>

<p>
    This document will guide you through configuring LDAP support in Openfire. These
    instructions assume that you're a competent LDAP user, and that you're familiar
    with Openfire setup issues.
</p>

<h2>Configuration</h2>

<p>
    The Openfire setup tool includes an easy to use LDAP setup wizard.
    Choose the LDAP option on the Profile Settings page to configure directory integration.
    The wizard, along with in-line help, will guide you through the rest of the process.
    <a href="#activedirectory">Specific tips</a> for working with Active Directory are noted below.

    <img src="images/setup_ldap.png" alt="LDAP setup" width="710" height="400" vspace="10">
    <br clear="left"/>

    If you have already completed the setup process but need to enable LDAP integration, you
    can re-run the setup tool. To do so:
    <ol>
        <li>
            Stop Openfire.
        </li>
        <li>Edit <tt>conf/openfire.xml</tt> in your Openfire installation folder and set
            &lt;setup&gt;true&lt;/setup&gt; to &lt;setup&gt;false&lt;/setup&gt;.
        </li>
        <li>
            Restart Openfire and enter the setup tool.
        </li>
    </ol>
</p>

<h2><a name="activedirectory">Working with Active Directory</a></h2>

<p>Microsoft's Active Directory is a broadly deployed directory system that supports the
LDAP protocol. You'll be prompted for several LDAP fields when connecting to Active Directory
servers, some of which are detailed below:
</p>

<ul>
    <li><b>Base DN</b><br/><br/>
        <p>The base DN describes where to load users and groups. If you're using a default
            Active Directory setup, all user accounts and groups are located in the
            "Users" folder under your domain. In LDAP form, that's <tt>cn=Users;dc=&lt;Your Domain&gt;</tt>.
            To get more specific, say your domain is <tt>activedirectory.jivesoftware.com</tt>. In that case,
            your base DN would be <tt>cn=Users;dc=activedirectory,dc=jivesoftware,dc=com</tt>. If
            you've customized where users are stored, you'll just need to replicate that folder
            structure using LDAP syntax.
        </p>
    </li>
    <li><b>Administrator DN</b><br/><br/>
        <p>By default, Active Directory does not allow anonymous LDAP connections. Therefore,
            you'll need to enter the DN of a user that's allowed to connect to the server and read
            all user and group data. Unless you've created a special user account for this
            purpose, an easy choice is to use the built-in administrator account. By default,
            the administrator DN is in the form <tt>cn=Administrator,dc=&lt;Your Domain&gt;</tt>.
            Using our previous example,
            <tt>cn=Administrator,cn=users,dc=activedirectory,dc=jivesoftware,dc=com</tt>.
        </p>
    </li>

</ul>


<div align="center"><img src="images/active_directory.png" width="629" height="414"></div>


<h3>Manually Editing the Config File</h3>

<p>
    If you prefer to enable LDAP integration by editing the configuration file directly, use the following
    instructions. Open the configuration file <tt>conf/openfire.xml</tt> from your Openfire
    installation in your favorite editor and add or change the following settings. Properties flagged with
    (<font color="red"><b>*</b></font>) must be set. Properties flagged with
    (<font color="red"><b>**</b></font>) must be set in order to enable LDAP group support;
    all other properties are optional:
</p>
<ul>
    <b>Main Settings</b><br><br>

    <li>provider.user.className <font color="red"><b>*</b></font> -- set the value to
        "org.jivesoftware.openfire.ldap.LdapUserProvider".</li>
    <li>provider.auth.className <font color="red"><b>*</b></font> -- set the value to
        "org.jivesoftware.openfire.ldap.LdapAuthProvider".</li>

    <li>ldap.host <font color="red"><b>*</b></font> -- LDAP server host; e.g. localhost or
        machine.example.com, etc. It is possible to use many LDAP servers, but all of them
        <b>should share the same configuration</b> (e.g. SSL, baseDN, admin account, etc.).
        To specify many LDAP servers, use the comma or the white space character as delimiter.</li>
    <li>ldap.port -- LDAP server port number. If this property is not set, the default value is
        389.</li>
    <li>ldap.readTimeout -- the string representation of an integer giving the read timeout in
        milliseconds for LDAP operations. If the LDAP provider doesn't get an LDAP response within
        the specified period, it aborts the read attempt. The integer should be greater than zero.
        An integer less than or equal to zero means no read timeout is set, in which case the
        provider waits indefinitely until the response is received (the original behavior).
        <i>Requires Java 1.6 or later.</i></li>
    <li>ldap.baseDN <font color="red"><b>*</b></font> -- the starting DN that searches for users
        will be performed with. The entire subtree under the base DN will be searched for user accounts.
    </li>

    <li>ldap.alternateBaseDN -- a second DN in the directory can optionally be set. If set, the
        alternate base DN will be used for authentication, loading single users and displaying a
        list of users. Content in the base DN and the alternate DN will be treated as one.</li>
    <li>ldap.adminDN -- a directory administrator's DN. All directory operations will be performed
            with this account. The admin must be able to perform searches and load user records. The
            user does not need to be able to make changes to the directory, as Openfire treats the
            directory as read-only.
            If this property is not set, an anonymous login to the server will be attempted.
        </li>
    <li>ldap.adminPassword -- the password for the directory administrator.</li>
    <li>ldap.usernameField -- the field name that the username lookups will be performed on. If
            this property is not set, the default value is <tt>uid</tt>. Active Directory users
            should use <tt>sAMAccountName</tt>.</li>
    <li>ldap.nameField -- the field name that holds the user's name. If this property is not
            set, the default value is <tt>cn</tt>. Active Directory users should use
            <tt>displayName</tt>.</li>

    <li>ldap.emailField -- the field name that holds the user's email address. If this property
            is not set, the default value is <tt>mail</tt>. Active Directory users should use the
            default value <tt>mail</tt>.</li>
     <li>ldap.searchFields -- the LDAP fields that will be used for user searches. If
        this property is not set, the username, name, and email fields will be searched. An example
        value for this field is "Username/uid,Name/cname". That searches the uid and cname fields
        in the directory and labels them as "Username" and "Name" in the search UI. You can add
        as many fields as you'd like using comma-delimited "DisplayName/Field" pairs. You should
        ensure that any fields used for searching are properly indexed so that searches return
        quickly.</li>
    <li>ldap.searchFilter -- an optional search filter to append to the default filter when
        loading users. The default search filter is created using the attribute specified by
        ldap.usernameField. For example, if the username field is "uid", then the default search
        filter would be "(uid={0})" where {0} is dynamically replaced with the username being searched
        for.
        <br/><br/>
        The most common usage of a search filter is to limit the entries that are users
        based on objectClass. For example, a reasonable search filter for a default Active Directory
        installation is "(objectClass=organizationalPerson)". When combined with the default
        filter, the actual search executed would be
        "(&amp;(sAMAccountName={0})(objectClass=organizationalPerson))".</li>
    <li>ldap.subTreeSearch -- by default, Openfire will search the entire LDAP sub-tree (starting
        at the base DN) when trying to load users. If this property is set to <tt>false</tt>, then
        sub-tree searching is disabled and users will only be loaded directly from the base DN.
        Disabling sub-tree searching can improve performance, but it will fail to find users if your directory
        is set up to use sub-folders under the base DN.</li>

    <br><br>
    <b>Group Settings</b><br><br>

    <li>provider.group.className <font color="red"><b>**</b></font> -- set the value to
        "org.jivesoftware.openfire.ldap.LdapGroupProvider".</li>
    <li>ldap.groupNameField <font color="red"><b>**</b></font> -- the field name that the group name
        lookups will be performed on. If this property is not set, the default value is <tt>cn</tt>.</li>
    <li>ldap.groupMemberField -- the field name that holds the members in a group. If this property
        is not set, the default value is <tt>member</tt>.</li>

    <li>ldap.groupDescriptionField -- the field name that holds the description of a group. If this
        property is not set, the default value is <tt>description</tt>.</li>
    <li>ldap.posixMode <font color="red"><b>**</b></font> -- a value of "true" means that users are
        stored within the group by their user name alone. A value of "false" means that users are
        stored by their entire DN within the group. If this property is not set, the default value
        is <tt>false</tt>. The posix mode must be set correctly for your server in
        order for group integration to work. Posix modes for common LDAP servers:
        <ul>
            <li>Active Directory: false</li>
        </ul>
    </li>

    <li>ldap.groupSearchFilter -- an optional search filter to append to the default filter when
        loading groups. The default group search filter is created using the attribute specified
        by ldap.groupNameField. For example, if the group name field is "cn", then the default
        group search filter would be "(cn={0})" where {0} is dynamically replaced with the group
        name being searched for.
        <br/><br/>
        The most common usage of a search filter is to limit the entries that are groups
        based on objectClass. For example, a reasonable search filter for a default Active Directory
        installation is "(objectClass=group)". When combined with the default
        filter, the actual search executed would be
        "(&amp;(cn={0})(objectClass=group))".</li>

    <br><br>
    <b>Connection Settings</b><br><br>

    <li>ldap.debugEnabled -- a value of "true" if debugging should be turned on. When on, trace
            information about buffers sent and received by the LDAP provider is written to
            System.out.</li>
    <li>ldap.sslEnabled -- a value of "true" to enable SSL connections to your LDAP server. If you
            enable SSL connections, the LDAP server port number most likely should be changed to
            636.</li>

    <li>ldap.initialContextFactory -- the name of the class that should be used as an initial
        context factory. If this value is not specified, "com.sun.jndi.ldap.LdapCtxFactory" will be
        used instead. Most users will not need to set this value.</li>
    <li>ldap.autoFollowReferrals -- a value of "true" indicates that LDAP referrals should be
        automatically followed. If this property is not set or is set to "false", the referral policy used is left
        up to the provider. A referral is an entity that is used to redirect a client's request to
        another server. A referral contains the names and locations of other objects. It is sent by the server to
        indicate that the information that the client has requested can be found at another location (or
        locations), possibly at another server or several servers.</li>
    <li>ldap.connectionPoolEnabled -- a value of "false" disables LDAP connection pooling. If this
        property is not set, the default value is "true".</li>

</ul>

<p>
    Below is a sample config file section:
</p>
<pre>
    &lt;jive&gt;
      ...
      &lt;ldap&gt;
        &lt;host&gt;&lt;/host&gt;
        &lt;port&gt;389&lt;/port&gt;
        &lt;usernameField&gt;uid&lt;/usernameField&gt;
        &lt;nameField&gt;cn&lt;/nameField&gt;
        &lt;emailField&gt;mail&lt;/emailField&gt;
        &lt;baseDN&gt;ou=People;dc=example;dc=com&lt;/baseDN&gt;
        &lt;adminDN&gt;cn=Directory Administrator&lt;/adminDN&gt;
        &lt;adminPassword&gt;&lt;/adminPassword&gt;
      &lt;/ldap&gt;
      &lt;provider&gt;
        &lt;user&gt;
          &lt;className&gt;org.jivesoftware.openfire.ldap.LdapUserProvider&lt;/className&gt;
        &lt;/user&gt;
        &lt;auth&gt;
          &lt;className&gt;org.jivesoftware.openfire.ldap.LdapAuthProvider&lt;/className&gt;
        &lt;/auth&gt;
        &lt;group&gt;
          &lt;className&gt;org.jivesoftware.openfire.ldap.LdapGroupProvider&lt;/className&gt;
        &lt;/group&gt;
      &lt;/provider&gt;
      ...
    &lt;/jive&gt;
</pre>

<p>You'll most likely want to change which usernames are authorized to login to the
    admin console. By default, only the user with username "admin" is allowed to login. However,
    you may have different users in your LDAP directory that you'd like to be administrators. The
    list of authorized usernames is controlled via the <tt>admin.authorizedUsernames</tt>
    property. For example, to let the usernames "joe" and "jane" login to the admin console:</p>

<pre>
    &lt;jive&gt;
      ...
      &lt;admin&gt;
        ...
        &lt;authorizedUsernames&gt;joe, jane&lt;/authorizedUsernames&gt;
      &lt;/admin&gt;
      ...
    &lt;/jive&gt;
</pre>

<h2><a name="">Custom Search Filter</a></h2>

<p>By default, Openfire will load all objects under the baseDN that
    have the attribute specified by <tt>ldap.usernameField</tt>. In the
    case that the username field is set to "uid", the search for all users
    would be "(uid=*)". However, there are cases when this logic does
    not work -- for example, when a directory contains other objects besides
    users but all objects share "uid" as a unique identifier field. In that
    case, you may need to specify a custom search filter using
    <tt>ldap.searchFilter</tt>. As an example, a search filter for all users
    with a "uid" and a "cn" value of "joe" would
    be:</p>

<pre>(&amp;(uid={0})(cn=joe))</pre>

<p>The "{0}" value in the filter above is a token that should be present in
    all custom search filters. It will be dynamically replaced with "*" when
    loading the list of all users or a username when loading a single user.</p>

<p>Some custom search filters may include reserved XML entities such as
    "&amp;". In that case, you must enter the search filter into the openfire.xml
    file using CDATA:
</p>

<pre>&lt;searchFilter&gt;&lt;![CDATA[(&amp;(sAMAccountName={0})(|(givenName=GEORGE)(givenName=admin)))]]&gt;&lt;/searchFilter&gt;</pre>
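<p>The following Python script is an added example, not Openfire's own code: it builds the effective user or group filter from the field name and an optional ldap.searchFilter / ldap.groupSearchFilter value, expands the {0} token for a list-all or single-entry lookup, and renders the openfire.xml element with CDATA when the filter contains "&amp;". The RFC 4515 escaping of the substituted username is added here as a safe practice; how Openfire itself escapes that value is not described on this page.</p>

```python
from typing import Optional

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a username before it replaces {0}, so it is matched literally."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def default_filter(name_field: str) -> str:
    """Filter derived from ldap.usernameField / ldap.groupNameField, e.g. (uid={0})."""
    return "({}={{0}})".format(name_field)


def effective_filter(name_field: str, custom: Optional[str] = None) -> str:
    """Filter that is actually executed.

    A custom filter that already carries {0} (the form shown under "Custom
    Search Filter") is taken as written; one without it (the objectClass
    example under ldap.searchFilter) is AND-ed with the default filter.
    """
    if not custom:
        return default_filter(name_field)
    if "{0}" in custom:
        return custom
    return "(&{}{})".format(default_filter(name_field), custom)


def expand(filter_template: str, username: Optional[str] = None) -> str:
    """Replace {0}: '*' lists all entries, an escaped value loads one entry."""
    if "{0}" not in filter_template:
        raise ValueError("search filter must contain the {0} token")
    token = "*" if username is None else escape_filter_value(username)
    return filter_template.replace("{0}", token)


def balanced(filter_str: str) -> bool:
    """Sanity check before saving the config: parentheses must balance."""
    depth = 0
    for ch in filter_str:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


def xml_element(tag: str, filter_str: str) -> str:
    """Render the openfire.xml element; '&' or '<' in the filter forces CDATA."""
    if "&" in filter_str or "<" in filter_str:
        if "]]>" in filter_str:
            raise ValueError("filter cannot contain ']]>' inside a CDATA section")
        return "<{0}><![CDATA[{1}]]></{0}>".format(tag, filter_str)
    return "<{0}>{1}</{0}>".format(tag, filter_str)


if __name__ == "__main__":
    # Constructed values mirroring the guide's Active Directory example.
    template = effective_filter("sAMAccountName", "(objectClass=organizationalPerson)")
    assert balanced(template)
    print(expand(template))                        # list all users
    print(expand(template, "jdoe"))                # load one user
    print(expand(template, "smith (contractor)"))  # parentheses stay literal
    print(xml_element("searchFilter", template))
```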

<h2><a name="ctxFactory">Custom Initial Context Factory</a></h2>

<p>
    Some LDAP servers or application servers may require that a different LDAP
    initial context factory be used rather than the default (com.sun.jndi.ldap.LdapCtxFactory).
    You can set a custom initial context factory by adding the following to openfire.xml:
</p>

<pre>
  &lt;ldap&gt;
    ... other ldap settings here
    &lt;initialContextFactory&gt;com.foo.factoryClass&lt;/initialContextFactory&gt;
  &lt;/ldap&gt;</pre>

<h2><a name="connectionPool">Connection Pooling</a></h2>

<p>
    The default LDAP provider (Sun's) supports pooling of connections to the LDAP
    server. Connection pooling can greatly improve performance, especially on
    systems with high load. Connection pooling is enabled by default, but can
    be disabled by setting the Jive property <tt>ldap.connectionPoolEnabled</tt>
    to <tt>false</tt>:
</p>

<pre>&lt;ldap&gt;
        ... other ldap settings here
        &lt;connectionPoolEnabled&gt;false&lt;/connectionPoolEnabled&gt;
        &lt;/ldap&gt;</pre>

<p>
    To change the default pool settings, set the relevant Java system properties.
    For more information, see the following pages:
    <ul>
        <li><a href="http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html">
            http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html</a></li>
        <li><a href="http://java.sun.com/products/jndi/tutorial/ldap/connect/config.html">
            http://java.sun.com/products/jndi/tutorial/ldap/connect/config.html</a></li>
    </ul>
</p>

<p>Note that if you turn on LDAP debugging, connection pooling will not be enabled.
    If SSL LDAP mode is enabled, you must set a system property to enable pooling of
    SSL LDAP connections.</p>

<h2><a name="vcard">LDAP vCard Integration</a></h2>

<p>The LDAP vCard provider will expose LDAP profile information as vCard data for XMPP
clients that support the XMPP vCard extension. First, enable the provider:</p>

<pre>
    &lt;provider&gt;
      ...
      &lt;vcard&gt;
        &lt;className&gt;org.jivesoftware.openfire.ldap.LdapVCardProvider&lt;/className&gt;
      &lt;/vcard&gt;
      ...
    &lt;/provider&gt;
</pre>

<p>Next, you must add mappings between LDAP fields and vCard fields in the openfire.xml file.
    The vCard attributes are configured by adding an attrs="attr1,attr2" attribute to the vCard
    elements. Arbitrary text can be used for the element values as well as MessageFormat style
    placeholders for the LDAP attributes. For example, if you wanted to map the LDAP attribute
    displayName to the vCard element FN, the XML snippet would be:
    &lt;FN attrs="displayName"&gt;{0}&lt;/FN&gt;</p>

<p>The vCard XML must be escaped in CDATA and must also be well formed. It is the exact
    XML this provider will send to a client after stripping attrs attributes and populating
    the placeholders with the data retrieved from LDAP. This system should be flexible enough to
    handle any client's vCard format. An example mapping follows.</p>

<pre>
    &lt;ldap&gt;
      &lt;vcard-mapping&gt;
        &lt;![CDATA[
          &lt;vCard xmlns='vcard-temp'&gt;
            &lt;FN&gt;{displayName}&lt;/FN&gt;
            &lt;NICKNAME&gt;{uid}&lt;/NICKNAME&gt;
            &lt;BDAY&gt;{dob}&lt;/BDAY&gt;
            &lt;ADR&gt;
              &lt;HOME/&gt;
              &lt;EXTADR&gt;Ste 500&lt;/EXTADR&gt;
              &lt;STREET&gt;317 SW Alder St&lt;/STREET&gt;
              &lt;LOCALITY&gt;Portland&lt;/LOCALITY&gt;
              &lt;REGION&gt;Oregon&lt;/REGION&gt;
              &lt;PCODE&gt;97204&lt;/PCODE&gt;
              &lt;CTRY&gt;USA&lt;/CTRY&gt;
            &lt;/ADR&gt;
            &lt;TEL&gt;
              &lt;HOME/&gt;
              &lt;VOICE/&gt;
              &lt;NUMBER&gt;{telephoneNumber}&lt;/NUMBER&gt;
            &lt;/TEL&gt;
            &lt;EMAIL&gt;
              &lt;HOME/&gt;
              &lt;INTERNET/&gt;
              &lt;PREF/&gt;
              &lt;USERID&gt;{mail}&lt;/USERID&gt;
            &lt;/EMAIL&gt;
            &lt;TITLE&gt;{title}&lt;/TITLE&gt;
            &lt;ROLE&gt;&lt;/ROLE&gt;
            &lt;ORG&gt;
              &lt;ORGNAME&gt;{o}&lt;/ORGNAME&gt;
              &lt;ORGUNIT&gt;&lt;/ORGUNIT&gt;
            &lt;/ORG&gt;
            &lt;URL&gt;{labeledURI}&lt;/URL&gt;
            &lt;DESC&gt;uid: {uidNumber} home: {homeDirectory} shell: {loginShell}&lt;/DESC&gt;
          &lt;/vCard&gt;
        ]]&gt;
      &lt;/vcard-mapping&gt;
    &lt;/ldap&gt;
</pre>
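<p>The following Python script is an added example, not Openfire's code: it parses a constructed mapping in the format above, strips the attrs attributes, resolves both placeholder styles ({0} against the element's attrs list, {name} against the LDAP entry) from a constructed entry, and serialises the vCard that would go to the client. It fills placeholders only after parsing, so directory values are emitted as escaped text rather than re-parsed as markup; the page does not say how Openfire performs this step, and the entry and mapping used here are made up.</p>

```python
import re
import xml.etree.ElementTree as ET

NS = "vcard-temp"

# Constructed LDAP entry standing in for the attributes read for one user.
SAMPLE_ENTRY = {
    "displayName": "Jane Doe",
    "uid": "jdoe",
    "mail": "jdoe@example.com",
    "telephoneNumber": "+1 503 555 0100",
    "o": "Example <Corp> & Co",   # markup characters must come through as text
}

# Constructed mapping in the guide's format; mixes the {0}+attrs form and the {attr} form.
SAMPLE_MAPPING = """<vCard xmlns='vcard-temp'>
  <FN attrs="displayName">{0}</FN>
  <NICKNAME>{uid}</NICKNAME>
  <EMAIL><INTERNET/><USERID>{mail}</USERID></EMAIL>
  <TEL><VOICE/><NUMBER>{telephoneNumber}</NUMBER></TEL>
  <ORG><ORGNAME>{o}</ORGNAME><ORGUNIT>{ou}</ORGUNIT></ORG>
</vCard>"""

_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def fill(text, entry, attrs=None):
    """Resolve placeholders in one element's text.

    {n} selects the n-th name from the element's attrs="a,b" list; {name}
    names an LDAP attribute directly. An attribute the entry lacks becomes an
    empty string rather than leaking the raw token to the client.
    """
    def lookup(match):
        key = match.group(1)
        if key.isdigit():
            idx = int(key)
            if attrs is None or idx >= len(attrs):
                return ""
            key = attrs[idx]
        return entry.get(key, "")
    return _PLACEHOLDER.sub(lookup, text)


def render_vcard(mapping_xml, entry):
    """Parse the mapping (must be well formed), strip attrs=, fill placeholders.

    Placeholders are filled after parsing, so directory values become text
    nodes and are escaped on output instead of being re-parsed as markup.
    """
    root = ET.fromstring(mapping_xml)          # raises ParseError if malformed
    for el in root.iter():
        attr_list = el.attrib.pop("attrs", None)
        names = [n.strip() for n in attr_list.split(",")] if attr_list else None
        if el.text and "{" in el.text:
            el.text = fill(el.text, entry, names)
    return root


def vcard_field(root, *path):
    """Read the text of a nested vCard element, e.g. vcard_field(root, "EMAIL", "USERID")."""
    el = root.find("/".join("{%s}%s" % (NS, p) for p in path))
    return None if el is None else (el.text or "")


def to_xml(root):
    """Serialise what would be sent to the client, with vcard-temp as the default namespace."""
    return ET.tostring(root, encoding="unicode", default_namespace=NS)


if __name__ == "__main__":
    print(to_xml(render_vcard(SAMPLE_MAPPING, SAMPLE_ENTRY)))
```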

<h2>LDAP FAQ</h2>

<p>
    <b>Can I create new users through Openfire when using LDAP?</b>
    <ul>No, Openfire treats LDAP directories as read-only. Therefore, it's
        not possible to create or edit users through the application.</ul>

    <b>Why is the list of usernames not sorted in the admin console when using LDAP?</b>
    <ul>Several popular LDAP servers such as OpenLDAP do not support server-side
        sorting of search results. On those servers, users will appear out of order.
        However, you can enable client-side sorting of search results by setting
        <tt>ldap.clientSideSorting</tt> to true in the XML configuration file.</ul>

    <b>I switched to LDAP and now cannot login to the admin console. What happened?</b>
    <ul>If you can no longer login to the admin console after switching, one of two
        things most likely happened:<ol>
        <li>By default, only the username "admin" is allowed to login to the
            admin console. Your directory may not contain a user with a username
            of "admin". In that case, you should modify the list of usernames authorized
            to login to the admin console (see above).</li>
        <li>You may have set the baseDN to an incorrect value. The LDAP module
            recursively searches for users under the node in the directory specified
            by the baseDN. When the baseDN is incorrect, no users will be found.</li>
    </ol>
        You can also enable debugging to get more information from the LDAP module. To
        do this, add &lt;log&gt;&lt;debug&gt;&lt;enabled&gt;true&lt;/enabled&gt;&lt;/debug&gt;&lt;/log&gt;
        to your <tt>conf/openfire.xml</tt> file. Log statements will be written
        to the <tt>logs/debug.log</tt> file.
    </ul>
</p>

	</div>

</div>

</body>
</html>