<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Jive Messenger LDAP Guide</title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<a name="top"></a>
<h1>Jive Messenger LDAP Guide</h1>
<h2>Introduction</h2>
<p>
This document details how to configure your Jive Messenger installation to use an external LDAP store when
authenticating users.
</p>
<h2>Background</h2>
<p>
LDAP (Lightweight Directory Access Protocol) has emerged as a dominant standard
for user authentication and for storage of user profile data. It serves as a
powerful tool for large organizations (or those organizations integrating many
applications) to simplify user management issues.
</p>
<p>
By default, Jive Messenger stores all user data in a database and performs
authentication using database lookups. The LDAP module replaces that
functionality and allows Jive Messenger to:
<ul>
<li>
Use an LDAP server to authenticate a user's identity.
</li>
<li>
Load and store user profile information in an LDAP directory.
</li>
</ul>
</p>
<p>
This document will guide you through preparing your LDAP server and provide
details about how to install the LDAP module on Jive Messenger. These
instructions assume that you're a competent LDAP user, and that you're familiar
with Jive Messenger setup issues. The iPlanet Directory Server 5.0 LDAP server
was used for development and testing, but any LDAP compliant server should also
work.
</p>
<h2>Choosing an LDAP storage mode</h2>
<p>Two modes for storing user data in an LDAP directory are supported:
<ol>
<li>
Mixed Mode (LDAP and User Database) -- Username, name and email are stored in
LDAP. All Jive-specific data is stored in the Jive Messenger user database.
This mode requires no changes to your LDAP directory.
</li>
<li>
Pure LDAP Mode -- All user data is stored in LDAP, including Messenger-specific
data. This mode requires you to make changes to your LDAP schema.
</li>
</ol>
The first option is easier to set up and is generally the better solution.
However, the second option is also appropriate in some cases.
</p>
<h2>Configuration</h2>
<p>
In order to configure your server to use LDAP you need to complete the following
tasks:
<ol>
<li>
Stop Messenger.
</li>
<li>Edit <tt>MESSENGER_HOME/config/jive-messenger.xml</tt> as described below.
</li>
<li>
Restart Messenger.
</li>
</ol>
</p>
<h3>Configure Messenger</h3>
<p>
Open the Messenger configuration file <tt>MESSENGER_HOME/config/jive-messenger.xml</tt> in your favorite
editor and add or change the following settings:
</p>
<ul>
<li>UserProvider.id.className - com.jivesoftware.xmpp.ldap.LdapUserIDProvider</li>
<li>UserProvider.properties.className</li>
<li>UserProvider.info.className</li>
<li>UserProvider.account.className</li>
<li>UserProvider.roster.className</li>
<li>ldap.host - LDAP server host; e.g. localhost or machine.example.com, etc.</li>
<li>ldap.port - LDAP server port number</li>
<li>ldap.usernameField - The field name that the username lookups will be performed on.</li>
<li>ldap.baseDN - The starting DN that searches for users will be performed with. The entire subtree under the base
DN will be searched for user accounts.
</li>
<li>ldap.nameField - The field name that holds the user's name.</li>
<li>ldap.emailField - The field name that holds the user's email address.</li>
<li>ldap.adminDN - A directory administrator's DN. All directory operations will be performed with this account.
For normal usage of the module, the admin should have full administrative controls over the directory.
</li>
<li>ldap.adminPassword - The password for the directory administrator.</li>
<li>ldap.debugEnabled - A value of "true" if debugging should be turned on. When on, trace information about
buffers sent and received by the LDAP provider is written to System.out</li>
<li>ldap.sslEnabled - Enable SSL connections to your LDAP server. If you enable SSL connections, the LDAP server port
number most likely should be changed to 636.
</li>
<li>ldap.mode - "0" for all LDAP mode, "1" for mixed LDAP/Jive DB mode</li>
</ul>
<p>
Below is a sample setup.
</p>
<pre><code>
<jive>
...
<UserProvider>
<id>
<className>org.jivesoftware.messenger.ldap.LdapUserIDProvider</className>
</id>
<properties>
<className>org.jivesoftware.messenger.ldap.LdapUserPropertiesProvider</className>
</properties>
<info>
<className>org.jivesoftware.messenger.ldap.LdapUserInfoProvider</className>
</info>
<account>
<className>org.jivesoftware.messenger.ldap.LdapUserAccountProvider</className>
</account>
</UserProvider>
<ldap>
<host>myhost.com</host>
<port>389</port>
<usernameField>uid</usernameField>
<emailField>mail</emailField>
<baseDN>o=mycompany, c=mycountry</baseDN>
<nameField>cn</nameField>
<adminDN>cn=ldap-administrator</adminDN>
<adminPassword>adm1npwd</adminPassword>
<debugEnabled>false</debugEnabled>
<sslEnabled>false</sslEnabled>
<mode>1</mode>
</ldap>
...
</jive>
</code></pre>
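<p>
The following is an added example, not part of this guide or of Jive Messenger: a small Python script that reads the
<tt>&lt;ldap&gt;</tt> block of a <tt>jive-messenger.xml</tt>, checks the settings described above (required values,
a valid <tt>mode</tt>, the SSL/port 636 pairing, and <tt>debugEnabled</tt> left on), and builds the lookup filter for
<tt>usernameField</tt>. The sample configuration is constructed, and the filter escaping is a defensive addition of this
example, not a statement about what the module itself does.
</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the guide): the <ldap> block of a
# jive-messenger.xml with two settings a reviewer should flag.
SAMPLE_CONFIG = """<jive>
  <ldap>
    <host>myhost.com</host>
    <port>389</port>
    <usernameField>uid</usernameField>
    <baseDN>o=mycompany, c=mycountry</baseDN>
    <adminDN>cn=ldap-administrator</adminDN>
    <adminPassword>adm1npwd</adminPassword>
    <debugEnabled>true</debugEnabled>
    <sslEnabled>true</sslEnabled>
    <mode>1</mode>
  </ldap>
</jive>"""

REQUIRED = ("host", "port", "usernameField", "baseDN", "adminDN", "adminPassword")

def load_ldap_settings(xml_text):
    """Return the children of <ldap> as a {tag: text} dict."""
    ldap = ET.fromstring(xml_text).find("ldap")
    if ldap is None:
        raise ValueError("no <ldap> block in configuration")
    return {child.tag: (child.text or "").strip() for child in ldap}

def check_ldap_settings(settings):
    """Return findings against the settings the guide describes."""
    findings = [f"{key} is missing or empty" for key in REQUIRED if not settings.get(key)]
    if settings.get("mode") not in ("0", "1"):
        findings.append("mode must be 0 (pure LDAP) or 1 (mixed LDAP/Jive DB)")
    if settings.get("sslEnabled") == "true" and settings.get("port") != "636":
        findings.append("sslEnabled is true but port is not 636")
    if settings.get("debugEnabled") == "true":
        findings.append("debugEnabled traces LDAP buffers (including bind credentials) to System.out")
    return findings

def escape_filter_value(value):
    """Escape a username for use inside an LDAP search filter (RFC 4515 hex escapes)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def username_filter(settings, username):
    """Build the subtree-search filter for a username lookup on usernameField."""
    return "(%s=%s)" % (settings["usernameField"], escape_filter_value(username))
```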
<h2>Configure the LDAP Server (optional)</h2>
<p>
<b>Note:</b> If you use the "mixed mode" of the Jive Messenger LDAP module, no changes to your LDAP directory are
necessary. However, if you use the "pure mode", you'll need to make changes to your directory as detailed below.
Several custom LDAP attributes are used to store things such as the numeric Jive Messenger user ID,
the date the account was created, privacy flags, etc. The first step is to define these attributes in your LDAP
directory.
</p>
<table>
<tr>
<th>Name</th>
<th>Type</th>
<th>OID</th>
<th>Multi-valued</th>
<th>Description</th>
</tr>
<tr>
<td>jiveUserID</td>
<td>Integer </td>
<td>1.3.6.1.4.1.10985.389.2 </td>
<td>No </td>
<td>A numeric ID that Jive Messenger uses to identify a user.</td>
</tr>
<tr>
<td>jiveNameVisible </td>
<td>String </td>
<td>1.3.6.1.4.1.10985.389.3 </td>
<td>No </td>
<td>The value is "true" if a user wishes to show their name publicly; "false" otherwise.</td>
</tr>
<tr>
<td>jiveEmailVisible </td>
<td>String </td>
<td>1.3.6.1.4.1.2.10985.389.4 </td>
<td>No </td>
<td>The value is "true" if a user wishes to show their email address publicly; "false" otherwise.</td>
</tr>
<tr>
<td>jiveCDate </td>
<td>String </td>
<td>1.3.6.1.4.1.10985.389.6 </td>
<td>No </td>
<td>The date the user became a Jive Messenger user.</td>
</tr>
<tr>
<td>jiveMDate </td>
<td>String </td>
<td>1.3.6.1.4.1.10985.389.7 </td>
<td>No </td>
<td>The date the user information was last updated.</td>
</tr>
<tr>
<td>jiveProps </td>
<td>String </td>
<td>1.3.6.1.4.1.10985.389.8 </td>
<td>Yes </td>
<td>A collection of extended properties for the user.</td>
</tr>
</table>
<p>Next, you can optionally create a new object class that uses the specified attributes
(or modify an existing object class to add the attributes). The Jive Messenger LDAP module does not actually pay attention to
object classes, but only looks for the correct attributes. If you do create a new object class, its name should be
"jivePerson" with an OID of 1.3.6.1.4.1.2.10985.389.1.
</p>
<p>
Each of the attributes listed above must be added as an optional attribute since the attributes will not be
created until the user logs into Jive Messenger for the first time.
</p>
<p>
Also, you may wish to create an index on the "jiveUserID" attribute so that lookups on that field are fast.
</p>
</body>
</html>