Skip to content

O
Openfire
Commit 1d3a95c0 authored by Matt Tucker's avatar Matt Tucker Committed by matt
Browse files
Options

Added vCard integration information. 

git-svn-id: http://svn.igniterealtime.org/svn/repos/messenger/trunk@2988 b35dd754-fafc-0310-a699-88a17e54d16e
parent 988c2f3a
Show whitespace changes
Inline Side-by-side
Showing with 296 additions and 181 deletions
documentation/docs/ldap-guide.html
View file @ 1d3a95c0
......@@ -4,6 +4,7 @@
<title>Jive Messenger LDAP Guide</title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<a name="top"></a>
......@@ -12,115 +13,158 @@
<h2>Introduction</h2>
<p>
This document details how to configure your Jive Messenger installation to use
an external LDAP store when authenticating users and loading user profile information.
This document details how to configure your Jive Messenger installation to use
an external LDAP store when authenticating users and loading user profile information.
</p>
<h2>Background</h2>
<p>
LDAP (Lightweight Directory Access Protocol) has emerged as a dominant standard
for user authentication and for storage of user profile data. It serves as a
powerful tool for large organizations (or those organizations integrating many
applications) to simplify user management issues.
LDAP (Lightweight Directory Access Protocol) has emerged as a dominant standard
for user authentication and for storage of user profile data. It serves as a
powerful tool for large organizations (or those organizations integrating many
applications) to simplify user management issues.
</p>
<p>
By default, Jive Messenger stores all user data in a database and performs
authentication using database lookups. The LDAP module replaces that
functionality and allows Jive Messenger to:
<ul>
By default, Jive Messenger stores all user data in a database and performs
authentication using database lookups. The LDAP module replaces that
functionality and allows Jive Messenger to:
<ul>
<li>Use a LDAP server to authenticate a user's identity.</li>
<li>Load user profile information from a LDAP directory.</li>
<li>Load group information from an LDAP directory.</li>
</ul>
</ul>
<b>Note:</b> Jive Messenger treats the LDAP directory as read-only.
<b>Note:</b> Jive Messenger treats the LDAP directory as read-only.
</p>
<p>
This document will guide you through configuring LDAP support in Jive Messenger. These
instructions assume that you're a competent LDAP user, and that you're familiar
with Jive Messenger setup issues.
This document will guide you through configuring LDAP support in Jive Messenger. These
instructions assume that you're a competent LDAP user, and that you're familiar
with Jive Messenger setup issues.
</p>
<h2>Configuration</h2>
<p>
In order to configure your server to use LDAP:
<ol>
<li>
Stop Jive Messenger.
</li>
<li>Edit <tt>conf/jive-messenger.xml</tt> in your Jive Messenger installation folder as described below.
</li>
<li>
Restart Jive Messenger.
</li>
</ol>
In order to configure your server to use LDAP:
<ol>
<li>
Stop Jive Messenger.
</li>
<li>Edit <tt>conf/jive-messenger.xml</tt> in your Jive Messenger installation folder as
described below.
</li>
<li>
Restart Jive Messenger.
</li>
</ol>
</p>
<h3>Editing the Config File</h3>
<p>
Open the configuration file <tt>conf/jive-messenger.xml</tt> from your Jive Messenger installation in your favorite
editor and add or change the following settings. Properties flagged with (<font color="red"><b>*</b></font>)
must be set. Properties flagged with (<font color="red"><b>**</b></font>) must be set in order to enable LDAP group
support, all other properties are optional:
Open the configuration file <tt>conf/jive-messenger.xml</tt> from your Jive Messenger
installation in your favorite
editor and add or change the following settings. Properties flagged with (<font color="red">
<b>*</b></font>)
must be set. Properties flagged with (<font color="red"><b>**</b></font>) must be set in order
to enable LDAP group
support, all other properties are optional:
</p>
<ul>
<li>provider.user.className <font color="red"><b>*</b></font> -- set the value to "org.jivesoftware.messenger.ldap.LdapUserProvider".</li>
<li>provider.auth.className <font color="red"><b>*</b></font> -- set the value to "org.jivesoftware.messenger.ldap.LdapAuthProvider".</li>
<li>provider.group.className <font color="red"><b>**</b></font> -- set the value to "org.jivesoftware.messenger.ldap.LdapGroupProvider".</li>
<li>ldap.host <font color="red"><b>*</b></font> -- LDAP server host; e.g. localhost or machine.example.com, etc.</li>
<li>ldap.port -- LDAP server port number. If this property is not set, the default value is 389.</li>
<li>ldap.baseDN <font color="red"><b>*</b></font> -- the starting DN that searches for users will performed with.
The entire subtree under the base DN will be searched for user accounts.
</li>
<li>ldap.alternateBaseDN -- a second DN in the directory can optionally be set. If set, the alternate base DN
will be used for authentication and loading single users, but will not be used to display a list of users
(due to technical limitations).
<li>ldap.adminDN -- a directory administrator's DN. All directory operations will be performed
with this account. The admin must be able to perform searches and load user records. The user does
not need to be able to make changes to the directory, as Jive Messenger treats the directory as read-only.
<li>provider.user.className <font color="red"><b>*</b></font> -- set the value to
"org.jivesoftware.messenger.ldap.LdapUserProvider".</li>
<li>provider.auth.className <font color="red"><b>*</b></font> -- set the value to
"org.jivesoftware.messenger.ldap.LdapAuthProvider".</li>
<li>provider.group.className <font color="red"><b>**</b></font> -- set the value to
"org.jivesoftware.messenger.ldap.LdapGroupProvider".</li>
<li>ldap.host <font color="red"><b>*</b></font> -- LDAP server host; e.g. localhost or
machine.example.com, etc.</li>
<li>ldap.port -- LDAP server port number. If this property is not set, the default value is
389.</li>
<li>ldap.baseDN <font color="red"><b>*</b></font> -- the starting DN that searches for users
will performed with.
The entire subtree under the base DN will be searched for user accounts.
</li>
<li>ldap.alternateBaseDN -- a second DN in the directory can optionally be set. If set, the
alternate base DN
will be used for authentication and loading single users, but will not be used to display a
list of users
(due to technical limitations).
<li>ldap.adminDN -- a directory administrator's DN. All directory operations will be
performed
with this account. The admin must be able to perform searches and load user records. The
user does
not need to be able to make changes to the directory, as Jive Messenger treats the
directory as read-only.
If this property is not set, an anonymous login to the server will be attempted.
</li>
<li>ldap.adminPassword -- the password for the directory administrator.</li>
<li>ldap.usernameField -- the field name that the username lookups will be performed on. If this property is not set,
</li>
<li>ldap.adminPassword -- the password for the directory administrator.</li>
<li>ldap.usernameField -- the field name that the username lookups will be performed on. If
this property is not set,
the default value is <tt>uid</tt></li>
<li>ldap.nameField -- the field name that holds the user's name. If this property is not set, the default value is
<li>ldap.nameField -- the field name that holds the user's name. If this property is not
set, the default value is
<tt>cn</tt></li>
<li>ldap.emailField -- the field name that holds the user's email address. If this property is not set,
<li>ldap.emailField -- the field name that holds the user's email address. If this property
is not set,
the default value is <tt>mail</tt>.</li>
<li>ldap.searchFilter -- the search filter that should be used when loading users. If this property
<li>ldap.searchFilter -- the search filter that should be used when loading users. If this
property
is not set, the default search will be for users that have the attribute specified by
ldap.usernameField.
<li>ldap.debugEnabled -- a value of "true" if debugging should be turned on. When on, trace
information about buffers sent and received by the LDAP provider is written to System.out</li>
<li>ldap.sslEnabled -- a value of "true" to enable SSL connections to your LDAP server. If you
enable SSL connections, the LDAP server port number most likely should be changed to 636.</li>
<li>ldap.initialContextFactory -- the name of the class that should be used as an initial context
factory. if this value is not specified, "com.sun.jndi.ldap.LdapCtxFactory" will be used instead.
<li>ldap.debugEnabled -- a value of "true" if debugging should be turned on. When on, trace
information about buffers sent and received by the LDAP provider is written to
System.out</li>
<li>ldap.sslEnabled -- a value of "true" to enable SSL connections to your LDAP server. If
you
enable SSL connections, the LDAP server port number most likely should be changed to
636.</li>
<li>ldap.initialContextFactory -- the name of the class that should be used as an initial
context
factory. if this value is not specified, "com.sun.jndi.ldap.LdapCtxFactory" will be used
instead.
Most users will not need to set this value.
<li>ldap.autoFollowReferrals -- a value of "true" indicates that LDAP referrals should be automatically
followed. If this property is not set or is set to "false", the referral policy used is left up to
to the provider. A referral is an entity that is used to redirect a client's request to another server.
A referral contains the names and locations of other objects. It is sent by the server to indicate
that the information that the client has requested can be found at another location (or locations),
<li>ldap.autoFollowReferrals -- a value of "true" indicates that LDAP referrals should be
automatically
followed. If this property is not set or is set to "false", the referral policy used is left
up to
to the provider. A referral is an entity that is used to redirect a client's request to
another server.
A referral contains the names and locations of other objects. It is sent by the server to
indicate
that the information that the client has requested can be found at another location (or
locations),
possibly at another server or several servers.
<li>ldap.connectionPoolEnabled -- a value of "false" disables LDAP connection pooling. If this
<li>ldap.connectionPoolEnabled -- a value of "false" disables LDAP connection pooling. If this
property is not set, the default value is "true".
<li>ldap.groupNameField -- the field name that the groupname lookups will be performed on. If this property is not set,
<li>ldap.groupNameField -- the field name that the groupname lookups will be performed on. If
this property is not set,
the default value is <tt>cn</tt></li>
<li>ldap.groupMemberField -- the field name that holds the members in a group. If this property is not set,
<li>ldap.groupMemberField -- the field name that holds the members in a group. If this property
is not set,
the default value is <tt>member</tt></li>
<li>ldap.groupDescriptionField -- the field name that holds the description a group. If this property is not set,
<li>ldap.groupDescriptionField -- the field name that holds the description a group. If this
property is not set,
the default value is <tt>description</tt></li>
<li>ldap.posixMode -- a value of "true" means that users are stored within the group by their user name alone.
A value of "false" means that users are stored by their entire DN within the group. If this property is not set,
<li>ldap.posixMode -- a value of "true" means that users are stored within the group by their
user name alone.
A value of "false" means that users are stored by their entire DN within the group. If this
property is not set,
the default value is <tt>false</tt></li>
<li>ldap.groupSearchFilter -- the search filter that should be used when loading groups. If this property is not set,
<li>ldap.groupSearchFilter -- the search filter that should be used when loading groups. If this
property is not set,
the default value is <tt>("ldap.groupNameField"={0})</tt></li>
</ul>
<p>
Below is a sample config file section:
Below is a sample config file section:
</p>
<pre><code>
&lt;jive&gt;
...
&lt;jive&gt;
...
&lt;ldap&gt;
&lt;host&gt;&lt;/host&gt;
&lt;port>389&lt;/port&gt;
......@@ -142,111 +186,182 @@ Below is a sample config file section:
&lt;className&gt;org.jivesoftware.messenger.ldap.LdapGroupProvider&lt;/className&gt;
&lt;/group&gt;
&lt;/provider&gt;
...
&lt;/jive&gt;
...
&lt;/jive&gt;
</code></pre>
<p>You'll most likely want to change which usernames are authorized to login to the
admin console. By default, only the user with username "admin" is allowed to login. However,
you may have different users in your LDAP directory that you'd like to be administrators. The
list of authorized usernames is controlled via the <tt>adminConsole.authorizedUsernames</tt>
property. For example, to let the usersnames "joe" and "jane" login to the admin console:</p>
admin console. By default, only the user with username "admin" is allowed to login. However,
you may have different users in your LDAP directory that you'd like to be administrators. The
list of authorized usernames is controlled via the <tt>adminConsole.authorizedUsernames</tt>
property. For example, to let the usersnames "joe" and "jane" login to the admin console:</p>
<pre><code>
&lt;jive&gt;
...
&lt;jive&gt;
...
&lt;adminConsole&gt;
...
&lt;authorizedUsernames&gt;joe, jane&lt;/authorizedUsernames&gt;
&lt;/adminConsole&gt;
...
&lt;/jive&gt;
...
&lt;/jive&gt;
</code></pre>
<p><a name=""><h2>Custom Search Filter</h2></a></p>
<p>By default, Jive Messenger will load all objects under the baseDN that
have the attribute specified by <tt>ldap.usernameField</tt>. In the
case that the username field is set to "uid", the search for all users
would be "(uid=*)". However, there are cases when this logic does
not work -- for example, when a directory contains other objects besides
users but all objects share "uid" as a unique identifier field. In that
case, you may need to specify a custom search filter using
<tt>ldap.searchFilter</tt>. As an example, a search filter for all users
with a "uid" and a "cn" value of "joe" would
be:</p>
have the attribute specified by <tt>ldap.usernameField</tt>. In the
case that the username field is set to "uid", the search for all users
would be "(uid=*)". However, there are cases when this logic does
not work -- for example, when a directory contains other objects besides
users but all objects share "uid" as a unique identifier field. In that
case, you may need to specify a custom search filter using
<tt>ldap.searchFilter</tt>. As an example, a search filter for all users
with a "uid" and a "cn" value of "joe" would
be:</p>
<pre>(&(uid={0})(cn=joe))</pre>
<p>The "{0}" value in the filter above is a token that should be present in
all custom search filters. It will be dynamically replaced with "*" when
loading the list of all users or a username when loading a single user.</p>
all custom search filters. It will be dynamically replaced with "*" when
loading the list of all users or a username when loading a single user.</p>
<p>Some custom search filters may include reserved XML entities such as
"&". In that case, you must enter the search filter into the jive-messenger.xml
file using CDATA:
"&". In that case, you must enter the search filter into the jive-messenger.xml
file using CDATA:
<pre>&lt;searchFilter&gt;&lt;![CDATA[(&(sAMAccountName={0})(|(givenName=GEORGE)(givenName=admin)))]]&gt;&lt;/searchFilter&gt;</pre>
<pre>&lt;searchFilter&gt;&lt;![CDATA[(&(sAMAccountName={0})(|(givenName=GEORGE)(givenName=admin)))]]&gt;&lt;/searchFilter&gt;</pre>
<p><a name="ctxFactory"><h2>Custom Inital Context Factory</h2></a></p>
<p><a name="ctxFactory"><h2>Custom Inital Context Factory</h2></a></p>
<p>
Some LDAP servers or application servers may require that a different LDAP
initial context factory be used rather than the default (com.sun.jndi.ldap.LdapCtxFactory).
You can set a custom initial context factory by adding the following to jive_config.xml:
<p>
Some LDAP servers or application servers may require that a different LDAP
initial context factory be used rather than the default (com.sun.jndi.ldap.LdapCtxFactory).
You can set a custom initial context factory by adding the following to jive_config.xml:
<pre>&lt;ldap&gt;
<pre>
&lt;ldap&gt;
... other ldap settings here
&lt;initialContextFactory&gt;com.foo.factoryClass&lt;/initialContextFactory&gt;
&lt;/ldap&gt;</pre>
</p>
&lt;/ldap&gt;</pre>
</p>
<p><a name="connectionPool"><h2>Connection Pooling</h2></a></p>
<p><a name="connectionPool"><h2>Connection Pooling</h2></a></p>
The default LDAP provider (Sun's) support pooling of connections to the LDAP
server. Connection pooling can greatly improve performance, especially on
systems with high load. Connection pooling is enabled by default, but can
be disabled by setting the Jive property <tt>ldap.connectionPoolEnabled</tt>
to <tt>false</tt>:
The default LDAP provider (Sun's) support pooling of connections to the LDAP
server. Connection pooling can greatly improve performance, especially on
systems with high load. Connection pooling is enabled by default, but can
be disabled by setting the Jive property <tt>ldap.connectionPoolEnabled</tt>
to <tt>false</tt>:
<pre>&lt;ldap&gt;
<pre>&lt;ldap&gt;
... other ldap settings here
&lt;connectionPoolEnabled&gt;false&lt;/connectionPoolEnabled&gt;
&lt;/ldap&gt;</pre></p>
&lt;/ldap&gt;</pre></p>
<p>
You should set several Java system properties to change default pool settings.
For more information, see the following pages:
<ul>
You should set several Java system properties to change default pool settings.
For more information, see the following pages:
<ul>
<li> <a href="http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html">
http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html</a>
<li> <a href="http://java.sun.com/products/jndi/tutorial/ldap/connect/config.html">
http://java.sun.com/products/jndi/tutorial/ldap/connect/config.html</a>
<li><a href="http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html">
http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html</a>
<li><a href="http://java.sun.com/products/jndi/tutorial/ldap/connect/config.html">
http://java.sun.com/products/jndi/tutorial/ldap/connect/config.html</a>
</ul>
</ul>
</p>
<p>Note that if you turn on LDAP debugging, connection pooling will not be enabled.
If SSL LDAP mode is enabled, you must set a system property to enable pooling of
SSL LDAP connections.</p>
If SSL LDAP mode is enabled, you must set a system property to enable pooling of
SSL LDAP connections.</p>
<p><a name="vcard"><h2>LDAP vCard Integration</h2></a></p>
<p>The LDAP vCard provider will expose LDAP profile information as vCard data for XMPP
clients that support the XMPP vCard extension. First, enable the provider:</p>
<pre>
&lt;provider&gt;
...
&lt;vcard&gt;
&lt;className&gt;org.jivesoftware.messenger.ldap.LdapVCardProvider&lt;/className&gt;
&lt;/vcard&gt;
...
&lt;/provider&gt;
</pre>
<p>Next, you must add mappings between LDAP fields and vCard fields in the jive-messenger.xml file.
The vcard attributes are configured by adding an attrs="attr1,attr2" attribute to the vcard
elements. Arbitrary text can be used for the element values as well as MessageFormat style
placeholders for the ldap attributes. For example, if you wanted to map the LDAP attribute
displayName to the vcard element FN, the XML snippet would be:
&lt;FN attrs="displayName"&gt;{0}&lt;/FN&gt;</p>
<p>The vCard XML must be escaped in CDATA and must also be well formed. It is the exact
XML this provider will send to a client after after stripping attr attributes and populating
the placeholders with the data retrieved from LDAP. This system should be flexible enough to
handle any client's vCard format. An example mapping follows.</p>
<pre>
&lt;ldap&gt;
&lt;vcard-mapping&gt;
&lt;![CDATA[
&lt;vCard xmlns='vcard-temp'&gt;
&lt;FN attrs=&quot;displayName&quot;&gt;{0}&lt;/FN&gt;
&lt;NICKNAME attrs=&quot;uid&quot;&gt;{0}&lt;/NICKNAME&gt;
&lt;BDAY attrs=&quot;dob&quot;&gt;{0}&lt;/BDAY&gt;
&lt;ADR&gt;
&lt;HOME/&gt;
&lt;EXTADR&gt;Ste 500&lt;/EXTADR&gt;
&lt;STREET&gt;317 SW Alder St&lt;/STREET&gt;
&lt;LOCALITY&gt;Portland&lt;/LOCALITY&gt;
&lt;REGION&gt;Oregon&lt;/REGION&gt;
&lt;PCODE&gt;97204&lt;/PCODE&gt;
&lt;CTRY&gt;USA&lt;/CTRY&gt;
&lt;/ADR&gt;
&lt;TEL&gt;
&lt;HOME/&gt;
&lt;VOICE/&gt;
&lt;NUMBER attrs=&quot;telephoneNumber&quot;&gt;{0}&lt;/NUMBER&gt;
&lt;/TEL&gt;
&lt;EMAIL&gt;
&lt;INTERNET/&gt;
&lt;USERID attrs=&quot;mail&quot;&gt;{0}&lt;/USERID&gt;
&lt;/EMAIL&gt;
&lt;TITLE attrs=&quot;title&quot;&gt;{0}&lt;/TITLE&gt;
&lt;ROLE attrs=&quot;&quot;&gt;{0}&lt;/ROLE&gt;
&lt;ORG&gt;
&lt;ORGNAME attrs=&quot;o&quot;&gt;{0}&lt;/ORGNAME&gt;
&lt;ORGUNIT attrs=&quot;&quot;&gt;{0}&lt;/ORGUNIT&gt;
&lt;/ORG&gt;
&lt;URL attrs=&quot;labeledURI&quot;&gt;{0}&lt;/URL&gt;
&lt;DESC attrs=&quot;uidNumber,homeDirectory,loginShell&quot;&gt;
uid: {0} home: {1} shell: {2}
&lt;/DESC&gt;
&lt;/vCard&gt;
]]&gt;
&lt;/vcard-mapping&gt;
&lt;/ldap&gt;
</pre>
<h2>LDAP FAQ</h2>
<p>
<b>Can I create new users through Jive Messenger when using LDAP?</b>
<ul>No, Jive Messenger treats LDAP directories as read-only. Therefore, it's
not possible to create or edit users through the application.</ul>
<b>Can I create new users through Jive Messenger when using LDAP?</b>
<ul>No, Jive Messenger treats LDAP directories as read-only. Therefore, it's
not possible to create or edit users through the application.</ul>
<b>Why is the list of usernames not sorted in the admin console when using LDAP?</b>
<ul>Several popular LDAP servers such as OpenLDAP do not support server-side
sorting of search results. On those servers, users will appear out of order.
However, you can enable client-side sorting of search results by setting
<tt>ldap.clientSideSorting</tt> to true in the XML configuration file.</ul>
<b>Why is the list of usernames not sorted in the admin console when using LDAP?</b>
<ul>Several popular LDAP servers such as OpenLDAP do not support server-side
sorting of search results. On those servers, users will appear out of order.
However, you can enable client-side sorting of search results by setting
<tt>ldap.clientSideSorting</tt> to true in the XML configuration file.</ul>
<b>I switched to LDAP and now cannot login to the admin console. What happened?</b>
<ul>If you can no longer login to the admin console after switching, one of two
things most likely happened:<ol>
<b>I switched to LDAP and now cannot login to the admin console. What happened?</b>
<ul>If you can no longer login to the admin console after switching, one of two
things most likely happened:<ol>
<li>By default, only the username "admin" is allowed to login to the
admin console. Your directory may not contain a user with a username
of "admin". In that case, you should modify the list of usernames authorized
......@@ -254,12 +369,12 @@ things most likely happened:<ol>
<li>You may have set the baseDN to an incorrect value. The LDAP module
recursively searches for users under the node in the directory specified
by the baseDN. When the baseDN is incorrect, no users will be found.
</ol>
You can also enable debugging to get more information from the LDAP module. To
do this, add &lt;log&gt;&lt;debug&gt;&lt;enabled&gt;true&lt;/enabled&gt;&lt;/debug&gt;&lt;/log&gt;
to your <tt>conf/jive_messenger.xml</tt> file. Log statements will be written
to the <tt>logs/debug.log</tt> file.
</ul>
</ol>
You can also enable debugging to get more information from the LDAP module. To
do this, add &lt;log&gt;&lt;debug&gt;&lt;enabled&gt;true&lt;/enabled&gt;&lt;/debug&gt;&lt;/log&gt;
to your <tt>conf/jive_messenger.xml</tt> file. Log statements will be written
to the <tt>logs/debug.log</tt> file.
</ul>
</body>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023