3 Replies Last post: Aug 4, 2005 11:14 PM by Cameron Moore  
Cameron Moore Silver 296 posts since
Feb 15, 2005

Jul 28, 2005 3:48 PM

A(nother) Guide For Using Active Directory With JM

Overview

This guide will show a convenient way in which a medium-sized organization could use Active Directory (AD) to work with Jive Messenger's LDAP authentication and groups.  After completing this guide, you will be able to control from AD which users are allowed to access Jive Messenger (JM) and which security or distribution groups will show up in JM, although group sharing will still need to be configured in the JM Admin Console.

Some of these principles may be useful for non-AD systems, but I focus solely on AD for this guide.

 

Laying The Groundwork

For this guide, I will use the following AD Organizational Unit (OU) structure:

  dc=example,dc=com
  |-> ou=Groups
  `-> ou=Persons
      |-> ou=HR
      |-> ou=IT
      `-> ou=Sales

Note that I don't use the Users container that AD uses by default.  The reason is that I like to have my AD tree structure match my corporate tree structure, and the Users container is really not an OU, so you can't create OUs underneath it.  If your organization is small enough that creating all those extra containers is more trouble than it's worth, then don't feel like you need to complicate things.  This general setup will work with everything left in the Users container.

In the Groups OU, we will use the following groups:

  JabberAccess - group members will be shown in JM
  HR - members of the Human Resources department
  IT - members of the Information Technology department
  Sales - members of the Sales department

JM XML Configuration

For this guide, we will use the following example XML configuration segments in JM:

  <ldap>
    <!-- General Settings -->
    <host>myservername</host>
    <port>389</port>
    <!-- Search base is the Persons OU from the tree above (an OU, so "ou=", not "cn=") -->
    <baseDN>ou=Persons,dc=example,dc=com</baseDN>
    <adminDN>cn=jiveldap,cn=Users,dc=example,dc=com</adminDN>
    <adminPassword>supersecret</adminPassword>
    <debugEnabled>false</debugEnabled>
    <!-- Auth Settings -->
    <usernameField>sAMAccountName</usernameField>
    <nameField>displayName</nameField>
    <emailField>mail</emailField>
    <searchFilter><![CDATA[
      (&
        (objectCategory=Person)
        (memberOf=cn=JabberAccess,ou=Groups,dc=example,dc=com)
        (!(userAccountControl:1.2.840.113556.1.4.803:=2))
        (sAMAccountName={0})
      )
    ]]></searchFilter>
    <!-- Group Settings -->
    <groupSearchFilter><![CDATA[
      (&
        (objectClass=group)
        (memberOf=cn=JabberAccess,ou=Groups,dc=example,dc=com)
        (member={0})
      )
    ]]></groupSearchFilter>
  </ldap>
  <provider>
    <user>
      <className>org.jivesoftware.messenger.ldap.LdapUserProvider</className>
    </user>
    <auth>
      <className>org.jivesoftware.messenger.ldap.LdapAuthProvider</className>
    </auth>
    <group>
      <className>org.jivesoftware.messenger.ldap.LdapGroupProvider</className>
    </group>
  </provider>

Let me take a moment to explain the search filters.  The authentication search filter (searchFilter) reads like this:

  if (the LDAP object is of type Person) and
     (the user is a member of the JabberAccess group) and
     (the user account is not disabled) and
     (the sAMAccountName, ie. the username, is equal to the given username)
  then give this user access to JM

The group search filter (groupSearchFilter) similarly reads as:

  if (the LDAP object is a Group) and
     (the group is a member of the JabberAccess group) and
     (the given user is a member of this group)
  then show this group with whatever members are listed in the member fields
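The two filter walk-throughs above can be checked against sample directory entries before a real AD server is involved. The following is an added example, not code from the original post or from Jive Messenger: a small pure-Python model of how an LDAP server evaluates the searchFilter and the groupSearchFilter, including the bitwise matching rule on userAccountControl and RFC 4515 escaping of the value substituted for the {0} placeholder. The directory entries, DNs, usernames and the function names are constructed for this illustration.

```python
"""Model the post's two AD search filters over constructed directory entries.

Added example (not from the original post or Jive Messenger). The entries,
DNs and usernames below are constructed; the filter semantics follow the
searchFilter / groupSearchFilter quoted in the post.
"""

# Bit 0x2 of userAccountControl is ACCOUNTDISABLE. The filter's
# 1.2.840.113556.1.4.803 matching rule is a bitwise AND against this value.
ACCOUNTDISABLE = 0x0002

JABBER_ACCESS_DN = "cn=JabberAccess,ou=Groups,dc=example,dc=com"


def escape_filter_value(value: str) -> str:
    """Escape a value substituted into an LDAP filter (RFC 4515).

    The post's filters replace {0} with the login name; escaping it keeps
    the login name from altering the filter's structure (filter injection).
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(username: str) -> str:
    """Render the post's searchFilter with the username substituted for {0}."""
    return (
        "(&(objectCategory=Person)"
        f"(memberOf={JABBER_ACCESS_DN})"
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
        f"(sAMAccountName={escape_filter_value(username)}))"
    )


def user_matches(entry: dict, username: str) -> bool:
    """Apply the searchFilter semantics to one directory entry."""
    return (
        entry.get("objectCategory") == "Person"
        and JABBER_ACCESS_DN in entry.get("memberOf", [])
        and not (entry.get("userAccountControl", 0) & ACCOUNTDISABLE)
        and entry.get("sAMAccountName", "").lower() == username.lower()
    )


def groups_for_user(user_dn: str, entries: list) -> list:
    """Apply the groupSearchFilter semantics: groups that are themselves
    members of JabberAccess and list user_dn in their member attribute."""
    return sorted(
        e["dn"]
        for e in entries
        if e.get("objectClass") == "group"
        and JABBER_ACCESS_DN in e.get("memberOf", [])
        and user_dn in e.get("member", [])
    )


# Constructed sample directory (not real data).
IT_DN = "cn=IT,ou=Groups,dc=example,dc=com"
HR_DN = "cn=HR,ou=Groups,dc=example,dc=com"
ALICE_DN = "cn=Alice,ou=IT,ou=Persons,dc=example,dc=com"
BOB_DN = "cn=Bob,ou=IT,ou=Persons,dc=example,dc=com"
CAROL_DN = "cn=Carol,ou=HR,ou=Persons,dc=example,dc=com"

DIRECTORY = [
    # alice: enabled (512), in JabberAccess and IT -> may log in
    {"dn": ALICE_DN, "objectCategory": "Person", "sAMAccountName": "alice",
     "userAccountControl": 512, "memberOf": [JABBER_ACCESS_DN, IT_DN]},
    # bob: enabled, in IT but not in JabberAccess -> denied
    {"dn": BOB_DN, "objectCategory": "Person", "sAMAccountName": "bob",
     "userAccountControl": 512, "memberOf": [IT_DN]},
    # carol: in JabberAccess and HR but disabled (512 + 2 = 514) -> denied
    {"dn": CAROL_DN, "objectCategory": "Person", "sAMAccountName": "carol",
     "userAccountControl": 514, "memberOf": [JABBER_ACCESS_DN, HR_DN]},
    # IT group is itself a member of JabberAccess -> shown in JM
    {"dn": IT_DN, "objectClass": "group", "memberOf": [JABBER_ACCESS_DN],
     "member": [ALICE_DN, BOB_DN]},
    # HR group is not in JabberAccess -> never shown
    {"dn": HR_DN, "objectClass": "group", "memberOf": [], "member": [CAROL_DN]},
]


def authenticate(username: str, entries: list = DIRECTORY):
    """Return the DN of the single entry the searchFilter selects, or None."""
    for e in entries:
        if user_matches(e, username):
            return e["dn"]
    return None


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, "->", authenticate(name))
    print("groups for alice:", groups_for_user(ALICE_DN, DIRECTORY))
```

Running it shows alice is accepted while bob (not in JabberAccess) and carol (account disabled) are not, and that only IT is returned as a group for alice because HR is not nested under JabberAccess. Note that the group filter on its own would also list IT for bob; it is the user filter that keeps non-JabberAccess members out, which is the behaviour the post describes for departmental groups.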

The other thing to note is that I leave the user that JM uses to connect to AD in the Users container in AD.  This is a personal preference, so feel free to put it anywhere you please.

Enabling Jabber Access In AD

Once JM is configured as shown above, we are ready to start enabling access within AD.  To give users access to JM, simply add them to the JabberAccess group.  Once you have given your users access to JM, add the security or distribution groups you wish to display in JM to the same JabberAccess group that you added your users to.

Note that users who are not members of the JabberAccess group but are members of their department group will NOT show up in JM.  The only members of a departmental group that will show up in JM are users who are also members of JabberAccess.

Enabling Group Sharing in JM

Once your users and groups show up in the JM Admin Console, you simply need to enable group sharing for each group and decide who should see the shared groups. It's that easy!

Looking Forward

One useful feature that may be implemented in the future is automatic sharing of groups.  If we could set up JM to share new groups automatically, there would be no need to log in to the JM Admin Console at all in order to create new shared groups.  If a JIRA issue is created for such a feature or if the feature is implemented, I'll update this post.

If you find any errors in this guide, please speak up.  Thanks.

--

Cameron

Poppa Smurf Bronze 76 posts since
Mar 17, 2005
Aug 4, 2005 1:53 PM in response to: Cameron Moore
Re: A(nother) Guide For Using Active Directory With JM

Your setup sounds very similar to mine, and we have a problem where users' online/offline statuses are not being sent to other users in the group. Also, if we change a user's group membership, JM is not propagating it to the clients. We waited 4 hours one time to see if it would ever update the group roster, but it didn't. Have you had any issues like this?
