LDAP Over port 3268 versus 389 - Avatars are affected

I have configured Openfire to query over port 3268 so that all child domains (entire forest) can be searched by the Openfire server. When 389 is set, only one domain in the forest can be supported.

Over the past few months, I have beat my head against the wall trying to figure out why Avatars in AD would not work… Long story short, when using LDAP over 3268 the jpegPhoto and thumbnailPhoto fields in AD do not return a value. When I configured my Openfire server to use 389, the avatars begin to work again.

So, this should help clear up some issues in the future if you have a similar problem.

Now to my question - I want to allow avatars, and with port 3268, it is obvious that I can not use AD to keep the images. I am willing to turn on the ability to keep avatars on the Openfire server, but I want to make sure that users DO NOT have the ability to upload their own. It needs to be a corporate approved photo.

How can I enable VCard / Avatar storage on the server and allow only (specified) IT members to manage the photos for all Openfire users? By default, when enabling VCards/Avatars on the Openfire server, people are able to upload their own images… The openfire server is connected to a SQL 2000 backend on a seperate server (not sure if you need to know that to provide a solution)

I do not believe what you are trying to do can be done. Are there any errors in the openfire server debug logs with regard to retrieving the avatars. It may be an issue with openfire not AD.

Based on MS Information:

  • **Port 3268. **This port is used for queries specifically targeted for the global catalog. LDAP requests sent to port 3268 can be used to search for objects in the entire forest. However, only the attributes marked for replication to the global catalog can be returned. For example, a user’s department could not be returned using port 3268 since this attribute is not replicated to the global catalog.
  • **Port 389. **This port is used for requesting information from the local domain controller. LDAP requests sent to port 389 can be used to search for objects only within the global catalog’s home domain. However, the requesting application can obtain all of the attributes for those objects. For example, a request to port 389 could be used to obtain a user’s department.
    The Schema Manager is used to specify additional attributes that should be replicated to each global catalog server. The attributes included in the global catalog are consistent across all domains in the forest.

I am going to see if I can use Schema Manager to add ‘thumbnailPhoto’ as a required attribute. Hopefully this will allow the attribute (avatar) to appear for the users.

Anyone with experience doing this, please share your knowledge. Otherwise I will post my findings.

BINGO!

Adding the Schema Manager in an MMC, I was able to locate the thumbnailPhoto (and jpegPhoto) attributes and force them to replicate to the Global Catalogs. This now allows the Avatars to appear in Spark when queurying over port 3268! Oh happy days…

Just a warning - be careful on the size of the pics that you upload, I imagine this could add some replication latency when pictures change often or a lot are updated at a given time.

regards,
Chris