Skip navigation
Up to Discussions in Openfire Support
4122 Views 10 Replies Latest reply: Feb 22, 2010 7:13 AM by selble RSS
selble Bronze
selble
10 posts since
Feb 12, 2010
Currently Being Moderated

Feb 12, 2010 11:44 AM

Shared Roster Groups Between Two Domains

Hi all,

 

I'm currently piloting an Openfire installation, and one of our goals with this system is to deploy it in two different office locations, with two different domains, along with allowing users to chat between the two locations. In testing, I've been able to get this going without any problems. Except one.

 

In addition to allowing the users to be able to chat, we'd also like all users in both locations to see all users throughout the company. This is the problem. We're using an LDAP backend for our user groups (filtering on objectClass=posixGroup), and this works fine in each location, with memberUids simply being a user name. However, when we want to throw users from another domain in that system (i.e., memberUid: "fullusername@domain.com"), Openfire does not pick up that user name. I can put any name I want in as a memberUid for a group, and as long as it's a short user name (i.e., "fullusername"), they get added to the SRG, but as soon as I put a full user name in, it doesn't work.

 

When setting up Openfire without LDAP, I can add a full user name from a different domain to a SRG, which leads me to believe this should be a one or few line change in the source, but I thought it'd be best to ask if there's a legitimate reason for not doing this via LDAP, or if this could even be a bug.

 

If anyone has any ideas, that'd be appreciated. Thanks, in advance.

Tags: ldap, roster, settings, configure
  • selble Bronze
    selble
    10 posts since
    Feb 12, 2010
    Currently Being Moderated
    Feb 12, 2010 1:32 PM (in response to selble)
    Re: Shared Roster Groups Between Two Domains

    I was looking through the logs when I came across this:

     

    2010.02.12 15:52:58 LdapManager: User DN based on username 'testuser@test.example.com' not found.                 
    2010.02.12 15:52:58 LdapManager: Exception thrown when searching for userDN based on username 'testuser@test.example.com'                 
    org.jivesoftware.openfire.user.UserNotFoundException: Username testuser@test.example.com not found
    at org.jivesoftware.openfire.ldap.LdapManager.findUserDN(LdapManager.java:711)
    at org.jivesoftware.openfire.ldap.LdapManager.findUserDN(LdapManager.java:637)
    at org.jivesoftware.openfire.ldap.LdapUserProvider.loadUser(LdapUserProvider.java: 80)
    at org.jivesoftware.openfire.user.UserManager.getUser(UserManager.java:213)
    at org.jivesoftware.openfire.ldap.LdapGroupProvider.processGroup(LdapGroupProvider .java:381)
    at org.jivesoftware.openfire.ldap.LdapGroupProvider.getGroup(LdapGroupProvider.jav a:95)
    at org.jivesoftware.openfire.group.GroupManager.getGroup(GroupManager.java:278)
    at org.jivesoftware.openfire.group.GroupManager.getGroup(GroupManager.java:257)
    at org.jivesoftware.openfire.group.GroupCollection$UserIterator.getNextElement(Gro upCollection.java:103)
    at org.jivesoftware.openfire.group.GroupCollection$UserIterator.hasNext(GroupColle ction.java:66)
    at org.jivesoftware.openfire.admin.group_002dsummary_jsp._jspService(group_002dsum mary_jsp.java:211)

     

    I took a look at the code, and other than just checking to see if the user's DN exists, I don't see any particular reason why this check needs to occur. Any downside to removing it, or altering it to allow this condition by any other means?

    • spulikon Bronze
      spulikon
      14 posts since
      Oct 8, 2009
      Currently Being Moderated
      Feb 15, 2010 10:24 PM (in response to selble)
      Re: Shared Roster Groups Between Two Domains

      I think this has to do with the server setting "ldap.posixMode".

       

      -> If this is enabled, the groups' members are short user names in Active Directory. So openfire won't try to find the corresponding username again.

      -> If this is not enabled, the groups' members are Full DNs (instead of short user names). In this case, openfire tries to find the short username based on the Full DN (by extracting the user's CN part etc.).

       

      Is this setting enabled in your environment? If this is not enabled, could you try adding just short user names (instead of USER@DOMAIN) as members of Active directory groups? We just use single domain in our environment, so not really sure if that helps.

      • selble Bronze
        selble
        10 posts since
        Feb 12, 2010
        Currently Being Moderated
        Feb 16, 2010 6:14 AM (in response to spulikon)
        Re: Shared Roster Groups Between Two Domains

        Thanks for the reply. We're currently syncing with OpenLDAP instead of Active Directory, though I don't think that would make any difference with this particular problem. As far as the difference between short names and long names go, I think the difference between short and long names is not the difference between "test" and "test@example.com", but rather "test" and "uid=test,ou=People,ou=Webapps,dc=example,dc=com". That said, it's mostly a difference in syntax rather than concept, so it may be quite beneficial to try out. Thanks for the helpful reply!

        • selble Bronze
          selble
          10 posts since
          Feb 12, 2010
          Currently Being Moderated
          Feb 17, 2010 7:36 AM (in response to selble)
          Re: Shared Roster Groups Between Two Domains

          This worked better, but still did not have the desired effect. I could add memberUids using full DNs, but if I added a DN that was outside of the base DN set in Openfire, Openfire would still add that user to a SRG, and it would also assume that the user was in the local IM domain. So it's one step forward in adding the user to a SRG, but one step backward in that it doesn't acheive my objective, hah.

           

          Any other thoughts? Comments on just not throwing an exception if a user cannot be found in LDAP?

          • spulikon Bronze
            spulikon
            14 posts since
            Oct 8, 2009
            Currently Being Moderated
            Feb 18, 2010 1:33 AM (in response to selble)
            Re: Shared Roster Groups Between Two Domains

            Is this what you are looking for: http://www.igniterealtime.org/issues/browse/ OF-162

            • selble Bronze
              selble
              10 posts since
              Feb 12, 2010
              Currently Being Moderated
              Feb 18, 2010 5:56 AM (in response to spulikon)
              Re: Shared Roster Groups Between Two Domains

              Thanks, but that's not quite what we're looking for. Essentially, we want to have two separate servers, each running its own instance of Openfire with its own XMPP domain (each backed by LDAP), with server-to-server communications setup between them. This is easy enough to do, and I already have it setup in a test environment.

               

              The tricky part comes with providing the ability for users of one domain to easily send IMs to users in the other domain, as well as providing presence notifications between domains. The Subscription plugin works well enough for allowing userABC@domain1.com to send a message to userDEF@domain2.com without requiring any "authorization" from userDEF@domain2.com, but presence data doesn't work that way.

               

              The one possible workaround I've found to this--which seems to work in my test environment--is to setup the two servers with the Subscription plugin, and then manually manipulate the ofRoster and ofRosterGroups table in the MySQL backend to add external users to the appropriate roster groups of the internal users. We're expecting to have ~400 users in one location, and ~60 in another, so we're looking at 24,000 entries in the ofRoster table alone in each location. It's ugly (really ugly), but I don't think it should be that big a deal, though I'm not sure of the impact it'll have when all those users start signing on...

               

              Thanks for the feedback so far, I appreciate it.

              • spulikon Bronze
                spulikon
                14 posts since
                Oct 8, 2009
                Currently Being Moderated
                Feb 18, 2010 7:01 PM (in response to selble)
                Re: Shared Roster Groups Between Two Domains

                I think now I understand your requirement correctly. As far as I know, IM b/w the users of different XMPP domains should be possible - which is actually working in your case. But, I am not sure whether it's possible to have users from different XMPP domains as part of shared roster groups. In short, I think developers may need to chime in.

                • selble Bronze
                  selble
                  10 posts since
                  Feb 12, 2010
                  Currently Being Moderated
                  Feb 19, 2010 5:47 AM (in response to spulikon)
                  Re: Shared Roster Groups Between Two Domains

                  Oh, it's definitely possible to have IM users in one domain be a member of shared roster groups on an IM server of a different domain, it's just that Openfire is making that process far more difficult than I'd like it to be.

                   

                  In short, I think you're right in that a developer's word(s) might be tremendously helpful here. Barring that, I think I'll evaluate using just one active IM server, with a backup ready to go against a replicated MySQL database and a replicated LDAP backend...

                • pavel Bronze
                  pavel
                  2 posts since
                  Feb 19, 2010
                  Currently Being Moderated
                  Feb 20, 2010 7:13 AM (in response to spulikon)
                  Re: Shared Roster Groups Between Two Domains

                  Hello!

                  This works fine in ejabberd project  (http://www.ejabberd.im).

                  I have the same problem then migrate from ejabberd to openfire :-(

                  • selble Bronze
                    selble
                    10 posts since
                    Feb 12, 2010
                    Currently Being Moderated
                    Feb 22, 2010 7:13 AM (in response to pavel)
                    Re: Shared Roster Groups Between Two Domains

                    <Sigh>

                     

                    We're looking to move away from ejabberd. As well as it seems to scale for some people, we have plenty of non-scaling-related issues that leave us wanting something (seemingly) substantially more polished (i.e., Openfire). We're still trying to determine whether shared roster groups across multiple XMPP domains is a big deal for us, but I'm hoping we'll be able to stick with Openfire.

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points