Big Brother In 3.5.0

In Openfire 3.5.0, we have added two new features to address security concerns! One of these features is security auditing. We’ve had packet auditing in Openfire for quite some time now, but that only addresses communication amongst users of your Openfire server. What the security auditing functionality provides is logging of administrative activities performed via the Admin Console. Any action you perform that changes the server’s configuration, adds, removes, or edits users and groups, or any number of other things, will be logged into the security auditor database. On top of that, we’ve implemented this via provider functionality just like the user providers. What this means is that if you have a custom place you’d like to be logging audit events, or perhaps want to write some sort of SMS event triggering implementation, you can do that and plug it into the existing infrastructure.

Beyond the security auditing, we have implemented the ability to lock out (disable) accounts. By default, you can lock out accounts for certain periods of time, use delayed starts, or lock them out until manually unlocked. You will find the option to lock out a user while viewing their account in the admin console. Just like with the security auditor, the implementation uses a provider, so that you can implement whatever source you might have for disabled accounts.

The APIs should be pretty flexible and enable developers to build whatever solutions they might need around these two concepts! I will be posting some more details in the Openfire Dev forum in the near future to go over some of the details and other API improvements. We hope that you will enjoy the new functionality when 3.5.0 is released!
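The lockout behaviour described in the post (immediate, delayed start, timed, or until manually unlocked, behind a swappable provider) can be modelled as below. This is an added sketch, not Openfire's code or API: the names `Lockout`, `LockoutSource`, `MemorySource` and `loginAllowed`, the null-means-open-ended convention, and the sample users and times are all assumptions made for illustration.

```java
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public class LockoutSketch {
    // Hypothetical record (not Openfire's class).
    // start == null: effective immediately; end == null: until manually unlocked.
    record Lockout(String username, Instant start, Instant end) {
        boolean activeAt(Instant now) {
            boolean started = start == null || !now.isBefore(start);
            boolean expired = end != null && !now.isBefore(end);
            return started && !expired;
        }
    }

    // Hypothetical provider contract: the source of lockout data is swappable.
    interface LockoutSource {
        Optional<Lockout> find(String username);
    }

    // In-memory source; a directory-backed source would implement the same interface.
    static class MemorySource implements LockoutSource {
        private final Map<String, Lockout> rows = new ConcurrentHashMap<>();
        void lock(Lockout l) { rows.put(l.username(), l); }
        void unlock(String username) { rows.remove(username); }
        public Optional<Lockout> find(String username) {
            return Optional.ofNullable(rows.get(username));
        }
    }

    // Login is refused only while a lockout window is active for the user.
    static boolean loginAllowed(LockoutSource src, String user, Instant now) {
        return src.find(user).map(l -> !l.activeAt(now)).orElse(true);
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2008-03-01T12:00:00Z"); // constructed sample time
        MemorySource src = new MemorySource();
        src.lock(new Lockout("alice", null, null));                  // until manually unlocked
        src.lock(new Lockout("bob", now.plusSeconds(3600), null));   // delayed start, not yet active
        src.lock(new Lockout("carol", now.minusSeconds(7200), now.minusSeconds(60))); // timed, expired
        for (String u : new String[] {"alice", "bob", "carol", "dave"}) {
            System.out.println(u + " login allowed: " + loginAllowed(src, u, now));
        }
        src.unlock("alice");
        System.out.println("alice after unlock: " + loginAllowed(src, "alice", now));
    }
}
```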

What will this “locking feature” do? Will it just forbid logging in? Would be great to automatically hide locked accounts from shared groups. And they should be visible again when unlocking them. Right now I’m deleting such users from shared groups.

It forbids logging in. Personally I wouldn’t want locked out people to be hidden from shared groups. I’d still like to know they’re in a group, and even be able to IM them. I haven’t heard anyone else ask for this functionality so I elected not to work it in. Given my belief that not many would want that capability, I bet it could be accomplished with a simple plugin that used the lockout manager’s database and compared roster loads and pulled things out of the roster as needed.

Will this work for systems using AD and LDAP? If so, that will be a nice addition.

Sure will! It works independently of the user provider. Also part of my logic behind building a provider structure for it was in case there’s a field in active directory that folk might want to use for locking people out, we could actually offer that.

Well 3.5 is looking great with this and invisibility. Looking forward to it.

Hi everyone,

It looks great, but what about the multiple accounts adding thing (adding more than one Yahoo/MSN/Gtalk account for an Openfire user)?

Gunjan

That’s an IM Gateway plugin issue (not Openfire), and that functionality is something that’s far more complicated than it may seem. =) So I don’t have a timeframe on it as of yet.

Openfire provides a packet auditing function out of the box. The Enterprise plugin logs and monitors conversations as well as the Open Archive plugin, which can be found in the igniterealtime.org Community section. That’s all that I’m aware of at present.