Overview
This article collects the most common FAQs regarding Jive's LDAP integration.
Information
About LDAP
What is LDAP?
Lightweight Directory Access Protocol is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
What are the benefits of Jive's integration with LDAP?
There are three main benefits:
- Authentication
- Access Control Lists (ACLs)
- Federated Identity
What does federated mean?
In Jive terms, a federated user or group is one that is synchronized from LDAP. For more information, please read this article.
Is LDAP SSO (Single Sign-On)?
No. SSO implies that a user can authenticate to a single Identity Provider (IdP) and be granted access to all applications that trust that IdP without being prompted for their credentials again. Jive's LDAP integration requires users to authenticate to the Jive application regardless of other applications they've accessed recently. It is best described as delegated authentication, because Jive "delegates" to LDAP the responsibility of authenticating principals.
What are the differences between syncing with LDAP and syncing with SAML SSO?
Please read this article.
Can federated and non-federated users exist in the same system?
Yes, and this is a typical configuration. We usually recommend that customers keep at least one non-federated admin account, as this may be the only way admins can access and modify the Jive instance if the LDAP connection fails.
What is the difference between Active Directory and LDAP?
Short answer:
Active Directory (and others) is a directory services database, and LDAP is one of the protocols you can use to talk to it.
Long answer:
- Active Directory is a database-backed system that provides authentication, directory, policy, and other services in a Windows environment.
- LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers such as Active Directory, which supports a form of LDAP.
What is an LDIF?
All LDAP directories can read and write a file format called LDIF (LDAP Data Interchange Format). An LDIF can tell you just about everything needed to configure the instance's LDAP settings so that user and group records are extracted from LDAP correctly.
How can I ask Jive's subject matter experts questions about LDAP integration?
Create a support case or visit this site for information.
How Jive's LDAP integration works
How does user synchronization work?
Users are synchronized to Jive based on the value of the attribute mapped to the ldap.usernameField system property. Think of this as the "primary key" of the synchronization. This value maps to the user's Jive username.
If enabled, profile synchronization happens at login. Username, name (or first and last names), email, type (regular or partner), and enabled state are synced at login regardless of whether profile synchronization is enabled. User type is determined by the ldap.userTypeField setting in Jive's LDAP configuration. When a user logs in to an LDAP-enabled Jive installation, the web app attempts to authenticate against the directory server with the credentials provided by the user. If successful, the user's authentication session with the Jive installation begins. In this scenario, a Jive user is created if one matching the provided credentials doesn't already exist. If enabled, security/permission groups are also synchronized at login.
If enabled, profile synchronization also happens nightly. This task updates or creates users in the Jive installation for the corresponding user accounts in the directory server. If the last-modified field in Jive's user mapping configuration is set, only those users whose directory accounts have been modified recently are updated.
User records in LDAP must contain an email address which does not already exist in Jive in order to be synchronized.
How does group synchronization work?
When configured, group synchronization will occur only when a user logs in. There is no group synchronization performed with the nightly batch synchronization and as of Jive 5.0.x, there is no way to perform a batch synchronization of groups. This is referred to as lazy-loading because groups are only loaded when needed.
For testing purposes, there is a "backdoor" for exercising group sync: viewing a user's profile in the admin console also triggers a group synchronization for that user. Keep this in mind if you ever need to test the LDAP group sync settings without asking the user to log in.
How does the sync task disable users?
If you have enabled the "Disable non-administrative user accounts not found in source during synchronization" option (the jive.sync.auto.disable=true system property), the batch LDAP sync process disables any federated user that cannot be found by the Jive search filter. This ensures that if a user's access is removed on the LDAP side, the user is also disabled in Jive.
Alternatively, you can configure the jive.sync.auto.disable.att.name and jive.sync.auto.disable.att.value properties to specify an attribute-value pair which, if present on the user's directory entry, causes the LDAP synchronization to disable the user in Jive. For example, if you wished to restrict access for anyone in the IT group, you could set up something like this:
jive.sync.auto.disable.att.name=memberOf
jive.sync.auto.disable.att.value=IT
Note: This would disable all users who are members of the IT group in LDAP when the batch sync process runs.
Will disabled users be re-enabled during an LDAP sync?
As of Jive Custom 7 and newer, yes. User accounts that are matched by the LDAP User Search Filter but disabled in Jive are re-enabled upon the next sync.
If you're using Jive 6 or older, then no. If a user is disabled in Jive, they will not be re-enabled by an LDAP sync even if the account is enabled in LDAP.
What does {0} mean in the ldap.searchFilter?
If you look at the default ldap.searchFilter property you'll see something like this:
ldap.searchFilter = (&(sAMAccountName={0})(objectClass=User))
The {0} is placeholder text which is replaced with a specific username when running a search for one user. It is therefore important that a clause like sAMAccountName={0} or userID={0} always exists in the default search filter. Removing this clause can cause issues such as preventing the sync task from disabling users.
Does Jive store LDAP passwords in the database?
No, Jive does not persist user passwords in the database. Each record in the jiveuser table stores a value in the passwordhash column as a placeholder, but for federated users this is a dummy value which is not used for authentication. Before 4.5.7 it was actually possible to authenticate using this passwordhash. We do store the password for the admin DN (bind account) in the jiveproperty table; however, it is stored in encrypted form.
Configuring LDAP Integration
How do I configure my search filter to only allow a subset of users to access the Jive system?
There are two main ways of doing this:
- Restrict the user DN to point to an Organizational Unit (OU) that contains the subset of the user base you'd like to sync to Jive (e.g. ldap.userDN = OU=Jive_Users). This assumes that there is a "structural" division in the directory that can be mapped to the Jive user base.
- Restrict the search filter based on logical rules mapped to attributes of the user accounts you'd like to sync to Jive, for example by group membership, by a custom attribute, or by excluding AD accounts whose userAccountControl has the disabled bit (2) set:
ldap.searchFilter = (&(sAMAccountName={0})(memberOf=Jive_Users))
ldap.searchFilter = (&(uid={0})(jiveenabled=true))
ldap.searchFilter = (&(sAMAccountName={0})(objectClass=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
How do I separate account provisioning from authentication?
You'll need to be on 5.0.6, 6.0.3, or a later version; you can then specify a separate filter for authentication via the ldap.authFilter property. If you set an auth filter, it needs a placeholder to match the username, like:
ldap.authFilter = (&(value of ldap.searchFilter)(memberOf=dn of a specific group)(sAMAccountName={0}))
What time does the nightly sync task run? Can I change this?
It runs at midnight every night by default. The task (userDataSynchronizationTask) is defined in spring-taskContext.xml with the cron expression "0 0 0 * * *" (second minute hour day-of-month month day-of-week). If this needs to be changed, the cron expression can be defined with the system property spring.userDataSynchronizationTask.cronExpression. This requires a restart to take effect. Here is an example of a 5 AM sync:
spring.userDataSynchronizationTask.cronExpression = 0 0 5 * * *
How do I configure the base DN and user DN?
The "base DN" (ldap.baseDN) is the root of all LDAP searches performed by Jive. The "user DN" (ldap.userDN) is a relative path from the base DN which you can use to point to a specific organizational unit (OU) from which you would like to perform your user searches. Since the user DN is relative to the base DN, it should not contain the base DN components. For example, you may want to integrate your Jive instance with LDAP and pull in only users from OU=Jive_Users,DC=support,DC=jive,DC=com. In this case, you should configure your DN settings as follows:
ldap.baseDN = DC=support,DC=jive,DC=com
ldap.userDN = OU=Jive_Users
It is important to keep in mind that the ldap.baseDN property should ONLY contain a path made up of DC components. If you add an OU to your ldap.baseDN property it may cause errors with group synchronization. You will likely see errors in the logs like this:
25 Aug 2011 08:51:15,202 [Task Engine Worker 0] [:] ERROR ldap.LdapGroupManager - javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=internal,DC=corp,DC=acme,DC=com' ]; remaining name 'cn=zzMsgEngGAL,ou=Messaging,ou=InfraServers,dc=corp,dc=acme,dc=com'
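As an added example (not Jive's code), the following Python helpers model the rules from the {0} placeholder, search filter and base/user DN questions above, and compose the ldapsearch call the troubleshooting section recommends for validating them by hand. The ldap.* property names are Jive's; the helper names, LDAP URL and bind DN are placeholders. It additionally escapes the username per RFC 4515 before substituting it into the filter, which the page does not describe Jive doing.

```python
"""Model the LDAP search Jive derives from its system properties (added example, not Jive's code)."""
from typing import List

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before it is placed inside an LDAP search filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, username: str) -> str:
    """Replace the {0} placeholder in ldap.searchFilter with the escaped username.

    A template without {0} cannot look up a single user (which is what breaks the
    sync task's disabling of users), so refuse it early instead of searching blindly.
    """
    if "{0}" not in template:
        raise ValueError("ldap.searchFilter has no {0} clause")
    return template.replace("{0}", escape_filter_value(username))


def search_base(base_dn: str, user_dn: str) -> str:
    """ldap.userDN is relative to ldap.baseDN; the effective search base is their join."""
    return f"{user_dn},{base_dn}" if user_dn else base_dn


def non_dc_components(base_dn: str) -> List[str]:
    """Return RDNs of ldap.baseDN that are not DC components (ldap.baseDN should be DC-only).

    Splitting on ',' is sufficient for DC-only DNs; it does not handle escaped commas.
    """
    return [rdn.strip() for rdn in base_dn.split(",") if not rdn.strip().lower().startswith("dc=")]


def ldapsearch_argv(url: str, bind_dn: str, base_dn: str, user_dn: str,
                    search_filter: str, username: str) -> List[str]:
    """Build the ldapsearch command that checks the same base, filter and bind settings by hand.

    url and bind_dn are placeholders for the connection properties; -W prompts for the
    bind password so it never lands in shell history.
    """
    return ["ldapsearch", "-x", "-H", url, "-D", bind_dn, "-W",
            "-b", search_base(base_dn, user_dn),
            render_filter(search_filter, username), "sAMAccountName", "mail"]


if __name__ == "__main__":
    # Constructed sample values taken from the page's own examples.
    print(render_filter("(&(sAMAccountName={0})(objectClass=User))", "jdoe"))
    print(search_base("DC=support,DC=jive,DC=com", "OU=Jive_Users"))
    print(non_dc_components("OU=internal,DC=corp,DC=acme,DC=com"))
```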
Can I use LDAP group sync with SAML authentication?
This does not work in 5.0.x out of the box, but it works in 6.0.
What is the Global Catalog? Why does it matter?
The Global Catalog is essentially a "proxy server" for Active Directory that hides much of the complexity of an Active Directory data infrastructure from the clients that interact with it. For a complete definition, please reference What Is the Global Catalog: Active Directory.
Most AD implementations take advantage of the Global Catalog. Because the GC contains references to all objects in an AD forest, it is far preferable to have Jive bind to the GC than to the standard LDAP interface. This avoids a very common referral problem described in Active Directory Referral Timeouts (Jive Community). Usually binding to the Global Catalog is as straightforward as connecting to a domain controller on port 3268. Most AD admins should know exactly how to do this; if your contact doesn't know about the GC, it might be a sign that you need to help the customer find the right person to speak with.
Can Jive connect to more than one AD forest?
No, not directly. Fronting multiple directories with a virtual directory and connecting Jive to that is an option, albeit a challenging one to implement.
Can Jive connect to more than one AD domain?
Yes, Jive is forest-aware. For example, if a company has three sub-domains, ams.worldcorp.com, eur.worldcorp.com and pac.worldcorp.com, the base DN on the first LDAP configuration page would be "dc=worldcorp,dc=com". Be sure to connect to the Global Catalog.
How do I troubleshoot an LDAP configuration?
Turn on the logging:
- TRACE: com.jivesoftware.community.aaa.JiveLdapAuthenticationProvider
- DEBUG: com.jivesoftware.base.ldap
- DEBUG: org.springframework.security.ldap.authentication
- DEBUG: org.springframework.security.ldap.search
- DEBUG: org.springframework.security.ldap.SpringSecurityLdapTemplate
Use a tool such as OpenLDAP to validate connection properties. When installed on the web app host, it provides several command-line utilities, including ldapsearch, which can be used to validate the base DN, relative DNs, connection properties, and search filters.
Something may also be gleaned from the TCP traffic on the web app host with tcpdump (e.g. tcpdump -X -i any dst port 389).
Why is LDAP authentication still not working?
Common causes include:
- There's more than one account in the directory with the same username. (The debug output in the application log will indicate this.)
- The account in the directory does not have an email attribute. (The default AD user search filter, (&(sAMAccountName={0})(mail=*)), filters out directory accounts without an email attribute.)
Notable LDAP configuration points
Lazy Loading and Jive 6 (pre 6.0.2)
In Jive 5 and 6 you can toggle, using a system property, whether group members are lazy-loaded into the Jive system. If lazy loading is turned off and a user logs in, syncing that user's groups also pulls in all other users who are members of those groups. It is highly suggested that you don't change this, but the option exists so that people who want to pull in all users before going live can do so.
Note that in Jive 6.0.0 and 6.0.1 there is a bug where this property is turned off by default and the system property to toggle it does not change anything. This bug was fixed in 6.0.2, and a fix pack has been created to address the issue.
Default Read Timeout Change for Jive 6
In Jive 6 the engineering team set the default read timeout to 5000 ms. This means that if a read from the LDAP system takes more than 5 seconds, the system times that read out and moves on. In some cases, for example if a user has 200 permission groups to sync, this would time out and the user would not sync.
To resolve this, either increase the timeout or set it to 0, which means a read never times out. To do this, set the ldap.read.timeout system property (in milliseconds).