Overview

You can use LDAP (Lightweight Directory Access Protocol) to store data related to users. By default, Jive Forums stores all user data in a database and performs authentication using database lookups. When you use LDAP, you replace that functionality so that Jive Forums can:

This document will guide you through setting up Jive Forums to use LDAP. These instructions assume that you're a competent LDAP user and that you're familiar with Jive Forums setup issues. The iPlanet Directory Server 5.0 LDAP server was used for development and testing, but any LDAP-compliant server should also work.

Configuring for LDAP During Setup

You use the setup tool to configure Jive Forums' use of LDAP. If you've already completed the setup process and need to use the tool again to configure LDAP, you should:

  1. Stop your application server.
  2. Edit jiveHome/jive_startup.xml and delete the <setup>true</setup> line.
  3. Restart your application server and go to the setup tool in your browser.

Once you've entered the setup tool and are on the second setup step, choose LDAP as the authentication and user mode.

LDAP Setup

Next, you'll be taken to a page to configure the LDAP settings for your server. Here's a summary of the settings, their descriptions and default values (if any):

Note: Some of these are required and must have values.

LDAP Host (Required)
    Description: LDAP server host; for example, localhost or machine.example.com.
    Default Value: none

LDAP Port
    Description: LDAP server port number.
    Default Value: 389

SSL Enabled
    Description: Enable SSL connections to your LDAP server. If you enable SSL connections, the LDAP server port number most likely should be changed to 636. Note: SASL authentication is not supported.
    Default Value: No

Base DN (Required)
    Description: The starting distinguished name (DN) with which to perform searches for users. The entire subtree under the base DN will be searched for user accounts.
    Default Value: none

Admin DN (Required)
    Description: A directory administrator's DN. All directory operations will be performed with this account. For normal usage of the module, the admin should have full administrative controls over the directory.
    Default Value: none

Admin Password
    Description: The directory administrator password.
    Default Value: none

Username Field
    Description: The field name on which to perform username lookups.
    Default Value: uid

Name Field
    Description: The field name that holds the user's name.
    Default Value: cn

Email Field
    Description: The field name that holds the user's email address.
    Default Value: mail

Group integration

If you want, you can configure the LDAP module to load group information from your LDAP directory. Group integration requires setting system properties (Admin Console -> System -> System Properties), as described below:

Debugging

You can get verbose debugging information from Jive Forums. The Jive Forums LDAP module has a fair number of debug messages available. To enable them, turn on debug messages via the Log viewer in the admin console (you'll need to restart the appserver for this to take effect). In the console, click System > Logs > Debug tab, then click Enabled for the debug log.

Try to run this only in a debug or test environment because the potentially large number of messages generated might impact performance.

Once debug messages are enabled, watch the jive.debug.log (visible on the tab where you enabled debug messages); it should list the steps it's going through to load users and authenticate them, as well as any errors it encounters.

Custom Initial Context Factory

Some LDAP servers or application servers may require that a different LDAP initial context factory be used rather than the default (com.sun.jndi.ldap.LdapCtxFactory). You can set a custom initial context factory by adding the following to jive_startup.xml:

<ldap>
    ... other ldap settings here 
    <initialContextFactory>com.foo.factoryClass</initialContextFactory>
</ldap>

Connection Pooling

The default LDAP provider (Sun's) supports pooling of connections to the LDAP server. Connection pooling can greatly improve performance, especially on systems with high load. Connection pooling is enabled by default, but can be disabled by setting the Jive property ldap.connectionPoolEnabled to false:

<ldap>
    ... other ldap settings here 
    <connectionPoolEnabled>false</connectionPoolEnabled>
</ldap>

You can set several Java system properties to change the default pool settings. For more information, see the following pages:

Note that if you turn on LDAP debugging, connection pooling will not be enabled. If SSL LDAP mode is enabled, you must set a system property to enable pooling of SSL LDAP connections.
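The following is an added example, not Jive Forums code, showing with plain JNDI what the LDAP settings above and the pooling notes amount to: bind with the Admin DN, search the whole subtree under the Base DN on the Username Field, then re-bind as the matched user's own DN. The host, Base DN, Admin DN, the LDAP_ADMIN_PASSWORD environment variable and the class name are hypothetical; the com.sun.jndi.ldap.connect.pool and com.sun.jndi.ldap.connect.pool.protocol property names are the Sun provider's own.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
// Hypothetical values standing in for the LDAP setup fields; the admin password comes from the environment.
public class LdapAuthCheck {
    static final String BASE_DN = "ou=people,dc=example,dc=com", ADMIN_DN = "cn=Directory Manager";
    static final String ADMIN_PASSWORD = System.getenv("LDAP_ADMIN_PASSWORD");
    static final String URL = "ldaps://ldap.example.com:636";   // SSL Enabled = Yes, so port 636
    static final String USERNAME_FIELD = "uid";                 // the "Username Field" setting
    static Hashtable<String, String> baseEnv() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); // the default factory
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // Sun provider connection pooling. For ldaps:// the JVM must also be started with
        // -Dcom.sun.jndi.ldap.connect.pool.protocol="plain ssl"; by default only plain connections are pooled.
        env.put("com.sun.jndi.ldap.connect.pool", "true");
        return env;
    }
    // RFC 4515 escaping so a submitted username cannot alter the structure of the search filter.
    static String escapeFilter(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            if (c == '\\') sb.append("\\5c"); else if (c == '*') sb.append("\\2a");
            else if (c == '(') sb.append("\\28"); else if (c == ')') sb.append("\\29");
            else if (c == '\0') sb.append("\\00"); else sb.append(c);
        }
        return sb.toString();
    }
    static boolean authenticate(String username, String password) throws NamingException {
        if (password == null || password.isEmpty()) return false; // an empty password is an anonymous bind, not a login
        Hashtable<String, String> env = baseEnv();
        env.put(Context.SECURITY_PRINCIPAL, ADMIN_DN);           // 1. bind with the Admin DN
        env.put(Context.SECURITY_CREDENTIALS, ADMIN_PASSWORD);
        DirContext ctx = new InitialDirContext(env); String userDn;
        try {                                                    // 2. search the whole subtree under Base DN
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> hits =
                ctx.search(BASE_DN, "(" + USERNAME_FIELD + "=" + escapeFilter(username) + ")", sc);
            if (!hits.hasMore()) return false;                   // unknown user
            userDn = hits.next().getNameInNamespace();
            if (hits.hasMore()) return false;                    // ambiguous match: refuse rather than guess
        } finally { ctx.close(); }
        env.put(Context.SECURITY_PRINCIPAL, userDn);             // 3. re-bind as the user's own DN with the password
        env.put(Context.SECURITY_CREDENTIALS, password);
        try { new InitialDirContext(env).close(); return true; }
        catch (AuthenticationException e) { return false; }
    }
}
```

With LDAP debugging turned on, the pool property above has no effect, matching the note about debugging disabling pooling; the search-then-bind sequence is what you should see logged in jive.debug.log.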