Openfire can be configured to use a variety of external sources for authentication, users and groups. This is useful when your users already have accounts in an external system, and you do not wish to duplicate those accounts. More information on this subjct is available in the the Custom Database Integration Guide, as well as the LDAP guide.
This document takes the concept one step further, and provides instructions on how to configure Openfire to obtain it's users from multiple backend systems. Specifically, this document describes how Openfire can be configured to get its administrative users from Openfire's internal database, while obtaining all other users from an external system. This is a configuration that will prevent administrators from loosing access to Openfire when the external system is unavailable.
The integration requires that you configure Openfire to use an User Provider and an Authentication Provider that, based on a particular characteristic of a user, use different providers to perform the actual operations. Providers that delegate responsibility in this manner are referred to as mapped providers.
A mapped provider is configured with a Mapper. The Mapper will determine which secondary provider to use for a particular user. For the purpose of differentiating between administrative users and non-administrative users, Openfire provides Authorization Based Mappers, specifically:
Both Mappers are configured with exactly two Providers: a provider for administrative, and one for regular usage. In total, that makes for four Providers: two authentication providers, and two user providers.
In order to configure your server to integrate with your custom database tables:
A third set of providers is added, that will act as a proxy: it determines for each request which of the two sets of providers mentioned above should be used. This latter set is used as the primary set of providers by Openfire.
In order to configure your server:
The following lists each component that needs configuration:
Instead of the default authentication provider, Openfire must be configured to use the MappedAuthProvider. This is achieved by configuring the following setting in the conf/openfire.xml file:
The Mapped Authentication Provider itself requires another settings, which tells it what Mapper is to be used. The Mapper that distinguishes between administrative and non-administartive users is AuthorizationBasedAuthProviderMapper, and is configured in by the following setting:
Finally, the Mapper needs configuration to define what secondary provider is to be used for each type of user:
Note that each of the providers can require further configuration! The Default providers do not, but the JDBC-based providers, for instance, require configuration as documented in the Custom Database Integration Guide.
Similar to the authentiation providers above, Openfire must be configured to use the MappedUserProvider instead of the default user provider. This is achieved by configuring the following setting in the conf/openfire.xml file:
The Mapped User Provider itself requires another settings, which tells it what Mapper is to be used. The Mapper that distinguishes between administrative and non-administartive users is AuthorizationBasedUserProviderMapper, and is configured in by the following setting:
Finally, the Mapper needs configuration to define what secondary provider is to be used for each type of user:
Note that each of the providers can require further configuration! The Default providers do not, but the JDBC-based providers, for instance, require configuration as documented in the Custom Database Integration Guide.
Below is a sample config file section that combines the settings as described above (note: the "..." sections in the examples indicate areas where the rest of the config file would exist).
First, Openfire is configured to use the Mapped providers:
<jive> ... <provider> <auth> <className>org.jivesoftware.openfire.auth.MappedAuthProvider</className> </auth> <user> <className>org.jivesoftware.openfire.user.MappedUserProvider</className> </user> </provider> ... </jive>
Next, each MappedProvider is configured with a Mapper:
<jive> ... <mappedAuthProvider> <mapper> <className>org.jivesoftware.openfire.auth.AuthorizationBasedAuthProviderMapper</className> </mapper> </mappedAuthProvider> <mappedUserProvider> <mapper> <className>org.jivesoftware.openfire.user.AuthorizationBasedUserProviderMapper</className> </mapper> </mappedUserProvider> ... </jive>
Each of the Mappers is told what provider to user for administrative and regular users:
<jive> ... <authorizationBasedAuthMapper> <adminProvider> <className>org.jivesoftware.openfire.auth.DefaultAuthProvider</className> </adminProvider> <userProvider> <className>org.jivesoftware.openfire.auth.JDBCAuthProvider</className> </userProvider> </authorizationBasedAuthMapper> <authorizationBasedUserMapper> <adminProvider> <className>org.jivesoftware.openfire.user.DefaultUserProvider</className> </adminProvider> <userProvider> <className>org.jivesoftware.openfire.user.JDBCUserProvider</className> </userProvider> </authorizationBasedUserMapper> ... </jive>
And finally, each of the secondary providers that are used are to be configured. In this example, Default and JDBC providers are used. The former requires no further configuration. The configuration from the JDBC providers as used here is taken from the Custom Database Integration Guide. Please refer to that guide for more information.
<jive> ... <provider> <auth> <className>org.jivesoftware.openfire.auth.JDBCAuthProvider</className> </auth> <user> <className>org.jivesoftware.openfire.user.JDBCUserProvider</className> </user> </provider> <jdbcAuthProvider> <passwordSQL>SELECT password FROM user_account WHERE username=?</passwordSQL> <passwordType>plain</passwordType> </jdbcAuthProvider> <jdbcUserProvider> <loadUserSQL>SELECT name,email FROM myUser WHERE username=?</loadUserSQL> <userCountSQL>SELECT COUNT(*) FROM myUser</userCountSQL> <allUsersSQL>SELECT username FROM myUser</allUsersSQL> <searchSQL>SELECT username FROM myUser WHERE</searchSQL> <usernameField>username</usernameField> <nameField>name</nameField> <emailField>email</emailField> </jdbcUserProvider> ... </jive>