Openfire Logo

Separating Administrative Users Guide

Introduction

Openfire can be configured to use a variety of external sources for authentication, users and groups. This is useful when your users already have accounts in an external system, and you do not wish to duplicate those accounts. More information on this subject is available in the the Custom Database Integration Guide, as well as the LDAP guide.

This document takes the concept one step further, and provides instructions on how to configure Openfire to obtain its users from multiple backend systems. Specifically, this document describes how Openfire can be configured to get its administrative users from Openfire's internal database, while obtaining all other users from an external system. This is a configuration that will prevent administrators from loosing access to Openfire when the external system is unavailable.

Topics that are covered in this document:

Mapped providers

The integration requires that you configure Openfire to use an User Provider and an Authentication Provider that, based on a particular characteristic of a user, use different providers to perform the actual operations. Providers that delegate responsibility in this manner are referred to as mapped providers.

A mapped provider is configured with a Mapper. The Mapper will determine which secondary provider to use for a particular user. For the purpose of differentiating between administrative users and non-administrative users, Openfire provides Authorization Based Mappers, specifically:

Both Mappers are configured with exactly two Providers: a provider for administrative, and one for regular usage. In total, that makes for four Providers: two authentication providers, and two user providers.

Configuration

In order to configure your server to integrate with your custom database tables:

A third set of providers is added, that will act as a proxy: it determines for each request which of the two sets of providers mentioned above should be used. This latter set is used as the primary set of providers by Openfire.

In order to configure your server:

  1. Stop Openfire.
  2. Edit conf/openfire.xml in your Openfire installation folder as described below using your favorite editor.
  3. Restart Openfire.

The following lists each component that needs configuration:

Authentication Providers

Instead of the default authentication provider, Openfire must be configured to use the MappedAuthProvider. This is achieved by configuring the following setting in the conf/openfire.xml file:

  • provider.auth.className -- set the value to org.jivesoftware.openfire.auth.MappedAuthProvider

The Mapped Authentication Provider itself requires another settings, which tells it what Mapper is to be used. The Mapper that distinguishes between administrative and non-administartive users is AuthorizationBasedAuthProviderMapper, and is configured in by the following setting:

  • mappedAuthProvider.mapper.className -- set the value to org.jivesoftware.openfire.auth.AuthorizationBasedAuthProviderMapper

Finally, the Mapper needs configuration to define what secondary provider is to be used for each type of user:

  • authorizationBasedAuthMapper.adminProvider.className -- used for administrative users, typically: org.jivesoftware.openfire.auth.DefaultAuthProvider
  • authorizationBasedAuthMapper.userProvider.className -- used for regular users, for example org.jivesoftware.openfire.auth.JDBCAuthProvider

Note that each of the providers can require further configuration! The Default providers do not, but the JDBC-based providers, for instance, require configuration as documented in the Custom Database Integration Guide.

User Providers

Similar to the authentiation providers above, Openfire must be configured to use the MappedUserProvider instead of the default user provider. This is achieved by configuring the following setting in the conf/openfire.xml file:

  • provider.user.className -- set the value to org.jivesoftware.openfire.user.MappedUserProvider

The Mapped User Provider itself requires another settings, which tells it what Mapper is to be used. The Mapper that distinguishes between administrative and non-administartive users is AuthorizationBasedUserProviderMapper, and is configured in by the following setting:

  • mappedUserProvider.mapper.className -- set the value to org.jivesoftware.openfire.user.AuthorizationBasedUserProviderMapper

Finally, the Mapper needs configuration to define what secondary provider is to be used for each type of user:

  • authorizationBasedUserMapper.adminProvider.className -- used for administrative users, typically: org.jivesoftware.openfire.user.DefaultUserProvider
  • authorizationBasedUserMapper.userProvider.className -- used for regular users, for example org.jivesoftware.openfire.user.JDBCUserProvider

Note that each of the providers can require further configuration! The Default providers do not, but the JDBC-based providers, for instance, require configuration as documented in the Custom Database Integration Guide.

Example Configuration

Below is a sample config file section that combines the settings as described above (note: the "..." sections in the examples indicate areas where the rest of the config file would exist).

First, Openfire is configured to use the Mapped providers:

openfire.xml configuration: enable 'Mapped Providers'
<jive>
    ...
    <provider>
        <auth>
            <className>org.jivesoftware.openfire.auth.MappedAuthProvider</className>
        </auth>
        <user>
            <className>org.jivesoftware.openfire.user.MappedUserProvider</className>
        </user>
    </provider>
    ...
</jive>

Next, each MappedProvider is configured with a Mapper:

openfire.xml configuration: adding Mappers to each provider
<jive>
    ...
    <mappedAuthProvider>
        <mapper>
            <className>org.jivesoftware.openfire.auth.AuthorizationBasedAuthProviderMapper</className>
        </mapper>
    </mappedAuthProvider>
    <mappedUserProvider>
        <mapper>
            <className>org.jivesoftware.openfire.user.AuthorizationBasedUserProviderMapper</className>
        </mapper>
    </mappedUserProvider>
    ...
</jive>

Each of the Mappers is told what provider to user for administrative and regular users:

openfire.xml configuration: adding Providers to each Mapper
<jive>
    ...
    <authorizationBasedAuthMapper>
        <adminProvider>
            <className>org.jivesoftware.openfire.auth.DefaultAuthProvider</className>
        </adminProvider>
        <userProvider>
            <className>org.jivesoftware.openfire.auth.JDBCAuthProvider</className>
        </userProvider>
    </authorizationBasedAuthMapper>
    <authorizationBasedUserMapper>
        <adminProvider>
            <className>org.jivesoftware.openfire.user.DefaultUserProvider</className>
        </adminProvider>
        <userProvider>
            <className>org.jivesoftware.openfire.user.JDBCUserProvider</className>
        </userProvider>
    </authorizationBasedUserMapper>
    ...
</jive>

And finally, each of the secondary providers that are used are to be configured. In this example, Default and JDBC providers are used. The former requires no further configuration. The configuration from the JDBC providers as used here is taken from the Custom Database Integration Guide. Please refer to that guide for more information.

openfire.xml configuration: adding Secondary Providers
<jive>
    ...
    <provider>
        <auth>
            <className>org.jivesoftware.openfire.auth.JDBCAuthProvider</className>
        </auth>
        <user>
            <className>org.jivesoftware.openfire.user.JDBCUserProvider</className>
        </user>
    </provider>
    <jdbcAuthProvider>
        <passwordSQL>SELECT password FROM user_account WHERE username=?</passwordSQL>
        <passwordType>plain</passwordType>
    </jdbcAuthProvider>
    <jdbcUserProvider>
        <loadUserSQL>SELECT name,email FROM myUser WHERE username=?</loadUserSQL>
        <userCountSQL>SELECT COUNT(*) FROM myUser</userCountSQL>
        <allUsersSQL>SELECT username FROM myUser</allUsersSQL>
        <searchSQL>SELECT username FROM myUser WHERE</searchSQL>
        <usernameField>username</usernameField>
        <nameField>name</nameField>
        <emailField>email</emailField>
    </jdbcUserProvider>
    ...
</jive>