Separating Administrative Users Guide
Introduction
Openfire can be configured to use a variety of external sources for authentication, users and groups. This is useful when your users already have accounts in an external system, and you do not wish to duplicate those accounts. More information on this subject is available in the the Custom Database Integration Guide, as well as the LDAP guide.
This document takes the concept one step further, and provides instructions on how to configure Openfire to obtain its users from multiple backend systems. Specifically, this document describes how Openfire can be configured to get its administrative users from Openfire's internal database, while obtaining all other users from an external system. This is a configuration that will prevent administrators from loosing access to Openfire when the external system is unavailable.
Topics that are covered in this document:
Mapped providers
The integration requires that you configure Openfire to use an User Provider and an Authentication Provider that, based on a particular characteristic of a user, use different providers to perform the actual operations. Providers that delegate responsibility in this manner are referred to as mapped providers.
A mapped provider is configured with a Mapper. The Mapper will determine which secondary provider to use for a particular user. For the purpose of differentiating between administrative users and non-administrative users, Openfire provides Authorization Based Mappers, specifically:
org.jivesoftware.openfire.auth.AuthorizationBasedAuthProviderMapper
-- for a mapped authentication providerorg.jivesoftware.openfire.user.AuthorizationBasedUserProviderMapper
-- for a mapped user provider
Both Mappers are configured with exactly two Providers: a provider for administrative, and one for regular usage. In total, that makes for four Providers: two authentication providers, and two user providers.
Configuration
In order to configure your server to integrate with your custom database tables:
- an user provider and an authentication provider for the administrative users
- an user provider and an authentication provider for the regular users
A third set of providers is added, that will act as a proxy: it determines for each request which of the two sets of providers mentioned above should be used. This latter set is used as the primary set of providers by Openfire.
In order to configure your server:
- Stop Openfire.
- Edit
conf/openfire.xml
in your Openfire installation folder as described below using your favorite editor. - Restart Openfire.
The following lists each component that needs configuration:
Authentication Providers
Instead of the default authentication provider, Openfire must be configured to use the MappedAuthProvider
.
This is achieved by configuring the following setting in the conf/openfire.xml
file:
- provider.auth.className -- set the value to
org.jivesoftware.openfire.auth.MappedAuthProvider
The Mapped Authentication Provider itself requires another settings, which tells it what Mapper is to be used. The
Mapper that distinguishes between administrative and non-administartive users is AuthorizationBasedAuthProviderMapper
,
and is configured in by the following setting:
- mappedAuthProvider.mapper.className -- set the value to
org.jivesoftware.openfire.auth.AuthorizationBasedAuthProviderMapper
Finally, the Mapper needs configuration to define what secondary provider is to be used for each type of user:
- authorizationBasedAuthMapper.adminProvider.className -- used for administrative users, typically:
org.jivesoftware.openfire.auth.DefaultAuthProvider
- authorizationBasedAuthMapper.userProvider.className -- used for regular users, for example
org.jivesoftware.openfire.auth.JDBCAuthProvider
Note that each of the providers can require further configuration! The Default
providers do not, but the
JDBC-based providers, for instance, require configuration as documented in the
Custom Database Integration Guide.
User Providers
Similar to the authentiation providers above, Openfire must be configured to use the MappedUserProvider
instead of the default user provider. This is achieved by configuring the following setting in the
conf/openfire.xml
file:
- provider.user.className -- set the value to
org.jivesoftware.openfire.user.MappedUserProvider
The Mapped User Provider itself requires another settings, which tells it what Mapper is to be used. The Mapper
that distinguishes between administrative and non-administartive users is AuthorizationBasedUserProviderMapper
,
and is configured in by the following setting:
- mappedUserProvider.mapper.className -- set the value to
org.jivesoftware.openfire.user.AuthorizationBasedUserProviderMapper
Finally, the Mapper needs configuration to define what secondary provider is to be used for each type of user:
- authorizationBasedUserMapper.adminProvider.className -- used for administrative users, typically:
org.jivesoftware.openfire.user.DefaultUserProvider
- authorizationBasedUserMapper.userProvider.className -- used for regular users, for example
org.jivesoftware.openfire.user.JDBCUserProvider
Note that each of the providers can require further configuration! The Default
providers do not, but the
JDBC-based providers, for instance, require configuration as documented in the
Custom Database Integration Guide.
Example Configuration
Below is a sample config file section that combines the settings as described above (note: the "..." sections in the examples indicate areas where the rest of the config file would exist).
First, Openfire is configured to use the Mapped providers:
Next, each MappedProvider is configured with a Mapper:
Each of the Mappers is told what provider to user for administrative and regular users:
And finally, each of the secondary providers that are used are to be configured. In this example, Default
and JDBC
providers are used. The former requires no further configuration. The configuration from the
JDBC
providers as used here is taken from the Custom Database
Integration Guide. Please refer to that guide for more information.