Openfire
What is Wildfire?
Wildfire is an enterprise instant messaging (EIM) server dual-licensed under the Open Source GPL and commercially. It uses the leading open protocol for instant messaging, XMPP (also called Jabber). Wildfire is incredibly easy to set up and administer, but offers rock-solid security and performance.
From: http://www.jivesoftware.org/wildfire/
Wildfire is another Jabber server. According to http://www.jabber.org/software/servers.shtml it is the most feature-full one enabled. It is also very pretty, easy to set up (bar a few 'gotchas') and comfortable to use. However the documentation is lacking and the help forums are horrible - flooded with Windows and AD info, with the general level of intelligence that implies.
Pre-requisites
Java: Necessary
You must have a java-1.5 environment set up and working properly (I used sun-jdk-1.5.0_08).
Database: Optional
The embedded database works fine for a small (~50 users) local install, but if you have a large number of users or wish to make it public you should probably go for MySQL (or Postgres, Oracle, etc. if you prefer). Make sure your DB is set up and working with jdbc.
LDAP: Optional
To authenticate against LDAP make sure it is set up and working. No special setup is needed initially; we will add attributes later. I'll assume you have a working knowledge of LDAP schema syntax.
Install
Wildfire 3.1.0 is now in portage, albeit masked. Works fine for me. Unmask it and run:
# emerge -vat wildfire
Prepare Database
If you are going to use the embedded database skip this step.
MySQL
Create the database for Wildfire:
# mysqladmin -u root -p create wildfire
Import the proper tables:
# cat /opt/wildfire/resources/database/wildfire_mysql.sql | mysql -u root -p wildfire;
Add a user account for the database:
# mysql -u root -p wildfire
mysql> GRANT ALL PRIVILEGES ON wildfire.* TO jabber@localhost IDENTIFIED BY 'passwd';
mysql> exit
Other Databases
I don't use them, check out http://www.jivesoftware.org/builds/wildfire/docs/latest/documentation/database.html
Configure Wildfire
First you need to copy the sample config file to the actual file:
# cd /opt/wildfire/conf
# cp wildfire.xml.sample wildfire.xml
# chown jabber:jabber wildfire.xml
Now start up the server:
# /etc/init.d/wildfire start
And then go to the web setup wizard at http://host.domain.net:9090
Language
Choose your preferred language
Server Settings
Domain: For a LAN installation just the hostname is sufficient, and has the benefit of making all users' Jabber IDs much shorter (user@hostname). For a public or internet-routable server enter the FQDN, which makes the Jabber IDs user@hostname.domain.net
Admin Console Port / Secure Admin Console Port: Leave as default unless you have a good reason not to.
Database Settings
Embedded Database: Just select this option and the DB is set up.
Standard Database Connection: Choose this option to set up an external database
Database Driver Presets: Pick your database type
JDBC Driver Class: Should be automatically filled in depending on your DB selection. If you have a non-standard install and need to change it you should know the value
Database URL: Will be mainly automatically filled in, edit hostname and databasename fields to suit.
MySQL example: jdbc:mysql://hostname:3306/wildfire
Username / Password: Fill in as per settings earlier for the jabber DB user. If you get a connection error try to use the mysql root user to narrow down the issue.
Profile Settings
Default: Store users in the wildfire DB.
Directory Server (LDAP): Integrate into your LDAP directory
LDAP Settings
Server Type: OpenLDAP
Host: hostname.domain.net
Port: Default is 389. ldaps uses 636
Base DN: dc=domain,dc=net
Administrator DN: cn=Manager,dc=domain,dc=net (this can be a different user, as long as it has read permissions to the directory)
Advanced Settings: Enable SSL for ldaps. Other options up to you.
I hit a problem at this point using ldaps. It appears it tried to use port 636 but didn't actually enable SSL to test the connection. If this is a problem just use port 389 and change it in the config file later.
User and Group Mapping: These pages depend entirely on your own LDAP schema. If you have not modified the default Openldap schemas the default options here should work. If you have changed the schema you should know what fields you used.
User Mapping:
The only important one to get right straight off is the Username field (default uid). If this works you can confirm LDAP connectivity and sort out problems later.
Group Mapping:
Member Field will likely need to be changed to memberUid.
Switch Posix Mode to On
Add Administrator
Add a user that is in your ldap directory as an administrator.
Now it is set up and you should be able to log in to the Admin Console.
Troubleshooting
If you can't log in to the Admin console edit /opt/wildfire/conf/wildfire.xml
Double-check all your LDAP <baseDN> and <adminDN> settings. Simple typos ( . instead of , ) will break it.
Ensure your user can actually log in using LDAP authentication elsewhere.
Ensure the <usernameField> value exists in your schema.
Ensure you can connect to the LDAP host and that your port setting is correct.
If you had problems with enabling ldaps during the wizard setup now you can also change the <port> value to 636 and <sslEnabled> to true.
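The checks in this list can be run mechanically against the `<ldap>` section before restarting the server. The following is an added example, not part of the original page or of Wildfire; the sample XML is constructed with two deliberate mistakes, and the `debugEnabled` finding is an extra hygiene check beyond the list above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's <ldap> layout with a '.' instead of ','
# in baseDN and port 636 configured without sslEnabled.
SAMPLE = """<jive>
  <ldap>
    <host>jabber.domain.net</host>
    <port>636</port>
    <baseDN>dc=domain.dc=net</baseDN>
    <adminDN>cn=Manager,dc=domain,dc=net</adminDN>
    <sslEnabled>false</sslEnabled>
    <debugEnabled>true</debugEnabled>
    <usernameField>uid</usernameField>
  </ldap>
</jive>"""

# One DN component is attr=value; a second '=' means a ',' is missing.
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^=,]+$")

def dn_ok(dn):
    """True if every comma-separated component looks like attr=value."""
    return all(RDN.match(part.strip()) for part in dn.split(","))

def check_ldap_config(xml_text):
    """Return a list of findings for the <ldap> section of wildfire.xml."""
    ldap = ET.fromstring(xml_text).find("ldap")
    if ldap is None:
        return ["no <ldap> section found"]

    def get(tag):
        return (ldap.findtext(tag) or "").strip()

    findings = []
    for tag in ("baseDN", "adminDN"):
        if not dn_ok(get(tag)):
            findings.append(f"{tag}: malformed DN {get(tag)!r}")
    if get("port") == "636" and get("sslEnabled").lower() != "true":
        findings.append("port is 636 but sslEnabled is not true")
    if not get("usernameField"):
        findings.append("usernameField is empty")
    if get("debugEnabled").lower() == "true":
        findings.append("debugEnabled is true; turn it off once LDAP works")
    return findings

if __name__ == "__main__":
    for finding in check_ldap_config(SAMPLE):
        print(finding)
```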
Confirmation
Now you should log in to your Admin console at https://hostname.domain.net:9091 . On the Users/Groups tab you should now see all your LDAP users and groups listed. You can use your favourite client to connect to the server using your ldap password (don't try to 'register new account', it will fail). Remember the syntax is ldapusername@jabberdomainvalue
LDAP Filtering
It is quite likely you will not want to give every user in your directory a jabber account. You can use the <searchFilter> and <groupSearchFilter> options to limit the users that get accounts. One way is to give every jabber user an objectClass attribute of jabber. Or you can create any attribute you want. The syntax is:
<searchFilter><![CDATA[(&(objectClass=person)(objectClass=jabber))]]></searchFilter>
This will only give accounts to users who have the objectClass=jabber attribute in their entry.
<groupSearchFilter><![CDATA[(&(objectClass=group)(objectClass=jabber))]]></groupSearchFilter>
This will do the same for groups. You can filter on any attributes contained within your schema.
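To see which entries a filter would actually admit before putting it in wildfire.xml, the filter can be evaluated offline. This is an added example, not code from the original page or from Wildfire: it handles only the `&`, `|`, `!`, equality and presence (`attr=*`) forms, and the directory entries are constructed.

```python
# Constructed directory entries: attribute name -> list of values.
DIRECTORY = {
    "alice": {"objectClass": ["person", "jabber"], "uid": ["alice"]},
    "bob": {"objectClass": ["person"], "uid": ["bob"]},
    "backup": {"objectClass": ["account", "jabber"], "uid": ["backup"]},
}
USER_FILTER = "(&(objectClass=person)(objectClass=jabber))"  # from the page

def parse(s, i=0):
    """Parse one filter starting at s[i]; return (node, next_index)."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i, kids = s[i], i + 1, []
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if not kids:
            raise ValueError(f"operator {op!r} has no operands")
        node = (op, kids)
    else:
        end = s.find(")", i)
        attr, sep, value = s[i:end].partition("=")
        if end == -1 or not sep or not attr:
            raise ValueError(f"expected (attr=value) at offset {i}")
        node, i = ("=", attr.lower(), value.lower()), end
    if s[i:i + 1] != ")":
        raise ValueError(f"missing ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter; names and values compare case-insensitively."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, want = node
    have = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(have) if want == "*" else want in have

def accounts(filter_text, directory):
    """Names of the entries that the filter would turn into Jabber accounts."""
    node, end = parse(filter_text.strip())
    if end != len(filter_text.strip()):
        raise ValueError("trailing characters after filter")
    return sorted(n for n, e in directory.items() if matches(node, e))
```

With the page's filter only `alice` qualifies: `bob` lacks the jabber objectClass and `backup` is not a person, so a service entry tagged jabber does not get an account.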
Automatically Populate Groups
Look at your wildfire.xml file and find the <groupMemberField> tag.
<groupMemberField>memberUid</groupMemberField>
Any group included in the <groupSearchFilter> should be populated with memberUid entries. Wildfire will then recognise the group membership, enabling you to have shared contact lists, permissions and other management goodies.
SSL Setup
SSL will work by default with Wildfire's own self-signed certificates. If you would like to generate your own, get a CA-signed certificate or import an existing one, check out this document: http://www.jivesoftware.org/builds/wildfire/docs/latest/documentation/ssl-guide.html
Example Config
This is a scrubbed working config using the integrated database:
File: /opt/wildfire/conf/wildfire.xml
<?xml version="1.0" encoding="UTF-8"?>
<jive>
  <adminConsole>
    <!-- Disable either port by setting the value to -1 -->
    <port>9090</port>
    <securePort>9091</securePort>
  </adminConsole>
  <admin>
    <authorizedUsernames>myuser</authorizedUsernames>
  </admin>
  <locale>en</locale>
  <connectionProvider>
    <className>org.jivesoftware.database.EmbeddedConnectionProvider</className>
  </connectionProvider>
  <ldap>
    <host>jabber.domain.net</host>
    <port>636</port>
    <baseDN>dc=domain,dc=net</baseDN>
    <adminDN>cn=Manager,dc=domain,dc=net</adminDN>
    <adminPassword>secret</adminPassword>
    <connectionPoolEnabled>true</connectionPoolEnabled>
    <sslEnabled>true</sslEnabled>
    <debugEnabled>true</debugEnabled>
    <autoFollowReferrals>false</autoFollowReferrals>
    <usernameField>uid</usernameField>
    <searchFilter><![CDATA[(&(objectClass=person)(phpgwAccountType=u))]]></searchFilter>
    <vcard-mapping><![CDATA[
      <vCard xmlns="vcard-temp">
        <N>
          <GIVEN>{cn}</GIVEN>
        </N>
        <EMAIL>
          <INTERNET/>
          <USERID>{mail}</USERID>
        </EMAIL>
        <FN>{cn}</FN>
        <NICKNAME>{uid}</NICKNAME>
        <ADR>
          <HOME/>
        </ADR>
        <ADR>
          <WORK/>
        </ADR>
      </vCard>]]></vcard-mapping>
    <nameField>cn</nameField>
    <emailField>mail</emailField>
    <groupNameField>cn</groupNameField>
    <groupSearchFilter><![CDATA[(&(objectClass=phpgwAccount)(phpgwAccountType=g))]]></groupSearchFilter>
    <clientSideSorting>true</clientSideSorting>
    <groupMemberField>memberUid</groupMemberField>
    <groupDescriptionField>description</groupDescriptionField>
    <posixMode>true</posixMode>
  </ldap>
  <provider>
    <vcard>
      <className>org.jivesoftware.wildfire.ldap.LdapVCardProvider</className>
    </vcard>
    <user>
      <className>org.jivesoftware.wildfire.ldap.LdapUserProvider</className>
    </user>
    <auth>
      <className>org.jivesoftware.wildfire.ldap.LdapAuthProvider</className>
    </auth>
    <group>
      <className>org.jivesoftware.wildfire.ldap.LdapGroupProvider</className>
    </group>
  </provider>
  <setup>true</setup>
</jive>
Clients
If you are authenticating via LDAP ensure "Allow Plaintext Login" is set on the clients. Kopete had it turned on by default, Psi didn't and I was very grumpy for about 10 minutes until I figured it out.
That should get you up and working with an LDAP integrated Jabber server that supports just about every feature I can think of. If you need further clarification please ask here.
