KB Article #100995

How to set up Secure Messenger to work with more than one LDAP directory

Summary

The article contains instructions for setting up Secure Messenger to work with more than one LDAP directory. The procedure is tested and working.

Details

Follow the procedure below:

  1. Create an LDAP source and LDAP query for each LDAP directory you are going to use via the admin interface. Let's call them source1, query1 and source2, query2.
  2. Associate source1/query1 pairs with Secure Messenger enterprise users through the admin interface. This will give you the database entries to work from later on.
  3. Once you've done this, you need to go to the database and make some modifications to a few rows in the MessengerConfigValues table. Below you can find details about each row/value and what you should set them to:

    UserDirectory.Services
    This row defines the services that are consulted, in order, when looking for a user. It is a comma-separated list of service names; the rows that follow define what each named service actually does. The default value means: first use the Messenger service and, if the user is not found there, use the Enterprise service. With a single LDAP directory, the Enterprise service is the one that queries it. We are using two directories, so we introduce an Enterprise2 service as well. The default value is Messenger, Enterprise. The modified value is Messenger, Enterprise, Enterprise2.

    UserDirectory.Messenger.ProviderClass
    For each of the services defined in UserDirectory.Services, there must be a row defining which Java class performs the lookup and authentication for that service. This one is the default Secure Messenger internal username/password database, so we don't need to change it. The default value is com.tumbleweed.messenger.server.userdirectory.messenger.MessengerUserDirectory. The modified value is com.tumbleweed.messenger.server.userdirectory.messenger.MessengerUserDirectory.

    UserDirectory.Enterprise.ProviderClass
    This is the basic/first LDAP setup. We don't need to change this. The default value is com.tumbleweed.messenger.server.userdirectory.ldap.LDAPUserDirectory. The modified value is com.tumbleweed.messenger.server.userdirectory.ldap.LDAPUserDirectory.

    UserDirectory.Enterprise2.ProviderClass
    This is a new row we are adding to define that the Enterprise2 service will also use LDAP. There is no default value. The modified value is com.tumbleweed.messenger.server.userdirectory.ldap.LDAPUserDirectory.

    UserDirectory.Enterprise.LDAPSource
    Defines which of the LDAP sources is used to look up users for the Enterprise service. We don't need to modify this, assuming we set it in the admin interface. The default value is source1. The modified value is source1.

    UserDirectory.Enterprise.FilterQueryName
    Defines which of the LDAP queries is used for the Enterprise service. We don't need to modify this, assuming we set it in the admin interface. The default value is query1. The modified value is query1.

    UserDirectory.Enterprise2.LDAPSource
    Defines which of the LDAP sources is used to look up users for the Enterprise2 service. We need to add this row. There is no default value. The modified value is source2.

    UserDirectory.Enterprise2.FilterQueryName
    Defines which of the LDAP queries is used to look up users for the Enterprise2 service. We need to add this row. There is no default value. The modified value is query2.

  4. Open the login-config.xml file in the messengersdk\default\config directory and update it.
    • For versions of Secure Messenger up to 6.3:
      First, locate the following lines:
      <login-module code = "com.tumbleweed.messenger.server.security.jboss3.LdapLoginModule" flag = "sufficient">
      <module-option name = "userDirectoryName">Enterprise</module-option>
      </login-module>
      Then add below them the following:
      <login-module code = "com.tumbleweed.messenger.server.security.jboss3.LdapLoginModule" flag = "sufficient">
      <module-option name = "userDirectoryName">Enterprise2</module-option>
      </login-module>
    • For versions of Secure Messenger after 6.3:
      Locate the following lines:
      <!--
      Login module for authenticating users when resetting the password.
      This login module attempts to perform login for the user with the reset password PURL attributes
      -->
      <login-module code = "com.tumbleweed.messenger.server.security.jboss3.ResetPasswordLoginModule" flag = "sufficient">
      <module-option name = "dataSource">java:/DefaultDS</module-option>
      </login-module>
      Then add below them the following:
      <login-module code = "com.tumbleweed.messenger.server.security.jboss3.LdapLoginModule" flag = "sufficient">
      <module-option name = "userDirectoryName">Enterprise2</module-option>
      <module-option name = "dataSource">java:/DefaultDS</module-option>
      </login-module>
    This configures Secure Messenger to try to log the user in against the second LDAP directory as well as the first. The userDirectoryName value must match the service name used in the MessengerConfigValues rows exactly; a misspelling there means the second directory is never consulted.
  5. Run build deploy from the messengersdk\default directory.

This way Secure Messenger will be set up to work with more than one LDAP directory. Your Secure Messenger will now first look for a user in the Secure Messenger internal username/password database. If it doesn't find them there, it will look in the LDAP directory defined by source1/query1 and if it doesn't find them there it will go on to look in the second directory defined by source2/query2. In theory you can have as many directories as you like defined.
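As an added example (not part of this article and not Secure Messenger's own code), the following Python script models the MessengerConfigValues rows from step 3 as a name-to-value dictionary, parses the login-module entries from step 4 with the standard library, and checks that every service listed in UserDirectory.Services has its ProviderClass row, that every LDAP-backed service has LDAPSource and FilterQueryName rows, and that each LDAP-backed service has a matching LdapLoginModule entry in login-config.xml. It also simulates the lookup order described above over a constructed set of directories. Reading the rows as a simple name/value mapping, the wrapper elements around the login modules, and the sample users are all assumptions made for the example.

```python
"""Consistency check for a multi-LDAP Secure Messenger configuration.

Added example: it is not the KB article's or the product's own code.
Assumptions: the MessengerConfigValues rows are represented as a dict of
name -> value, and login-config.xml is well-formed XML whose login-module
elements can be found anywhere below the root.
"""
import xml.etree.ElementTree as ET

LDAP_CLASS = "com.tumbleweed.messenger.server.userdirectory.ldap.LDAPUserDirectory"
MESSENGER_CLASS = "com.tumbleweed.messenger.server.userdirectory.messenger.MessengerUserDirectory"
LDAP_LOGIN_MODULE = "com.tumbleweed.messenger.server.security.jboss3.LdapLoginModule"
RESET_LOGIN_MODULE = "com.tumbleweed.messenger.server.security.jboss3.ResetPasswordLoginModule"

# Constructed sample of the rows after step 3 (row name -> value).
CONFIG_ROWS = {
    "UserDirectory.Services": "Messenger, Enterprise, Enterprise2",
    "UserDirectory.Messenger.ProviderClass": MESSENGER_CLASS,
    "UserDirectory.Enterprise.ProviderClass": LDAP_CLASS,
    "UserDirectory.Enterprise2.ProviderClass": LDAP_CLASS,
    "UserDirectory.Enterprise.LDAPSource": "source1",
    "UserDirectory.Enterprise.FilterQueryName": "query1",
    "UserDirectory.Enterprise2.LDAPSource": "source2",
    "UserDirectory.Enterprise2.FilterQueryName": "query2",
}

# Constructed login-config.xml fragment (wrapper element is assumed). The
# misspelt "Enterpise2" is deliberate: it is the kind of slip this check catches.
LOGIN_CONFIG_XML = f"""<authentication>
  <login-module code = "{LDAP_LOGIN_MODULE}" flag = "sufficient">
    <module-option name = "userDirectoryName">Enterprise</module-option>
  </login-module>
  <login-module code = "{RESET_LOGIN_MODULE}" flag = "sufficient">
    <module-option name = "dataSource">java:/DefaultDS</module-option>
  </login-module>
  <login-module code = "{LDAP_LOGIN_MODULE}" flag = "sufficient">
    <module-option name = "userDirectoryName">Enterpise2</module-option>
    <module-option name = "dataSource">java:/DefaultDS</module-option>
  </login-module>
</authentication>"""

# Constructed sample of which users each directory knows about.
SAMPLE_DIRECTORIES = {
    "Messenger": {"alice"},
    "Enterprise": {"bob"},
    "Enterprise2": {"carol"},
}


def services(rows):
    """Service names from UserDirectory.Services, in lookup order."""
    return [s.strip() for s in rows.get("UserDirectory.Services", "").split(",") if s.strip()]


def ldap_services(rows):
    """Services whose ProviderClass row points at the LDAP provider."""
    return [s for s in services(rows) if rows.get(f"UserDirectory.{s}.ProviderClass") == LDAP_CLASS]


def ldap_modules(xml_text):
    """userDirectoryName values of every LdapLoginModule in login-config.xml."""
    names = []
    for module in ET.fromstring(xml_text).iter("login-module"):
        if module.get("code") != LDAP_LOGIN_MODULE:
            continue
        for option in module.findall("module-option"):
            if option.get("name") == "userDirectoryName":
                names.append((option.text or "").strip())
    return names


def check_config(rows, xml_text):
    """Return a list of problems; an empty list means the two halves agree."""
    problems = []
    for svc in services(rows):
        if f"UserDirectory.{svc}.ProviderClass" not in rows:
            problems.append(f"{svc}: missing ProviderClass row")
    for svc in ldap_services(rows):
        for key in ("LDAPSource", "FilterQueryName"):
            if not rows.get(f"UserDirectory.{svc}.{key}"):
                problems.append(f"{svc}: missing {key} row")
    modules = ldap_modules(xml_text)
    for svc in ldap_services(rows):
        if svc not in modules:
            problems.append(f"{svc}: no LdapLoginModule with userDirectoryName={svc} in login-config.xml")
    for name in modules:
        if name not in services(rows):
            problems.append(f"login-config.xml names unknown directory {name!r}")
    return problems


def lookup_order(rows, directories, user):
    """Simulate the resolution order: first service whose directory knows the user, else None."""
    for svc in services(rows):
        if user in directories.get(svc, ()):
            return svc
    return None


if __name__ == "__main__":
    for problem in check_config(CONFIG_ROWS, LOGIN_CONFIG_XML) or ["no problems found"]:
        print(problem)
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "->", lookup_order(CONFIG_ROWS, SAMPLE_DIRECTORIES, user))
```

Run against the constructed sample, the check reports that Enterprise2 has no matching login module and that the XML names an unknown directory "Enterpise2"; correcting the spelling clears both. The same check can be pointed at the real rows and file after steps 3 and 4 to confirm that the service names line up before running build deploy.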