ADAM / LDS

July 30, 2012

A recent project has been to configure an ADAM instance so that Openfire can authenticate users from multiple domains against it. It has been interesting and at times frustrating. I wanted to sync two domains, both in the same forest, into the instance and create userProxy objects there so that users can bind through it.

There is a source document for using ADAM with Openfire at this link.

The first thing I tried wasn’t ADAM running on Server 2003 – it was Lightweight Directory Services (AD LDS) running on Server 2008. This worked for the most part – I created two domainDNS objects and wrote adamsync XML files to sync each domain to the domainDNS object I had created for it. They synced without any problems. Then I pointed Openfire at the root partition object and it immediately found 0 users.

The root cause of this issue is that when you create a domainDNS object in LDS, its instanceType attribute has a value of 5 – this indicates that it is writeable and that it is the top of a partition. So by creating two domainDNS objects I had created two additional partitions in my instance, and Openfire does not appear to be able to traverse partitions when looking for users: a search rooted in one partition never sees objects that live in another.

Fair enough. I tore the instance down and started again from scratch, thinking “I’ll just put all the users in the one partition I create”. This didn’t work either – adamsync in LDS will only sync to the top of a partition, and you can only have one adamsync configuration per partition. So I could sync one domain and nothing else, leaving me in exactly the same situation as if I had pointed Openfire at a single domain.

There was only one thing for it: going back to ADAM on Server 2003. This worked! How come?

– domainDNS objects created in ADAM have instanceType set to 4 (writeable), and because they do not have the “top of partition” bit set, they do not represent a new partition.
– adamsync can sync to these domainDNS objects, which aren’t at the top of a partition, without complaint. I didn’t try syncing to CNs or OUs though 😉
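The instanceType difference described above (5 in LDS, 4 in ADAM on 2003) can be checked offline before pointing Openfire at an instance. The script below is an added example, not code from this post, from Openfire or from Microsoft. It decodes the documented instanceType bits (the values are the ones published in MS-ADTS) and then, over a constructed set of domainDNS objects modelled on the two setups above, works out which partition each user object belongs to and which users a search rooted at the top partition would actually see. The DNs and user names are invented; the assumption baked into `partition_of` is the one this post observed, namely that an object belongs to the nearest ancestor (or itself) whose instanceType has the top-of-partition bit set. On a live instance you would read instanceType with an ordinary LDAP search of the domainDNS objects and feed the values in.

```python
"""Decode the instanceType bitmask and predict which users are reachable
from a given search base in an ADAM / AD LDS instance.

Bit values are the documented instanceType flags (MS-ADTS). All directory
entries and user DNs below are constructed sample data, not a real dump.
"""
from typing import Dict, List, Optional

# Documented instanceType flags.
IT_NC_HEAD = 0x01    # object is the head (top) of a naming context / partition
IT_UNINSTANT = 0x02  # replica is not instantiated
IT_WRITE = 0x04      # object is writeable on this directory
IT_NC_ABOVE = 0x08   # the naming context above this one is held here
IT_NC_COMING = 0x10  # naming context is being constructed
IT_NC_GOING = 0x20   # naming context is being removed

FLAG_NAMES = {
    IT_NC_HEAD: "NC_HEAD",
    IT_UNINSTANT: "UNINSTANT",
    IT_WRITE: "WRITE",
    IT_NC_ABOVE: "NC_ABOVE",
    IT_NC_COMING: "NC_COMING",
    IT_NC_GOING: "NC_GOING",
}


def decode_instance_type(value: int) -> List[str]:
    """Return the flag names set in an instanceType value, plus any
    undocumented bits as UNKNOWN(0x..)."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]
    unknown = value & ~sum(FLAG_NAMES)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def is_partition_head(value: int) -> bool:
    """True when the object is the top of its own partition (naming context)."""
    return bool(value & IT_NC_HEAD)


def partition_of(dn: str, entries: Dict[str, int]) -> Optional[str]:
    """Find the partition that `dn` lives in: walk from the object up through
    its parents and return the first DN whose instanceType has NC_HEAD set.
    Assumption (hypothetical, matches the post's observation): partition
    membership is decided by the nearest NC head above the object.
    DNs are split naively on ','; the sample data contains no escaped commas."""
    parts = dn.split(",")
    for i in range(len(parts)):
        candidate = ",".join(parts[i:])
        if is_partition_head(entries.get(candidate, 0)):
            return candidate
    return None


def visible_users(search_base: str, entries: Dict[str, int],
                  user_dns: List[str]) -> List[str]:
    """Users a single-partition search rooted at `search_base` would return:
    only those whose partition is the same as the search base's partition."""
    base_nc = partition_of(search_base, entries)
    return [u for u in user_dns if partition_of(u, entries) == base_nc]


# Constructed sample: the same two domainDNS objects under one application
# partition, as LDS (instanceType 5) and as ADAM on Server 2003 (instanceType 4).
LDS_ENTRIES = {
    "DC=openfire": 5,                  # application partition root
    "DC=contoso,DC=openfire": 5,       # domainDNS object: NC_HEAD set
    "DC=fabrikam,DC=openfire": 5,      # domainDNS object: NC_HEAD set
}
ADAM_ENTRIES = {
    "DC=openfire": 5,
    "DC=contoso,DC=openfire": 4,       # writeable, but not a partition head
    "DC=fabrikam,DC=openfire": 4,
}
USERS = [
    "CN=alice,CN=Users,DC=contoso,DC=openfire",
    "CN=bob,CN=Users,DC=fabrikam,DC=openfire",
]

if __name__ == "__main__":
    for label, entries in (("LDS", LDS_ENTRIES), ("ADAM 2003", ADAM_ENTRIES)):
        print(f"== {label} ==")
        for dn, it in entries.items():
            print(f"  {dn}: instanceType={it} {decode_instance_type(it)}")
        seen = visible_users("DC=openfire", entries, USERS)
        print(f"  users visible from DC=openfire: {len(seen)} {seen}")
```

Running it reproduces the post's two outcomes: with the LDS values, both domainDNS objects are partition heads, so a search rooted at DC=openfire sees 0 users; with the ADAM values, the same search sees both users. The `partition_of` helper is also what you would use to sanity-check a third domainDNS object before wiring up another adamsync configuration.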

Hence I can put the users from two domains into one ADAM instance. So, if you are looking at using Openfire with multiple domains and you decide to go the ADAM route, ignore LDS and stick to 2003!