JBuddy(TM) LDAP Gateway version 1.1.120227 README
For organizations with existing LDAP or Active Directory deployments, the JBuddy LDAP Gateway greatly simplifies account management. The JBuddy LDAP Gateway runs as a separate service and proxies LDAP Bind requests using simple auth (uid & password) to an LDAP or Active Directory Service on behalf of a JBuddy Message Server. The LDAP or AD service must support 'simple' auth in order to use the JBuddy LDAP Gateway. With this in mind, carefully review the Security sections below.
Client Security
Because the JBuddy LDAP Gateway uses simple LDAP bind requests, the user credentials (username and password) are passed unencrypted over the network. It is strongly advised that the JBuddy Message Server be set up to accept only SSL/TLS client requests. See the JBuddy Message Server User Guide for further details.
Server to Server Security
There are two server to server connections that should be secured in order to provide optimum user credential security.
Between JBuddy Message Server to JBuddy LDAP Gateway
The JBuddy LDAP Gateway (as well as all the other optional JBuddy Message Server Gateways) locates and connects to the JBuddy Message Server through a Java service called RMI. As part of the JBuddy Message Server installation, a Java RMI service is launched; it typically listens on port 1099 on the same machine as the JBuddy Message Server. Optional JBuddy Message Server Gateways are typically deployed on the same server as the JBuddy Message Server, so the server itself would need to be compromised in order for the communication between the server and gateway to be at risk. The JBuddy LDAP Gateway is provided as a separate installer and may therefore be installed on another server, perhaps the server hosting LDAP or Active Directory. Since the JBuddy LDAP Gateway also communicates with the JBuddy Message Server via the Java RMI service, the communications path between these services should be as secure as possible. As stated earlier, if they are on the same server, this is generally considered secure unless the machine is compromised.
Between JBuddy LDAP Gateway and LDAP or Active Directory Service
The JBuddy LDAP Gateway connects to the LDAP or Active Directory Service over the network. Since a simple LDAP Bind request is the only available authentication scheme in version 1.0 of the JBuddy LDAP Gateway, this network connection should be secured. Ideally the JBuddy LDAP Gateway will connect to the LDAP or Active Directory Service over an SSL/TLS secure channel. A second option to secure communication between these services would be to install the JBuddy LDAP Gateway on the same machine as the LDAP or Active Directory server; in this way, the communication would be secure as long as the server was not compromised. The preferred method is of course to connect to the LDAP or Active Directory Service over an SSL/TLS secure channel.
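The Client Security and Server to Server Security sections above both rest on one fact: a simple LDAP Bind carries the DN and password as plain octet strings inside the BER-encoded request, so anything that sees the TCP stream sees the credentials. The following example is added here to make that concrete; it is not code from the JBuddy LDAP Gateway or from Zion Software. It builds an RFC 4511 BindRequest with a minimal BER encoder (only the tags this one message needs), checks that the credentials appear verbatim in the resulting bytes, and shows the transport-level fix the section recommends: wrapping the socket in TLS before any bind is sent. The DN, password, host name and the use of port 636 (ldaps) are constructed sample values, not values from this product's configuration.

```python
"""Encode an LDAP v3 simple BindRequest (RFC 4511, BER) to show what crosses
the wire, and wrap the transport in TLS so that it no longer does.
Added example; not part of the JBuddy LDAP Gateway distribution."""
import socket
import ssl
from typing import Optional


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    """Tag-Length-Value triple."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    length = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }.

    Tags: SEQUENCE 0x30, [APPLICATION 0] constructed 0x60 (BindRequest),
    OCTET STRING 0x04 (LDAPDN), context-specific [0] primitive 0x80 (simple).
    """
    bind = (
        _ber_int(3)                                 # version
        + _tlv(0x04, dn.encode("utf-8"))            # name (LDAPDN)
        + _tlv(0x80, password.encode("utf-8"))      # AuthenticationChoice: simple
    )
    protocol_op = _tlv(0x60, bind)
    return _tlv(0x30, _ber_int(message_id) + protocol_op)


def credentials_visible(packet: bytes, dn: str, password: str) -> bool:
    """True when both the DN and the password occur verbatim in the packet.

    This is exactly what a passive observer of an un-encrypted LDAP session
    gets: no decoding effort is needed, the octets are simply there.
    """
    return dn.encode("utf-8") in packet and password.encode("utf-8") in packet


def ldaps_connect(host: str, port: int = 636,
                  cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Open the directory connection over TLS *before* any bind is sent.

    Assumed deployment detail: the directory listens for ldaps on 636 and its
    certificate chains to the system CA store (or to `cafile`). The default
    context verifies the chain and, via server_hostname, the host name, so a
    bind sent over this socket is not readable on the wire.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((host, port), timeout=5)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Constructed sample credentials; they exist only for this demonstration.
    sample_dn = "uid=alice,ou=people,dc=example,dc=com"
    sample_pw = "s3cret"
    pkt = encode_simple_bind(1, sample_dn, sample_pw)
    print(pkt.hex())
    print("credentials readable in cleartext bind:",
          credentials_visible(pkt, sample_dn, sample_pw))
    # To actually bind securely: sock = ldaps_connect("ldap.example.com")
    # followed by sock.sendall(pkt); the TLS record layer hides the bytes.
```

The encoder is deliberately limited to the five tags a simple bind uses; a real client library handles the full protocol, but the point the section makes is visible in the hex dump alone: the password sits in the packet as the last eight bytes, `80 06` followed by the password text. `ldaps_connect` is the corrective for the Between JBuddy LDAP Gateway and LDAP or Active Directory Service section: the same bytes sent through a verified TLS socket are not recoverable from the network.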
System Requirements
Service Requirements
- Java (J2RE 1.4+ or J2SDK 1.4+)
- LDAP or Active Directory Service supporting 'Simple' Auth Bind requests.
Current Features
- Allows JBuddy Message Server to authenticate users using an LDAP or AD service
Versions & License Limitations
JBuddy LDAP Gateway is governed by the JBuddy Message Server License in use (whether it is a 30 day trial license, an extended but limited user license, or a production / licensed version of JBuddy Message Server).
Installation Directory Layout
The following subdirectories may appear after the successful installation of JBuddy LDAP Gateway:
- bin - contains the core executables and launch scripts for the operating system the product is installed on
- conf - contains the config files for launching the services from the shell scripts
- lib - contains the core library components and resources
- logs - contains the log files as generated by the JBuddy LDAP Gateway
- docs - contains documentation describing configuring and operating the JBuddy LDAP Gateway
- Uninstaller - contains the executable jar for uninstalling the product
JBuddy is a trademark of Zion Software, LLC in the US and other countries.
Copyright 2011-2012 Zion Software, LLC. All Rights Reserved.