
Jabber for Android and iOS Active Directory not Integrating Correctly

Adamferrell89
Level 1

Good evening,

 

I am working on my jabber-config.xml file and am having problems with Android and iOS clients getting attributes from LDAP onto the mobile client. The Windows one is working fine. When I log in, I see the UPN/email address of the users instead of their Display Name like in the Windows client. None of the attributes such as their telephone number and photo show up. When I look up a contact's phone number, I get "No phone numbers". I store all users' photos in the thumbnailPhoto attribute in AD. Those show up fine in the Windows client after I disabled the "Use UDS for Contact Resolution" in the Service Profile.

 

I have been searching around on the forums for a couple of days now and have come across some very helpful information with the jabber-config.xml file, but sadly, none of these posts have led me in the right direction. I have created a website to host the users' photos to see if that would help. I am testing it out with one user's photo and it correctly shows up in Windows, but not the Android client. Here is what my xml file currently has: (note I have tried port 3268 as well since the DCs are all GCs and I modified the schema to have the thumbnailPhoto replicating through the GC.)

 

<?xml version="1.0" encoding="utf-8"?>
<config version="1.0">
    <Directory>
        <DirectoryServerType>EDI</DirectoryServerType>
        <ConnectionType>0</ConnectionType>
        <PrimaryServerName>IP Address of DC</PrimaryServerName>
        <ServerPort1>389</ServerPort1>
        <UseWindowsCredentials>0</UseWindowsCredentials>
        <ConnectionUsername>domainusername</ConnectionUsername>
        <ConnectionPassword>password</ConnectionPassword>
        <SearchBase1>DC=domain,DC=edu</SearchBase1>
        <MinimumCharacterQuery>2</MinimumCharacterQuery>
        <PhotoUriSubstitutionEnabled>true</PhotoUriSubstitutionEnabled>
        <PhotoUriSubstitutionToken>sAMAccountName</PhotoUriSubstitutionToken>
        <PhotoUriWithToken>http://website.edu/sAMAccountName.jpg</PhotoUriWithToken>

        <DirectoryServerType>BDI</DirectoryServerType>
        <BDIPrimaryServerName>IP Address of DC</BDIPrimaryServerName>
        <BDIServerPort1>389</BDIServerPort1>
        <BDIEnableTLS>False</BDIEnableTLS>
        <BDIPresenceDomain>domain.edu</BDIPresenceDomain>
        <BDIConnectionUsername>CN=domainusername,OU=Service Accounts,DC=domain,DC=edu</BDIConnectionUsername>
        <BDIConnectionPassword>password</BDIConnectionPassword>
        <BDISearchBase1>DC=domain,DC=edu</BDISearchBase1>
        <BDIPhotoUriSubstitutionEnabled>true</BDIPhotoUriSubstitutionEnabled>
        <BDIPhotoUriSubstitutionToken>sAMAccountName</BDIPhotoUriSubstitutionToken>
        <BDIPhotoUriWithToken>http://website.edu/sAMAccountName.jpg</BDIPhotoUriWithToken>
    </Directory>
</config>

 

Any assistance would be greatly appreciated.

 

Thanks,

Adam

 

8 Replies

Jonathan Schulenberg
Hall of Fame

The BDIConnectionUsername is sAMAccountName or possibly UPN, not an LDAP DN value, so try fixing that.

If that doesn't work, I suggest running Wireshark from the DC or pulling a Problem Report from Jabber with detailed logging turned on so you can see what is failing in the LDAP bind operation.

I tried changing it to the sAMAccountName and UPN, but neither worked. I will try running Wireshark on the DC and see what info I can find. Thanks for your help.

You can also use the PRT from the client to confirm it's properly getting all the BDI entries and if it's properly accepting them, or if it's finding some error.

HTH

java

if this helps, please rate

I did find this line in the jabber.log file when I sent the diagnostics over.

 

[sendSearchQuery] - Cancelling sending search query to LDAP server; not bound because of bad credentials
2015-09-22 09:25:44

 

I know the credentials are correct, so maybe some syntax issue? I will try to investigate the log file further to see if I can find anything else that stands out.

 

Thanks!

From what you have mentioned above, can you try the following format for BDIConnectionUsername:

 

<BDIConnectionUsername>admin@test.com</BDIConnectionUsername>

Where "admin" is the userid of the LDAP binding user and "test.com" is the domain name of the LDAP.

 

Sorry for just now getting back to you on this. I have tried it with both the UPN and sAMAccountName in the BDIConnectionUsername section, but neither is allowing the mobile devices to see the LDAP info. I am at a loss at this point. We have LDAP enabled on CUCM and that has been working fine, but would there be some setting on the LDAP configuration on CUCM that I need to add/modify for the mobile clients to work?

Also would like to mention that the AD domain structure is ad.test.com, but the email addresses are username@test.com. So, the IM and Presence server was set up to use test.com as the domain instead of ad.test.com. Could that potentially throw off the values of BDIPresenceDomain and BDISearchBase1?

Just wanted to let everyone know that I figured out the issue. I ended up changing back to UDS as the Directory Server Type instead of BDI. I didn't get the thumbnailPhoto attribute to sync, but I just uploaded all of the photos to a web server. The directory part of the config looks like this. The %%uid%% variable was what I was missing the first time. I was using sAMAccountName as the variable and that wasn't working, but this works perfectly!

<Directory>
   <DirectoryServerType>UDS</DirectoryServerType>
   <UdsServer>IP of CUCM Server</UdsServer>
   <UdsPhotoUriWithToken>http://abc.xyz/photos/%%uid%%.jpg</UdsPhotoUriWithToken>
</Directory>

 

Thanks for everyone's help and suggestions!
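
The configuration points visible in this thread (two DirectoryServerType entries in one file, an LDAP DN used as the BDI bind user, a bind password configured while BDIEnableTLS is False, and a UDS photo URI without the %%uid%% variable) can be checked before a jabber-config.xml is published. The following is an added example, not code from the original posts or from Cisco; the function name, finding codes and sample strings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the BDI part of the first post's config, placeholders kept.
SAMPLE_BDI = """<config version="1.0"><Directory>
  <DirectoryServerType>EDI</DirectoryServerType>
  <DirectoryServerType>BDI</DirectoryServerType>
  <BDIServerPort1>389</BDIServerPort1>
  <BDIEnableTLS>False</BDIEnableTLS>
  <BDIConnectionUsername>CN=domainusername,OU=Service Accounts,DC=domain,DC=edu</BDIConnectionUsername>
  <BDIConnectionPassword>password</BDIConnectionPassword>
</Directory></config>"""

# Constructed sample: a UDS config whose photo URI lacks the %%uid%% variable.
SAMPLE_UDS = """<config version="1.0"><Directory>
  <DirectoryServerType>UDS</DirectoryServerType>
  <UdsPhotoUriWithToken>http://abc.xyz/photos/sAMAccountName.jpg</UdsPhotoUriWithToken>
</Directory></config>"""


def lint_directory(xml_text):
    """Return finding codes (hypothetical names) for the <Directory> section."""
    directory = ET.fromstring(xml_text).find("Directory")
    if directory is None:
        return ["no-directory-section"]
    get = lambda tag: (directory.findtext(tag) or "").strip()
    findings = []
    # The first post declares both EDI and BDI inside one <Directory> element.
    types = [e.text.strip() for e in directory.findall("DirectoryServerType") if e.text]
    if len(types) > 1:
        findings.append("multiple-directory-server-types")
    # Reply in the thread: the bind user is sAMAccountName or UPN, not an LDAP DN.
    if re.match(r"(?i)^(cn|uid|ou)=", get("BDIConnectionUsername")):
        findings.append("bdi-username-is-dn")
    # A bind password is configured while TLS is not switched on for BDI.
    if get("BDIConnectionPassword") and get("BDIEnableTLS").lower() != "true":
        findings.append("bdi-password-without-tls")
    # Resolution in the thread: the UDS photo URI needs the %%uid%% variable.
    uds_photo = get("UdsPhotoUriWithToken")
    if uds_photo and "%%uid%%" not in uds_photo:
        findings.append("uds-photo-uri-missing-uid-token")
    return findings


if __name__ == "__main__":
    for name, text in (("BDI", SAMPLE_BDI), ("UDS", SAMPLE_UDS)):
        print(name, lint_directory(text))
```
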
