Limit Openfire access to specific Active Directory Security Groups

Hello,

I install Openfire 3.7.1 to Authenticate to my Active Directory domain.

The issue is I see all of the users under my base DN.

I only want to allow access from users of a particular security group.

I have set the ldap.groupSearchFilter

(objectClass=group)(CN=MYJABBERGROUP)

This however doesnt seem to restrict access so that only members of this group can authenticate.

Is there another property I need to set. Would it perhaps be this: ldap.searchFilter

Is there a description or all the properties somewhere?

You need to AND the results together. (&(objectClass=group)(CN=MYJABBERGROUP))

You will also get better performance with objectCategory=group instead of objectCategory… well at least we do on our AD.

ok thanks so are you saying if I change the ldap.GroupSearchFilter by ANDing the result together the result will be to only allow logins from that group?

What is the ldap.SearchFilter for?

The ldap.GroupSearchFilter value filters groups according to the ldap structure.

So if you have

Group1

Group2

Group2A

Group2B

Group12

And you use a filter like this (objectClass=group)(cn=Group1*)

The structure on Openfire will be

Group1

Group12

If you want to filter users, you need to use the ldap.SearchFilter

Here’s some examples on the sintax for filters http://www.tek-tips.com/faqs.cfm?fid=5667

Here you go.

http://community.igniterealtime.org/message/204068#204068

ldap.SearchFilter is what you want to use. As an example, here’s what I use to filter who can log in:

(&(objectClass=organizationalPerson)(|(memberOf=CN=SHARE-STAFF,OU=Groups,OU=Peop le,DC=xxx-ad,DC=aks,DC=edu)(memberOf=CN=JABBER-MANUAL,OU=Groups,OU=People,DC=xxx -ad,DC=aks,DC=edu)))

This means that you can only log in if you’re a member of the “SHARE-STAFF” or “JABBER-MANUAL” groups in our AD. “SHARE-STAFF” is dynamically populated to include all active staff members, and the other is manual assignment for temp workers and visitors.

Since we allow all staff to log in, we separate them in groups by geographical location using ldap.groupSearchFilter.

(&(objectClass=group)(|(CN=IT)(CN=Benning)(CN=Breboro)(CN=Middlebury)(CN=NewYork )

This example gives us 5 different groups. All I did here was reference the already existing distribution lists in AD to decide who belongs to what group once logged in.

I must be missing something here. This is what my ldap.groupSearch looks like

ldap.groupSearchFilter

(&(objectClass=group)((CN=GG-SFOJABBER))

This group resided under my base DN

I am still not able to log in with a member of that group?

I have also changed my strategy to where I dont want to restrict access to just that group. I want everyone in my base DN to log in and then also allow user who are members of the group but reside in an OU that is not part of the base DN. I cant seem to get that to work?

shouldnt anyone i put in the groupSearchFilter be able to log in regardless of the OU?

You’re using the wrong setting. That one is to pull the groups from ldap, but to pull users you need to define ldap.SearchFilter

This works well for me, after adviced recieved from these very forums.

**ldap.searchFilter **

(&(objectClass=organizationalPerson)(CN=*)(memberOf=CN=Access-Test_Jabber,OU=Gro ups,DC=abc,DC=local))

Note - the above Search Filter property is configured to filter everyone in the Access-Test_Jabber group, so Openfire only “sees” persons in this group, if you change the (cn=) part of the filter to (mail=), you still filter everyone in the Access-Test_Jabber group, but this time they need an email address entry in AD/LDAP to be seen in Openfire. I elected to use (cn=*) as it catches everyone in the appropriate group regardless if they have an email address or not, however, in the future, you may only want users with a email address, using the above will enable you to do this.

I then filter the group

**ldap.groupSearchFilter **

(&(objectClass=group)(cn=Access-Test_Jabber))

fishface does this configuration mean that only members of the Access-Test_Jabber group can authenticate?

Also im not clear about how I should enter these filters in the GUI.

Do I need the & format…so

(&(objectClass=group)(cn=Access-Test_Jabber))

or in the GUI can I just enter this

(objectClass=group)(cn=Access-Test_Jabber)

so I kind of figured this out.

Firstly the syntax used above with the (&…) did not work for me. I tried that, rebooted and then had to redo the entire configuration.

I ran the setup again and set the base DN to the root of my domain and se the group like this:

(objectClass=group)(cn=Jabber-Group)

Then I set the search to:

(objectClass=organizationalPerson)(memberOf=CN=GG-Jabber-Group,OU=Groups,OU=anot herOU,DC=my,DC=domain,DC=local)

This worked for me and now anyone in that group can log in but nobody not in that group.

I guess every time you change one of these parameters you need to restart the service as well?

I’m a little confused about the syntax above with the (& as it clearly didnt work.

No idea why it didn’t work. You said “*Then I set the search to:”…*which search? There is SearchFilter and GroupSearchFilter. SearchFilter decides who can login, GroupSearchFilter is what places them in different groups once they are logged in.

Also, you should not need to restart the service. Any changes you make should take effect automatically after a few minutes.

i set the ldap.searchfileter to my group so I guess thats the one I wanted. I don’t really care what group they appear in.

to the openfire client so maybe I dont need the ldap.Groupsearchfileter?

All I know is when i used the notation with the (&… it didnt work. And after I restarted the service I couldnt log in.

I went through the setup again without the (&… and now I have the desired affect where only people in a particular group can log in.

I’m doing all of this from the admin console…not sure if there a text file i can edit. The openfire.xml doesnt seem to have anything in it?