OK, thanks. So are you saying that if I change the ldap.GroupSearchFilter by ANDing the result together, the result will be to only allow logins from that group?
This means that you can only log in if you’re a member of the “SHARE-STAFF” or “JABBER-MANUAL” groups in our AD. “SHARE-STAFF” is dynamically populated to include all active staff members, and the other is manual assignment for temp workers and visitors.
Since we allow all staff to log in, we separate them in groups by geographical location using ldap.groupSearchFilter.
This example gives us 5 different groups. All I did here was reference the already existing distribution lists in AD to decide who belongs to what group once logged in.
I must be missing something here. This is what my ldap.groupSearch looks like:
ldap.groupSearchFilter
(&(objectClass=group)((CN=GG-SFOJABBER))
This group resided under my base DN.
I am still not able to log in with a member of that group?
I have also changed my strategy to where I don't want to restrict access to just that group. I want everyone in my base DN to log in and then also allow users who are members of the group but reside in an OU that is not part of the base DN. I can't seem to get that to work?
Shouldn't anyone I put in the groupSearchFilter be able to log in regardless of the OU?
Note - the above Search Filter property is configured to filter everyone in the Access-Test_Jabber group, so Openfire only “sees” persons in this group. If you change the (cn=) part of the filter to (mail=), you still filter everyone in the Access-Test_Jabber group, but this time they need an email address entry in AD/LDAP to be seen in Openfire. I elected to use (cn=*) as it catches everyone in the appropriate group regardless of whether they have an email address or not. However, in the future, you may only want users with an email address; using the above will enable you to do this.
No idea why it didn’t work. You said “Then I set the search to:”… which search? There is SearchFilter and GroupSearchFilter. SearchFilter decides who can log in, GroupSearchFilter is what places them in different groups once they are logged in.
Also, you should not need to restart the service. Any changes you make should take effect automatically after a few minutes.
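A syntax check for the filter strings discussed in this thread, as an added example that is not part of any post and not Openfire code: it parses a subset of RFC 4515 (`&`, `|`, `!` and simple `attr=value` items) and reports where a filter stops being well formed. `POSTED` is the ldap.groupSearchFilter value quoted above; `BALANCED` is a constructed variant with matched parentheses, and the function names are assumptions.

```python
# Added example: minimal RFC 4515 filter syntax check (subset: &, |, !, attr=value).

def parse_filter(s, i=0):
    """Parse one filter starting at s[i]; return (tree, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        if not children:
            raise ValueError(f"'{op}' needs a sub-filter at position {i}")
        tree = (op, children)
    elif i < len(s) and s[i] == "!":
        child, i = parse_filter(s, i + 1)
        tree = ("!", [child])
    else:
        # Simple item: runs up to the next parenthesis (literal parentheses
        # inside a value must be escaped as \28 and \29, so this is safe).
        end = i
        while end < len(s) and s[end] not in "()":
            end += 1
        item = s[i:end]
        attr, sep, _value = item.partition("=")
        if not sep or not attr:
            raise ValueError(f"expected attr=value at position {i}, got {item!r}")
        tree, i = item, end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at position {i}")
    return tree, i + 1

def check_filter(s):
    """Return (True, tree) for a well-formed filter, else (False, reason)."""
    s = s.strip()
    try:
        tree, end = parse_filter(s)
        if end != len(s):
            raise ValueError(f"trailing text at position {end}")
        return True, tree
    except ValueError as exc:
        return False, str(exc)

POSTED = "(&(objectClass=group)((CN=GG-SFOJABBER))"   # value as posted in the thread
BALANCED = "(&(objectClass=group)(CN=GG-SFOJABBER))"  # constructed: matched parentheses

if __name__ == "__main__":
    for name, flt in (("posted", POSTED), ("balanced", BALANCED)):
        print(name, check_filter(flt))
```

A filter that passes this check is only syntactically valid; which accounts it matches still depends on the base DN and on whether it is set as the search filter or the group search filter.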