Active Directory Security Groups Not Showing Up As OpenFire Groups

I'm so sorry if this has been posted before, but I feel like I've done my due diligence and read enough posts to think the answer to my problem isn't listed.

Stats:

Ubuntu Linux 2.6.x kernel.

Sun JRE 6 (1.6.0)

OpenFire 3.3.0

MySQL5 DB

AD Integration

server home: /opt/openfire

I have been able to get Active Directory authentication working with no problem. My issue is with groups. I want to configure OpenFire to pull Active Directory security groups living in a specific OU and use those security groups as the “Groups” in the OpenFire system. This would allow me to populate instant messaging groups with users via Active Directory.

In my groups summary in the OpenFire admin console, I see no groups. But I do have a security group in that OU in Active Directory. It has a few users in it. If I specifically search for the security group's name, I don't see the group listed but my total groups changes from 0 to 1.

My AD setup (Win2K3):

mydomain.local (DC=mydomain,DC=local)
----My Enterprise (CN=My Enterprise,DC=mydomain,DC=local)
--------IM Groups (CN=IM Groups,OU=My Enterprise,DC=mydomain,DC=local)
------------My Test Group (CN=My Test Group,OU=IM Groups,OU=My Enterprise,DC=mydomain,DC=local)
--------My Office (CN=My Office,OU=My Enterprise,DC=mydomain,DC=local)
------------Users (CN=Users,OU=My Office,OU=My Enterprise,DC=mydomain,DC=local)
----------------My Test Account (CN=My Test Account,OU=Users,OU=My Office,OU=My Enterprise,DC=mydomain,DC=local)
--------Another Office (CN=Another Office,OU=My Enterprise,DC=mydomain,DC=local)
------------Users (CN=Users,OU=Another Office,OU=My Enterprise,DC=mydomain,DC=local)

My Test Group is an Active Directory security group populated with a few Active Directory users from the Users OU.

My Test Account is an Active Directory user that is a member of the My Test Group Active Directory security group.

My XML config file:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<jive>
  <adminConsole>
    <port>9090</port>
    <securePort>9091</securePort>
  </adminConsole>
  <admin>
    <authorizedUsernames>myADAccount</authorizedUsernames>
  </admin>
  <locale>en</locale>
  <connectionProvider>
    <className>org.jivesoftware.database.DefaultConnectionProvider</className>
  </connectionProvider>
  <database>
    <defaultProvider>
      <driver>com.mysql.jdbc.Driver</driver>
      <serverURL>jdbc:mysql://xxx.xxx.xxx.xxx:3306/openfire</serverURL>
      <username>mySQLAccount</username>
      <password>mySQLPassword</password>
      <minConnections>5</minConnections>
      <maxConnections>15</maxConnections>
      <connectionTimeout>1.0</connectionTimeout>
    </defaultProvider>
  </database>
  <ldap>
    <host>domaincontroller.mydomain.local</host>
    <port>389</port>
    <baseDN>OU=My Enterprise,DC=mydomain,DC=local</baseDN>
    <adminDN>CN=Administrator,OU=My Company Management Accounts,OU=My Company Contacts,OU=My Company Address Lists,DC=mydomain,DC=local</adminDN>
    <adminPassword>domainAdminPassword</adminPassword>
    <connectionPoolEnabled>true</connectionPoolEnabled>
    <sslEnabled>false</sslEnabled>
    <ldapDebugEnabled>false</ldapDebugEnabled>
    <autoFollowReferrals>false</autoFollowReferrals>
    <usernameField>sAMAccountName</usernameField>
    <searchFilter>(objectClass=organizationalPerson)</searchFilter>
    <vcard-mapping><![CDATA[
      <vCard xmlns="vcard-temp">
        <N>
          <GIVEN></GIVEN>
        </N>
        <EMAIL>
          <INTERNET/>
          <USERID></USERID>
        </EMAIL>
        <FN></FN>
        <ADR>
          <HOME/>
          <STREET></STREET>
          <PCODE></PCODE>
          <CTRY></CTRY>
        </ADR>
        <ADR>
          <WORK/>
          <STREET></STREET>
          <LOCALITY></LOCALITY>
          <REGION></REGION>
          <PCODE></PCODE>
          <CTRY></CTRY>
        </ADR>
        <TEL>
          <HOME/>
          <VOICE/>
          <NUMBER></NUMBER>
        </TEL>
        <TEL>
          <HOME/>
          <CELL/>
          <NUMBER></NUMBER>
        </TEL>
        <TEL>
          <WORK/>
          <VOICE/>
          <NUMBER></NUMBER>
        </TEL>
        <TEL>
          <WORK/>
          <CELL/>
          <NUMBER></NUMBER>
        </TEL>
        <TEL>
          <WORK/>
          <FAX/>
          <NUMBER></NUMBER>
        </TEL>
        <TEL>
          <WORK/>
          <PAGER/>
          <NUMBER></NUMBER>
        </TEL>
        <TITLE></TITLE>
        <ORG>
          <ORGUNIT></ORGUNIT>
        </ORG>
      </vCard>
    ]]></vcard-mapping>
    <nameField>cn</nameField>
    <emailField>mail</emailField>
    <groupNameField>cn</groupNameField>
    <groupMemberField>member</groupMemberField>
    <groupDescriptionField>description</groupDescriptionField>
    <posixMode>false</posixMode>
    <groupSearchFilter><![CDATA[(&(objectClass=group)(memberOf=CN=IM Groups,OU=My Enterprise,DC=mydomain,DC=local))]]></groupSearchFilter>
  </ldap>
  <provider>
    <vcard>
      <className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className>
    </vcard>
    <user>
      <className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>
    </user>
    <auth>
      <className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
    </auth>
    <group>
      <className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>
    </group>
  </provider>
  <setup>true</setup>
</jive>
```

The server runs fine. Users can login and instant message one another. MySQL connection is fine as I can see data populating the tables. I've cleared the caches and restarted the server daemon. Nothing works. The only thing that is screwy is the groups. Can anyone help me out?

Thanks in advance!

The way I have it set up is that I have a group called "wildfire". I have all my users and my department groups as members of the "wildfire" group. Each user is a member of a department group. Below are my AD LDAP settings:

Base DN: dc=company,dc=local

Username Field: sAMAccountName

Userfilter: (&(objectCategory=Person)(memberOf=CN=wildfire,ou=company Security Groups,DC=company,DC=local))

Group Field: cn

Member Field: member

Description Field: description

Group Search Filter: (&(objectClass=Group)(memberOf=CN=wildfire,ou=company Security Groups,DC=company,DC=local))

To have contacts automatically show up on login, I had to share each group to all the users. You do this by logging into the admin console and clicking on the "user/groups" tab and then clicking on "Group Summary" on the left menu.

Thanks for the reply papawu.

My problem is that I can't see any of the groups listed in the Group Summary page. It says 0 available even though that filtered OU has a security group in it. When I search for the name of that security group in OpenFire, the total groups available changes from 0 to 1, but no group names are listed. It's like it found the group, it just isn't showing it in the admin console. If the groups could appear, then I could share them to the users.

I don't think you can filter by OUs.

The filter is really just providing a base DN for the group search.

It will only look for objects that are groups and members of the IM Groups OU. I've read many other posts of people doing this, but read only two posts where the admin couldn't see his AD groups but the system says they are there.

Read this post:

http://www.igniterealtime.org/forum/thread.jspa?messageID=145063&#145063

Or this one:

http://www.igniterealtime.org/forum/thread.jspa?messageID=141309&#141309

Cheers!
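The groupSearchFilter in the first post points memberOf at "IM Groups", but in the tree above "IM Groups" is an OU, and memberOf only ever carries the DNs of groups an object belongs to, so such a filter can match nothing; papawu's pattern puts the department groups inside a container group and filters on that group's DN instead. The following is an added example, not code from this thread or from Openfire: a small RFC 4515 filter evaluator run against a constructed in-memory directory modelled on the poster's tree. The directory contents and the "departments-it" group are assumptions.

```python
import re

# Added example, not from the thread: evaluate LDAP search filters against a constructed
# directory to show why memberOf=<an OU> returns no groups while memberOf=<a group> does.

def parse_filter(text):
    """Parse (&..)/(|..)/(attr=value) filters into nested tuples; ValueError on bad syntax."""
    def parse(i):
        if text[i:i + 1] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        op = text[i + 1:i + 2]
        if op in ("&", "|"):
            i, kids = i + 2, []
            while text[i:i + 1] == "(":
                node, i = parse(i)
                kids.append(node)
            node = (op, kids)
        else:  # simple equality item; attribute names are case-insensitive
            m = re.match(r"([A-Za-z][\w.;-]*)=([^()]*)", text[i + 1:])
            if not m:
                raise ValueError("bad filter item at offset %d" % (i + 1))
            node, i = ("=", m.group(1).lower(), m.group(2)), i + 1 + m.end()
        if text[i:i + 1] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return node, i + 1
    return parse(0)[0]

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attr -> list of values), case-insensitively."""
    if node[0] == "=":
        return node[2].lower() in [v.lower() for v in entry.get(node[1], [])]
    results = [matches(k, entry) for k in node[1]]
    return all(results) if node[0] == "&" else any(results)

BASE = "OU=My Enterprise,DC=mydomain,DC=local"
# Constructed directory: "IM Groups" is an OU, so no group carries memberOf pointing at it.
# "wildfire" follows papawu's pattern: a *group* whose members are the department groups.
DIRECTORY = {
    "OU=IM Groups," + BASE: {"objectclass": ["top", "organizationalUnit"]},
    "CN=My Test Group,OU=IM Groups," + BASE: {"objectclass": ["top", "group"], "cn": ["My Test Group"]},
    "CN=wildfire,OU=IM Groups," + BASE: {"objectclass": ["top", "group"], "cn": ["wildfire"],
                                        "member": ["CN=departments-it,OU=IM Groups," + BASE]},
    "CN=departments-it,OU=IM Groups," + BASE: {"objectclass": ["top", "group"], "cn": ["departments-it"],
                                              "memberof": ["CN=wildfire,OU=IM Groups," + BASE]},
}

def search_groups(group_filter):
    # Return the DNs in DIRECTORY that satisfy group_filter, as a group-provider search would.
    node = parse_filter(group_filter)
    return sorted(dn for dn, entry in DIRECTORY.items() if matches(node, entry))
```

Running `search_groups` with the poster's memberOf=CN=IM Groups filter yields an empty list, while the same filter keyed on the "wildfire" container group returns the department group.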

Hello tjpile, I have the same setup which used to work ok in Wildfire. Upgrading to openfire seems to have broken this (see http://www.igniterealtime.org/forum/thread.jspa?threadID=26029&tstart=25) so it's probably not something you are doing wrong, but a problem with Openfire. I'm hoping someone will read the other thread and hopefully this will get fixed!

I've reverted back to Wildfire 3.0.1 for now.

Ben

Thanks benwillcox! I wonder if a bug report has been filed (if possible) or if the developers check the forums enough to catch issues like this.

I guess I'll have to download the older version as well.

Thanks!

According to the Support page we are supposed to report bugs in the forums. Normally the developers are pretty good about reading the forums and picking these up, so I hope this will be solved soon!

Cheers,

Ben

One last question benwillcox,

I've been looking for plugins that will work with Wildfire 3.0.1 but haven't found pre-compiled ones. Short of downloading and installing a JDK, Apache ANT, pulling the source from a code repo, and compiling, can I find the normal plugins (broadcast, userpresence, etc) for Wildfire 3.0.1 for download? Should be seven *.JAR files.

Thanks a lot!

Update: Never mind. I downloaded J2SE5u11, Ant 1.6.5, and the openfire 3.0 branch and compiled them myself. Worked like a charm.

I decided to have another go with Openfire 3.3.0 and I've now got this working OK. In Active Directory I have users in various groups, named departments-it, departments-accounts etc., and these are then grouped within Wildfire/Spark. The problem appears to have been with the groupSearchFilter field.

In Wildfire, the groupSearchFilter was as follows:

and it now works as before.

Cheers,

Ben

benwillcox, thank you, thank you! I had the same problem with groups migrating from Wildfire to Openfire. Group count was there, but no groups listed. Your solution worked!