Active Directory computers showing up as users

Basically I am just trying to filter out my computers from the user summary in openfire.

My user summary has 1,000+ “users” since it has caught all the computers as well and is treating them as though they were users.

Ah! Unfortunately, unless Samba just “does it wrong”, there’s no special identifier for computers — sort of. Part of the problem with Openfire’s LDAP support at the moment is there’s no way to say groups are here, users are here, etc. This makes it so you can’t say all users are inside the container ou=Users,dc=example,dc=org.

So what can be done about this for now? (Note that I have plans on doing some serious improvements to the LDAP support; I worked with LDAP for a number of years before coming to Jive.) I can only go by my own AD-like setup, which is using Samba and OpenLDAP, but in mine, the description field is set to “Computer” for all computers. So for your user filter string, you could do something like:

(!(description=Computer))

If that isn’t the case with your setup … all computers in my setup were given a dollar sign ($) at the end of their name, so you could do something with the filter like:

(!(cn=*$))

Please let me know if these work for a “real” active directory setup. IMO it would be nice to set these filters automatically for AD, since it’s a known way AD sets up hosts.

What part of the openfire XML file would I put this in?

And yes, all computers are created with the name ##-#####$, so I believe the second method might work.

<ldap>
  ...
  <searchFilter>whatever</searchFilter>
</ldap>

You could also set it by going to the admin console, going to Profile Settings, clicking the edit button, working your way to the User setup step (2nd step), the advanced options tab, and setting it there.

I tried both (!(description=Computer)) and the other filter in the search fields. Is that where it needs to be entered?

Is there a way to tell it to exclude ‘computer’ from the list of user summary if it is found in the values section?

It turns out when the computers come up in the user summary they have a $ at the end, but this is not the naming scheme in AD.

Edit: or would it affect anything if I took organizationalPerson out of the computers’ values in AD? Then it would be skipped, correct?

I believe AD’s own interfaces hide the $ from you. In “standard LDAP queries” they show up with $'s at the end.

Did you restart your server after changing those settings, btw? (Just making sure.) If you didn’t, you probably need to do that so it updates the various caches.

If you took organizationalPerson out of the computers, you could then set up a filter to eliminate them:

(!(objectclass=organizationalPerson))

I think the dollar sign thing -should- work. (it’s worked on my own tests) So maybe something else is going on.
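Added example, not part of the original thread: a small Python evaluator for the filter strings suggested above, run against constructed directory entries so a filter can be checked before it goes into Openfire. It assumes (not stated in the thread) that a real AD computer object carries the trailing $ in sAMAccountName rather than in cn and has no description set; the sAMAccountName filter is an extension of the thread's (!(cn=*$)) idea.

```python
import re

def parse(f, i=0):
    """Parse one RFC 4515 filter at f[i]; return (predicate, next index).
    Subset: & | ! and equality/substring items, case-insensitive, no escapes."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|":
        combine, subs, i = (all if f[i] == "&" else any), [], i + 1
        while f[i] == "(":
            sub, i = parse(f, i)
            subs.append(sub)
        pred = lambda e: combine(s(e) for s in subs)
    elif f[i] == "!":
        inner, i = parse(f, i + 1)
        pred = lambda e: not inner(e)
    else:
        end = f.index(")", i)
        attr, _, value = f[i:end].partition("=")
        rx = re.compile(".*".join(map(re.escape, value.split("*"))), re.I)
        pred = lambda e: any(rx.fullmatch(v) for v in e.get(attr.lower(), []))
        i = end
    if f[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return pred, i + 1

def matches(filter_str, entry):
    pred, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return pred(entry)

# Constructed entries (not from the thread): a person, an AD-style computer
# (assumption: "$" only in sAMAccountName), a Samba-style computer as described.
ENTRIES = [
    {"cn": ["Alice Example"], "samaccountname": ["alice"],
     "objectclass": ["top", "person", "organizationalPerson", "user"]},
    {"cn": ["01-00001"], "samaccountname": ["01-00001$"],
     "objectclass": ["top", "person", "organizationalPerson", "user", "computer"]},
    {"cn": ["02-00002$"], "samaccountname": ["02-00002$"],
     "description": ["Computer"], "objectclass": ["top", "account"]},
]

def visible_users(filter_str):
    return [e["samaccountname"][0] for e in ENTRIES if matches(filter_str, e)]

if __name__ == "__main__":
    for flt in ("(!(description=Computer))", "(!(cn=*$))", "(!(sAMAccountName=*$))"):
        print(flt, "->", visible_users(flt))
```

On these entries the description and cn filters only remove the Samba-style computer, while the sAMAccountName filter removes both computers.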

Not to be nit picky but could we start a new thread for this issue as this one is already marked as answered?

mtstravel wrote:

Not to be nit picky but could we start a new thread for this issue as this one is already marked as answered?

Happy? =P

(I branched the discussion to a new thread)

Duplicate…I started a new topic so anyone that can answer it can get the right answer points.

http://www.igniterealtime.org/community/thread/31697?tstart=0