AD Groups - Are these functions incompatible?

We are testing OpenFire/Spark for possible deployment in our company.

Management wanted to know if we could limit logins to certain users so we did what was described in this thread:

which is setting a filter to limit logins to a specific AD group. This worked as expected.

Now we want to pre-populate users’ Friends lists with the members of various AD groups as described here:

This only seems to work if we share the group that was specified in the login filter created in the step noted above. If we share any other group the members do not appear in the lists of other members.

Is this to be expected due to the specification of a group in the login filter? Are these two functions not compatible with each other?

If you have limited Openfire to specific groups via filters then only those groups can be shared. All other users would be offline so their groups would not show or would be empty.

Conversely you should be able to share any groups that valid users are members of as long as they are contained within the baseDN.

My original concept was one large organizational group as the login filter with many smaller groups used for the pre-population (the members of the smaller groups would also be members of the large group). If I understand your comments correctly I should be able to create the departmental groups and share them and then also specify each of those groups in a login filter to create the login limitation management desires (the sum of the departmental groups would equal the result of the one large group). Is that correct?

If so does that imply I can specify the multiple groups in one filter or do I need to create a separate filter entry for each group? I’ve been working on this with the assumption (perhaps incorrect) that we could only create one such login filter.

Thanks so much for the help.

You can use multiple groups in the filter. You need to write your Java filter to include each group DN separated by an and command.
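
As an added example (not part of the thread and not Openfire code), this sketch evaluates a login filter built from several `memberOf` clauses against constructed users, to show which accounts an AND (`&`) combination admits compared with an OR (`|`) combination. The group DNs, user names and helper function names are assumptions made for illustration.

```python
# Added example: constructed group DNs and users, not taken from the thread.
GROUPS = {
    "sales": "CN=Sales,OU=Groups,DC=example,DC=com",
    "eng": "CN=Engineering,OU=Groups,DC=example,DC=com",
}
USERS = {  # login name -> memberOf values (constructed)
    "alice": {GROUPS["sales"]},
    "bob": {GROUPS["eng"]},
    "carol": {GROUPS["sales"], GROUPS["eng"]},
    "dave": set(),
}

def build_filter(op, group_dns):
    """Combine one memberOf clause per group with '&' (AND) or '|' (OR)."""
    clauses = "".join(f"(memberOf={dn})" for dn in group_dns)
    return f"({op}{clauses})"

def parse(f, i=0):
    """Parse the subset used here: (&...), (|...), (attr=value)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)  # DN values contain '=' too
    return ("=", attr, value), end + 1

def matches(node, member_of):
    """Evaluate a parsed filter against one user's memberOf set."""
    if node[0] == "&":
        return all(matches(k, member_of) for k in node[1])
    if node[0] == "|":
        return any(matches(k, member_of) for k in node[1])
    _, attr, value = node
    # Simplification: exact string compare; a directory compares DNs case-insensitively.
    return attr.lower() == "memberof" and value in member_of

def allowed_logins(filter_text):
    """Return the sorted login names the filter would admit."""
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return sorted(u for u, m in USERS.items() if matches(tree, m))
```

Running `allowed_logins` on a candidate filter against a few known accounts before deploying it shows whether the set of permitted logins is the union of the departmental groups or only their intersection.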