AD Problems. Can't get Active Directory Users right

I have been trying to get Wildfire to work with AD on a Windows 2003 Server connected to an SBS 2003 AD server.

I have looked over the forums and for the most part did not find any examples that worked.

I have tried using the LDAP browser that everyone suggests and can't seem to get it to show me just the users in my Wildfire group. I have tried a variety of configurations and can't seem to get the Filter right. I have moved my Wildfire Security Group and Wildfire User into several OUs with no luck. Only the wildfire User gets returned.

Can someone tell me where I should really place my Security Group and what OU the Wildfire user should be placed in and hopefully a working filter?

Here is the layout of my OU:

Active Directory
|
- MyBusiness
  |
  - Computers
  | |
  | - SBS Computers
  | | |
  | | - OU-Accounting
  | | | - Accounting Computers (OU with Computers Names)
  | | | - Accounting Users (OU with Users in it)
  | | - OU Operations
  | | | - Operations Computers (OU with Computers Names)
  | | | - Operations Users (OU with Users in it)
  | | - OU Sales
  | | | - Sales Computers (OU with Computers Names)
  | | | - Sales Users (OU with Users in it)
  | | - OU TechSupport
  | |   - TechSupport Computers (OU with Computers Names)
  | |   - TechSupport Users (OU with Users in it)
  | - SBS Servers
  - Security Groups
  - Users
    - SBS Users (I move all the users out of this group into their respective OU Users group)

Thanks in advance, Tony

Here is my config... with the obvious security stuff changed... I added some explanation for some of the key areas... hope it helps...

<!-- Searches the entire BaseDN for users matching the criteria.
     Criteria: the user is a member of the group named "imusers1" (or "imusers2");
     the groups are located in the OU "IMGroups" in the root of the domain.
     (The element name and the {0} username placeholder were stripped from the
     post as archived; they are restored here from Wildfire's LDAP settings.) -->
<searchFilter><![CDATA[(&(sAMAccountName={0})(|(memberOf=CN=imusers1,OU=IMGroups,DC=domain,DC=local)(memberOf=CN=imusers2,OU=IMGroups,DC=domain,DC=local)))]]></searchFilter>

I attempted to follow your example.

I created an OU off of the root domain called IMGroups.

Inside this OU I created a Security Group called WildFireServer.

Members of this group were set to two of my OU Users under OPERATIONS.

Modified my config file as follows:

<!-- Element names and the {0} group-name placeholder were stripped from the post
     as archived and are restored here from Wildfire's LDAP settings. -->
<groupNameField>cn</groupNameField>
<groupMemberField>member</groupMemberField>
<groupDescriptionField>description</groupDescriptionField>
<groupSearchFilter><![CDATA[(&(cn={0})(|(cn=*WildFireServer)))]]></groupSearchFilter>

Still, the wildfire user is the only user found. In the groups, WildFireServer is found.

Thanks

Tony

The thing that kept screwing me up was case sensitivity... I had to make sure that there were only lowercase characters in the "User logon name (pre-Windows 2000)" field in Active Directory... I know they are working on a fix for it but I think you still have to make sure that is lowercase... Maybe that is the issue, I'm not sure... your config looks correct but it's been a while since I set that up so I might be missing something small...

Does it matter what OU the user is in?

When I run this in the LDAP browser

(& (sAMAccountName=*)(|(memberOf=CN=WildFireServer,OU=IMGroups,DC=mydomain,DC=com) ))

the only response I get is:

CN=Wildfire,CN=Users,DC=domain,DC=com

The rest of the users in the WildFireServer group, which are in a different OU, do not show up.

Shouldn't the above show any users listed in the WildFireServer group regardless of the OU they are listed in?

Tony

Hmmm... That's a good one... Well, looking at my config... I would say that it should indeed show all the usernames even if that user is in a different OU... I in fact do not have any users in the IMGroups OU... All of the users in those groups are residing in several different OUs...

Here's another question...

Do all OUs have to have users in them for this to work?

Why I ask? I added users to all OUs (most were blank as this is a new domain and not all users were added to it, leaving empty OUs) and now it appears that this is working correctly.

Can I delete the wildfire user from the Users Listing in the Wildfire Admin Console? This won't delete that user out of the AD, just from being listed as a chat user, correct?

Tony

I just got something like this running on my servers. I can't remember which thread I found these filters in, but they worked like a charm. Along with the filters there were some instructions, so I will relay those. Wildfire will only recognize top-level members of security groups. So each individual user MUST be a member of the group you authenticate against. In theory, you could auth against an OU, but personally I think that's a nightmare; since a user can only belong to ONE OU, I found it much less of a headache to just create a security group and add the users to it. I was sceptical at first because the search filter returned odd results in an LDAP browser, but it works for the server. I also used a similar filter to limit access to Bugzilla to members of a group. I made two groups, but you could pull it off with one. I found two groups easier for dealing with roster management, since you can't see the group you are authenticating against as a roster group unless groups are authenticated from another group.

the basic filters are:

<!-- Only the tail of the searchFilter survived in the post as archived; "..." marks
     the missing part. Per the explanation below it is the memberOf test for your
     user group (see the example further down). Element names and the {0} username
     placeholder are restored from Wildfire's LDAP settings; the blank values are
     the poster's own placeholders to fill in. -->
<searchFilter><![CDATA[(& ... (sAMAccountName={0}))]]></searchFilter>
<groupNameField>cn</groupNameField>
<groupMemberField>member</groupMemberField>
<groupDescriptionField>description</groupDescriptionField>
<groupSearchFilter><![CDATA[(&(objectClass=group)(memberOf=CN=,DC=,DC=)(member=))]]></groupSearchFilter>

If you put that in your wildfire.conf file after the bind info, and adjust the group names and domain info, then any user that is a top-level member of the group will be able to access the server with their LDAP credentials. It shouldn't matter where the users are as long as they are visible from your baseDN and as long as you call out the entire LDAP path of the groups.

(e.g. if you have a group wildfireusers in the OU Security and your domain is foo.bar.net then it should read (memberOf=CN=wildfireusers,OU=Security,DC=foo,DC=bar,DC=net))

If you just want user auth and not groups then you can leave out the groupSearchFilter section.

Hope that helps.
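As an added, editor-written example (not code from this thread or from Wildfire), a small Python evaluator for the AD-style filters discussed above, run over a constructed directory: it shows that Tony's memberOf filter matches direct group members in any OU, that a user who belongs only through a nested group is missed (the "top-level members only" point), that a base DN narrower than the users' OUs returns only the service account, and it flags mixed-case pre-Windows 2000 logon names (the case issue raised earlier). All DNs, names and entries are constructed sample data.

```python
import re
# Constructed sample directory (not a real domain): the Wildfire service account in
# CN=Users, two people in different OUs, and one person in the group only via a nested group.
GROUP_DN = "CN=WildFireServer,OU=IMGroups,DC=mydomain,DC=com"
ENTRIES = [
    {"dn": "CN=Wildfire,CN=Users,DC=mydomain,DC=com",
     "samaccountname": ["wildfire"], "memberof": [GROUP_DN]},
    {"dn": "CN=Alice Smith,OU=Operations Users,OU=MyBusiness,DC=mydomain,DC=com",
     "samaccountname": ["ASmith"], "memberof": [GROUP_DN]},
    {"dn": "CN=Bob Jones,OU=Sales Users,OU=MyBusiness,DC=mydomain,DC=com",
     "samaccountname": ["bjones"], "memberof": [GROUP_DN]},
    {"dn": "CN=Carol Lee,OU=Sales Users,OU=MyBusiness,DC=mydomain,DC=com",
     "samaccountname": ["clee"],
     "memberof": ["CN=Ops-Staff,OU=IMGroups,DC=mydomain,DC=com"]},
]

def parse(s, i=0):
    """Parse an RFC 4515 filter into ('&'|'|', kids) or ('=', attr, value)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1           # step over the closing ')'
    j = s.index(")", i)                    # DN values in this thread contain no ')'
    attr, value = s[i:j].split("=", 1)     # split on the first '=' only: DNs contain '='
    return ("=", attr.lower(), value), j + 1

def matches(node, entry):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(kid, entry) for kid in node[1])
    _, attr, value = node
    pattern = re.escape(value).replace(r"\*", ".*")   # LDAP '*' wildcard
    # AD compares sAMAccountName and DN-valued attributes case-insensitively
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in entry.get(attr, []))

def search(filter_str, base_dn, entries=ENTRIES):
    """DNs at or below base_dn that match the filter (subtree scope)."""
    compact = re.sub(r"\s+(?=[()])|(?<=[()])\s+", "", filter_str)  # drop spaces between tokens
    node, _ = parse(compact)
    return [e["dn"] for e in entries
            if e["dn"].lower().endswith(base_dn.lower()) and matches(node, e)]

def mixed_case_logon_names(group_dn=GROUP_DN, entries=ENTRIES):
    """Direct members whose pre-Windows 2000 logon name is not all lowercase."""
    return [e["samaccountname"][0] for e in entries
            if group_dn.lower() in (g.lower() for g in e["memberof"])
            and e["samaccountname"][0] != e["samaccountname"][0].lower()]
```

Running Tony's filter with the domain root as base returns the three direct members across CN=Users and two OUs but not Carol; with CN=Users as base it returns only the service account, which is why the base DN is worth checking alongside the filter.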