I was able to configure SSO for users. This required a keytab, etc. as described in the documentation. However, AD search requires an AD account, password, etc.
How to setup openfire that it uses the existing keytab to search the AD? … I guess it can be configured using the ldap.initialContextFactory, but I can not find the right function…