AD user/groups choices?

Bradley_Marks · April 19, 2010, 10:07am

Hi there

We currently have Openfire configured to use AD authentication. It works well, only one problem though, it pulls in every user/group/pc/server into the Users section. Is there a way that i can only choose certain OU’s that i want Openfire to pull in? I only want to see users from the groups.

I really hope this is possible.

Regards

BazzieB

Milan_Enev · April 19, 2010, 10:40am

Yes it is. Just modify ‘user search filter’ in ldap settings according to your needs. Also you can try to search forum and documents section for more examples.

Bradley_Marks · April 19, 2010, 11:02am

Hi Milan

Would that be the field under Server Manage, System Properties, ldap.searchFilter? Currently it is set to (objectClass=organizationalPerson). How would i go about editing this and what kind of custom fields could i add?

I will check the forums and document sections for more help.

Regards

Jason_White · April 19, 2010, 11:45am

Hi,

The ldap.searchFilter setting is the correct setting to edit for the users. What I ended up doing was I setup 1 new OU under our Security Groups OU with a name of OpenFire. Then inside of the OU OpenFire we created a security group named openfire-users. Then I added the users that were going to use IM in the new openfire-users security group. Once you have your OU’s and security group ready you can then edit the ldap.searchFilter section.

Here is an example of my OU Tree:

Root: mydomain.local

OU: Security Groups

OU: OpenFire

SG: openfire-users

This is what the filter would look like to list the users in the openfire-users security group.

(memberOf=CN=openfire-Users,OU=OpenFire,OU=Security Groups,DC=mydomain,dc=local)

Hope this helps.

Seudo

Milan_Enev · April 19, 2010, 11:53am

Would that be the field under Server Manage, System Properties, ldap.searchFilter?

Yes. And also ldap.groupSearchFilter if your plans include groups integration.

I suppose any field in your ldap schema

as AD example: only members of Group1 (should work - not checked by me)

(&(objectClass=organizationalPerson)(memberOf=Group1))

or in my case: only users with email field in AD filled in

(&(objectClass=organizationalPerson)(mail=*))

Basically you have 2 approaches:

edit ldap.baseDN to include only path to particular OU

ou=someOU,dc=my,dc=company,dc=com
or
ou=someOtherOU,ou=someOU,dc=my,dc=company,dc=com

edit search filter

Please try browsing your ldap server either by freely available JXplorer, or by adsiedit included in windows administration tools(cd2). You will find more easily answers to your questions once you realize how simple ldap actually is.

Cheers.

Bradley_Marks · April 19, 2010, 12:34pm

Hi there

Thanks a lot for the responses. Really appreciate it.

Regards

BazzieB