powered by Jive Software

AD user/groups choices?

Hi there

We currently have Openfire configured to use AD authentication. It works well, only one problem though, it pulls in every user/group/pc/server into the Users section. Is there a way that i can only choose certain OU’s that i want Openfire to pull in? I only want to see users from the groups.

I really hope this is possible.



Yes it is. Just modify ‘user search filter’ in ldap settings according to your needs. Also you can try to search forum and documents section for more examples.

Hi Milan

Would that be the field under Server Manage, System Properties, ldap.searchFilter? Currently it is set to (objectClass=organizationalPerson). How would i go about editing this and what kind of custom fields could i add?

I will check the forums and document sections for more help.



The ldap.searchFilter setting is the correct setting to edit for the users. What I ended up doing was I setup 1 new OU under our Security Groups OU with a name of OpenFire. Then inside of the OU OpenFire we created a security group named openfire-users. Then I added the users that were going to use IM in the new openfire-users security group. Once you have your OU’s and security group ready you can then edit the ldap.searchFilter section.

Here is an example of my OU Tree:

Root: mydomain.local

OU: Security Groups

OU: OpenFire

SG: openfire-users

This is what the filter would look like to list the users in the openfire-users security group.

(memberOf=CN=openfire-Users,OU=OpenFire,OU=Security Groups,DC=mydomain,dc=local)

Hope this helps.


Would that be the field under Server Manage, System Properties, ldap.searchFilter?

Yes. And also ldap.groupSearchFilter if your plans include groups integration.

I suppose any field in your ldap schema

as AD example: only members of Group1 (should work - not checked by me)


or in my case: only users with email field in AD filled in


Basically you have 2 approaches:

  1. edit ldap.baseDN to include only path to particular OU


  1. edit search filter

Please try browsing your ldap server either by freely available JXplorer, or by adsiedit included in windows administration tools(cd2). You will find more easily answers to your questions once you realize how simple ldap actually is.


Hi there

Thanks a lot for the responses. Really appreciate it.