Adding more users from Active Directory

Hello,

I have just installed Openfire 3.7 to test in our environment / network. Having selected the BaseDN it has imported these users from AD successfully. All looks great.

One problem is that we have separate OUs for different users / departments. How can I add these other users to the ones already listed?

I believe I can use a CSV, but would really like Openfire to update the users from all our OUs.

Is this possible? If so, how do I go about this?

Many thanks

Alan

The easiest way is to set up your BaseDN as high as possible… For example:

OU=Users,OU=Users and Computers,DC=Domain,DC=com

Then use ldap.searchFilter to only add members from a specific group. In my example below the users are members of Sec-Openfire in my Security OU. Add anyone you want to have access to Openfire to the group you specify.

(&(objectClass=organizationalPerson)(memberOf=CN=Sec-Openfire,OU=Security,DC=Domain,DC=com))

You may also want to use the groupSearchFilter to limit what groups show up in search within Spark and other clients. Just add any groups you want to display in search to this group.

(&(objectClass=group)(memberOf=CN=Sec-OpenfireGroups,OU=Security,DC=Domain,DC=com))

Hello,

many thanks for the very prompt response. Will look at this. Thanks

Alan

Hello,

still can’t get this to work. I am editing the USER MAPPING (step 2 of 3) and am getting an error when testing settings. So, am having a little difficulty.

I have the following setup:

BaseDN

DC=domain,DC=mydom,DC=uk

Admin DN

CN=Administrator,OU=Admin Accounts,OU=System Accounts,OU=- BSU - Privileged Users,DC=domain,DC=mydom,DC=uk

I have a security group called OPENFIRE_users located at the following in AD:

CN=OPENFIRE_users,OU=OPENFIRE,OU= -GROUPS - Standard,dc=domain,dc=mydom,dc=uk

I am at a loss here as to what to put in the fields SEARCH FIELDS and USER FILTER.

Sorry to be so thick with LDAP! Can you help here?

Alan

Based on what you said, here is what you should have on your user mappings:

BaseDN: DC="domain",DC="mydom",DC="uk"

AdminDN: CN="Administrator",OU="Admin Accounts",OU="System Accounts",OU="- BSU - Privileged Users",DC="domain",DC="mydom",DC="uk"

  • Leave the search stuff alone for now and save that

  • Then click the “Server Manager” tab at the top and then the “System Properties” option on the left.

  • Scroll down until you find “ldap.searchFilter”

  • Click the little edit icon

  • Enter this:

(&(objectClass=organizationalPerson)(memberOf=CN=OPENFIRE_users,OU=OPENFIRE,OU= -GROUPS - Standard,dc=domain,dc=mydom,dc=uk))

For example here is what I have:

On the “Server Settings” -> “Profile Settings” page under “Directory Server (LDAP)” (tweaked slightly for security, but general idea)

Host:
controller1.domain.com, controller2.domain.com
Port:
636
Base DN:
OU="Users",OU="Users and Computers",DC="domain",DC="com"
Administrator DN:
CN="openfireldap",OU="Service Accounts",DC="domain",DC="com"


On the “Server Manager” tab -> “System Properties” for “ldap.searchFilter” I have:

(&(objectClass=organizationalPerson)(memberOf=CN=Sec-Openfire,OU=Security,DC=domain,DC=com))


Hi,

thanks for your prompt reply. However, still not working.

Maybe I’m not doing this correctly. I’m hoping to get ANY user that is a member of a group to be listed in the USERS within the Openfire application.

The users we have are spread across AD in several different OUs, hence wanting to use a group.

Entering the details as above, the USERS panel is not showing new users that I’ve added to my OPENFIRE_users group. If I now log out of the admin panel, it doesn’t recognise my details as it can no longer see me… because it can’t find the group. Must be doing something really stupid here!

Alan

A couple of possibilities:

  • If you are using nested groups it won’t work. For example:

Openfire_Users

-> HR_Users

–> Bob

–> Cindy

-> IT_Users

–> Frank

–> Kathy

That won’t work; all of your users need to be directly inside “OPENFIRE_Users”.

  • Make sure that under “System Properties” in Openfire that ldap.usernameField is set to sAMAccountName

  • Make sure that if you are using an SSL port to connect to your domain controllers that ldap.sslEnabled is set to true unless you are not using an SSL port in which case it should be set to FALSE.

I think I may have screwed up your ldap.searchFilter string as well:

It should be:

(&(objectClass=organizationalPerson)(memberOf=CN=OPENFIRE_users,OU=OPENFIRE,OU=- GROUPS - Standard,dc=domain,dc=mydom,dc=uk))

Provided that your group is indeed at:

-Groups - Standard

-> OPENFIRE

–> OPENFIRE_users

(are you sure your container is called “-Groups - Standard”? Is that first hyphen really in the container name?)

Oh and one other thing to try:

  • Create a group in the same OU as your OPENFIRE_Users group and call it OPENFIRE_Groups

  • If you have an “All Staff” or “All Members” type group add it as a member.

  • Set the following in the “Server Properties” on Openfire:

ldap.groupMemberField : member

ldap.groupNameField : cn

ldap.groupSearchFilter : (&(objectClass=group)(memberOf=CN=OPENFIRE_Groups,OU=OPENFIRE,OU= -GROUPS - Standard,dc=domain,dc=mydom,dc=uk))

NOTE: for both ldap.searchFilter and ldap.groupSearchFilter the brackets are important: you should have two (( at the start and two )) at the end.

Also Note: Obviously dc=domain,dc=mydom,dc=uk will need to be changed to whatever your domain actually is.

It may also be worth capitalizing the DC= although it shouldn’t make a difference.
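Added example, not Openfire's code: a minimal RFC 4515 filter parser and evaluator run over a constructed three-entry directory. It shows why the operator has to come first, as in (&(a=b)(c=d)), and why Bob, who is only in a nested group, does not satisfy memberOf while Alan, a direct member, does. The group DNs and entries are made up.

```python
import re
# Tiny RFC 4515 parser/evaluator for the (&(a=b)(c=d)) filters that ldap.searchFilter takes.
def parse(filt):
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing characters at %d" % end)
    return node
def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":          # operator comes first, then the items
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)
    else:
        m = re.compile(r"([A-Za-z][\w.;-]*)=([^()]*)").match(s, i)
        if not m:                            # "((a=b)&(c=d))" fails here: "(" where an item belongs
            raise ValueError("bad filter item at %d" % i)
        node, i = ("=", m.group(1), m.group(2)), m.end()
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return node, i + 1
def is_valid(filt):
    try:
        parse(filt)
        return True
    except ValueError:
        return False
def matches(node, entry):                    # entry: lowercase attribute -> list of values
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    # AD compares DNs and objectClass values case-insensitively
    return any(v.lower() == node[2].lower() for v in entry.get(node[1].lower(), []))

# Constructed directory: alan is a direct member, bob is only in the nested HR_Users group.
GROUP = "CN=OPENFIRE_users,OU=OPENFIRE,DC=domain,DC=mydom,DC=uk"
NESTED = "CN=HR_Users,OU=OPENFIRE,DC=domain,DC=mydom,DC=uk"
PERSON = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {"alan": {"objectclass": PERSON, "memberof": [GROUP]},
           "bob": {"objectclass": PERSON, "memberof": [NESTED]},
           "HR_Users": {"objectclass": ["top", "group"], "memberof": [GROUP]}}
GOOD = "(&(objectClass=organizationalPerson)(memberOf=%s))" % GROUP
BAD = "((objectClass=organizationalPerson)&(memberOf=%s))" % GROUP   # operator in the wrong place

def allowed_users(filt, entries=ENTRIES):
    node = parse(filt)                       # BAD raises ValueError here, as the directory would
    return sorted(n for n, e in entries.items() if matches(node, e))
```

Running allowed_users(GOOD) returns only alan; to admit members of nested groups you would have to flatten them into OPENFIRE_users, as the reply above says.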

Hi,

I’m not using nested groups. All my test users are in the one group (OPENFIRE_users), that is in the OU called OPENFIRE.

I’m going to remove it and start again.

Thanks

Alan

Hi,

thanks again. I’m going to remove the hyphen OU and move my group out for simplicity and start again with your instructions above.

Will let you know how I get on.

Thanks

Alan

Hi,

done that. Started from scratch and this time, before editing the group filters, was able to see ALL items in AD. Users, groups and PCs.

Although, after editing the search filters, it still shows all entries from AD. So far, this is better than nothing. I will check over the instruction you have given me and discuss this with a colleague.

Many thanks so far.

Alan

Hi,

after my removal and re-install on Friday, and following your instructions, my users are now listed in Openfire correctly. Many thanks for your help in this matter. Most appreciated.

Alan