Authenticating users by group membership?


I’‘m trying to setup Wildfire 3.0.0 using LDAP authentication. I’'ve followed the LDAP guide and have set up simple authentication for any user in the directory, but I would really like to restrict authenticated users to members of a particular group.

I’‘ve tried adding a searchFilter entry, checking that the user is a “memberOf” the particular group, but it doesn’‘t seem to work. Has anyone tried to do this before? I’'m using OpenDirectory (OpenLDAP) on MacOS X Server 10.4, if that makes any difference.



Hi! Nice to see a fellow Mac user!

I’‘ve got my LDAP setup using a group for Wildfire users, and it’'s been working smoothly for some time now. You probably want your searchFilter to look something like this:


Hope this is helpful!

Timothy Collett

Hi Timothy,

Thanks for the tip. I added a searchFilter entry with something similar to what you supplied, and no logins in the specified group worked.

Here’‘s the LDAP config I’'m using:

org.jivesoftware.wildfire.ldap.LdapUserProvider org.jivesoftware.wildfire.ldap.LdapAuthProvider --- I''ve tried a number of variations on the search filter, but none seem to work: <![CDATA[(&(uid=)(memberOf=cn=tlaf-staff,cn=Groups,dc=theli

ttleappfactory,dc=com))]]> <![CDATA[(&(uid=)(memberOf=cn=tlaf-staff,cn=Users,dc=theli



Looking at the LDAP directory with another browser (JXplorer), the actual dn of the group I want to have access is "cn=tlaf-staff,cn=groups,dc=theli

ttleappfactory,dc=com", which doesn’'t appear to work (as above).

Is there anything I’'m missing here?

Thanks for the help!



You need to add the following to the <![CDATA[(&(uid=)(memberOf=cn=tlaf-staff,cn=groups,dc=thelittle


This won’'t work because OpenDirectory on OS X does not use the memberOf attribute.

I’'ve just set up the same thing on our xserve. The problem is that OpenDirectory has a somewhat non-standard way of representing group membership.

My workaround is to set a specific primary group for users who should have access to jabber. You need to edit each user individually and change their primary group. Then you can use the filter


where gidNumber is the Group ID of the primary group you have set (you can see this ID in Workgroup Manager).

I don’‘t know how to create a filter that will work with groups other than the primary group, but it might be possible, I’'m not very experienced with LDAP.

Gah… that’‘s a bit nasty. I’‘ve had a look around and it doesn’‘t look like there’'s an easy way to do this, short of grabbing the members of a group and iterating over them when a user tries to log in. (Something which I doubt I could hook into Wildfire?)

Does anyone have any other suggestions on how to achieve this? I’‘m pretty stumped… I plan on using the same LDAP directory to authenticate JIRA and Confluence users, so I suspect I’'ll run into the same problem then…

Thanks for your help!

Not sure if the OP is still watching this thread, but i have a halfway solution for them.

I use OpenDirectory also so i spent some time being frustrated

Since memberOf doesnt work I created a group in OD for each of my offices with the name prefixed with “jabber”, such as '‘JabberSanJose". Then as you can see in my search filter for groups I filter out all groups that don’'t start with “jabber”. Now in my admin console I see only groups that start with the jabber name, from there i can edit the group and give it a nice display name and set which users have the group.

As for access, you can also see that i am currently allowing all my users access, I really don’'t want this. So my thinking in the search filter would be to only allow users that have the apple-imhandle attribute (which is defined in the workgroup manager, info page, chat) that has a value that begins with JABBER as if i fill this value in the user should have access.

For example, the value for my account is

But here is the halfway part, cannot seem to get wildcards to work in the search filter for user accounts

I have tried…


Yes, I am still watching this post… That method sounds alright, but I think it still requires manually modifying the LDAP records in order to provide access, which is a bit annoying. One other way of doing it might be to put in a search filter for the domain that is being served by the Wildfire server.


However… while a workaround, it would be much better to be able to get authentication via group membership working on OpenDirectory.