Can't add administrator account

Hello Everybody,

This looks like a great app to try, however I’m having a couple of problems. Below is my config and a little play by play as I ran the wizard. I’ve checked your knowledge base and remedied most of my issues from there but I’m stuck now. Any help would be greatly appreciated.

OpenFire Config:

**embedded database settings**

**Directory Server (LDAP)**

**Server Type - Active Directory**

**Host = (domain controller netbios name)**

**Base DN = CN=INSTANT MESSAGING - SECURITY,OU=SECURITY GROUPS,OU=GROUPS,DC=PBTRUCK,DC=COM**

Administrator DN = CN=ADMINISTRATOR,OU=ADMINS,DC=PBTRUCK,DC=COM

I get a “status success” So far so good.

**Username Field = sAMAccountName**

**Search Fields =**

User Filter =

When I “Test Setting” it gives me the Group (INSTANT MESSAGING - SECURITY) that I’m pointing at but none of the users contained in that group. Now I’ve dinked with this and if I pull an actual user account into the OU where this group resides it sees it. However, for obvious reasons this is not going to be acceptable with all users.

Even though I’m pretty sure there is something wrong here I’m moving on since it thinks it had a successful test.

**Group Field = cn**

**Member Field = member**

Description = description

When I test these settings it actually sees that there are 4 users in the Group (which is correct). So I save and continue and try to add an administrator. NO JOY. I can however add an administrator if I put a user directly into the OU I’ve specified for my BASE DN. Again, this will not work domain wide. I have too many group policies dependent on OU location.

Anybody see what the dumb mistake is I’m making?

Thanks for the help

Eric

One other thing worth mentioning. If I do place a user in the said OU and then add it that way, it will not let me login with that user.


Message was edited by: AlphaTwin

Your base DN should not have a CN for a group in it. It should stop at the OU level. The only valid CN for the baseDN is the default Users CN in Active Directory.

Ok,

So it sounds like I need to isolate my Instant Messaging group in its own OU. Right now I have it in an OU with all of my other Security Groups. I’ll give that a try.

Eric

Well cool I’m in,

I still have the other problem however. Maybe it’s not a problem just the way it works.

Let me explain:

I had to make a special account (openfire) and drop it in the same OU as the Instant Messaging group. It won’t let me use the usernames in the Group as an admin. It will only let me use actual users that are sitting in the OU I’m pointing at in my BASE DN.

Hope that makes sense.

Thanks

Eric

Also, I can only login with the OpenFire account through Spark, but none of my accounts in the group I’ve created in active directory will login.

I’m pretty sure something is wrong here:

**Username Field = sAMAccountName**

**Search Fields =**

User Filter =

Just not sure what.

Ok,

I tried this:

((objectCategory=Person)(memberOf=CN=INSTANT MESSAGING - SECURITY,OU=INSTANT MESSAGING,OU=SECURITY GROUPS,OU=GROUPS,DC=PBTRUCK,DC=COM)

as my User Filter, no joy.

Thought for sure I had it.

Eric

Shoot,

Here’s the latest string I’ve tried with no luck. I have to be close.

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(samaccountname=$logon)(memberOf=CN=INSTANT MESSAGING - SECURITY,OU=INSTANT MESSAGING,OU=Security Groups,OU=Groups,dc=pbtruck,dc=com))

I meant to add to my follow up in http://www.igniterealtime.org/community/thread/38835 that I used the default administrator settings. If you can wait a couple of days, I can get my install settings for you to compare.

Brian

Cool,

Any help would be greatly appreciated.

Thanks

Ok,

I’m now convinced my problem is the user filter. I just can’t seem to get the LDAP syntax correct to allow it to look into the group rather than at it or at the accounts in the OU where this group resides.

Here is my Group:

CN=INSTANT MESSAGING - SECURITY,OU=INSTANT MESSAGING,OU=SECURITY GROUPS,OU=GROUPS,DC=pbtruck,DC=com

My base DN:

OU=INSTANT MESSAGING,OU=SECURITY GROUPS,OU=GROUPS,DC=pbtruck,DC=com

And my administrator DN:

CN=Administrator,OU=ADMINS,DC=pbtruck,DC=com

So again, I just need to a have the proper userfilter string. I’ve seached this site and Google for days now with no luck.

Anybody got an idea?

Thanks for all the help so far.

Eric

Haven’t been feeling 100% so hardly done anything. Here are the settings I used for the MS AD install.

ldap.adminDN Administrator@company.local
ldap.baseDN dc=company,dc=local
ldap.connectionPoolEnabled true
ldap.debugEnabled false
ldap.emailField mail
ldap.groupDescriptionField description
ldap.groupMemberField member
ldap.groupNameField cn
ldap.groupSearchFilter (&(objectClass=group)(memberof=CN=XMPP_Users,OU=Applications,OU=Security Groups,OU=company Pty Ltd,DC=company,DC=local))
ldap.host server.company.local
ldap.ldapDebugEnabled false
ldap.nameField cn
ldap.override.avatar true
ldap.port 389
ldap.posixMode false
ldap.searchFilter (&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=XMPP_Users,OU=Applications,OU=Security Groups,OU=company Pty Ltd,DC=company,DC=local)(!(userAccountControl:1.2.840.113556.1.4.804:=2))(!(cn=service*)))
ldap.sslEnabled false
ldap.usernameField sAMAccountName
xmpp.domain jabber.company.local

Note the ldap.baseDN as the root of the AD. This install is purely for internal use, therefore the company.local references. If it was public, the xmpp.domain would need to be changed.

I also added a CNAME for the xmpp.domain into my domain DNS. The server openfire is on has 2 network cards and I only wanted traffic on 1 IP.

Brian

Wooo Hooo I finally got it working,

Here’s what finally worked for me:

BASE DN

OU=INSTANT MESSAGING,OU=SECURITY GROUPS,OU=GROUPS,DC=pbtruck,DC=com

ADMINISTRATOR DN

CN=Administrator,OU=ADMINS,DC=pbtruck,DC=com

USER FILTER

(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=INSTANT MESSAGING - SECURITY,OU=INSTANT MESSAGING,OU=SECURITY GROUPS,OU=GROUPS,DC=pbtruck,DC=com)(!(userAccountControl:1.2.840.113556.1.4.804:=2)))

I had 2 things wrong. I had to point my base DN just at the Domain Root, not all the way to the OU where the Group was. And Obviously my USER FILTER was horked.

I’m going to have to do a little research on those strings of numbers in my LDAP syntax, I suspect they are a kind of pre-configured setting built into windows that I was unaware of to make the implementation of an LDAP string a little easier but I’ll have to look into it to be sure.

Anyway thanks a ton Brian, I can remove the tape from my head now.

Eric
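Added example (not part of the thread and not Openfire's own code): an offline checker for the three things the thread turned on, namely the base DN reply early on (a base DN at the group's own container sees no users, because the user objects do not live under it), Brian's working ldap.searchFilter, and Eric's final USER FILTER. It parses an RFC 4515 filter, names the Microsoft matching-rule OIDs it uses (the "strings of numbers": 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, .804 is LDAP_MATCHING_RULE_BIT_OR, .1941 is LDAP_MATCHING_RULE_IN_CHAIN, which resolves nested group membership), and evaluates the filter against a small constructed directory. The group and OU DNs are the thread's; the nested group "IM Helpdesk", the users alice/bob/carol/dave under OU=Users, and their userAccountControl values are hypothetical. AD semantics are simplified (plain case-insensitive string matching, no objectCategory resolution), which is enough to show why plain memberOf= misses nested members, why the userAccountControl test drops disabled accounts, and why the base DN has to sit above the users.

```python
import re

AD_RULES = {"1.2.840.113556.1.4.803": "LDAP_MATCHING_RULE_BIT_AND",    # all mask bits set
            "1.2.840.113556.1.4.804": "LDAP_MATCHING_RULE_BIT_OR",     # any mask bit set
            "1.2.840.113556.1.4.1941": "LDAP_MATCHING_RULE_IN_CHAIN"}  # nested membership
BIT_AND, BIT_OR, IN_CHAIN = AD_RULES
ITEM_RE = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+))?(:=|=)(.*)", re.S)

def parse_filter(text):
    """Parse an RFC 4515 filter into ('&'|'|'|'!', [kids]) or ('item', attr, oid, value); ValueError if malformed."""
    pos = 0
    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1
    def node():
        nonlocal pos
        expect("(")
        if pos < len(text) and text[pos] in "&|!":
            op, pos, kids = text[pos], pos + 1, []
            while pos < len(text) and text[pos] == "(":
                kids.append(node())
            if not kids or (op == "!" and len(kids) != 1):
                raise ValueError(f"bad operand count for {op!r} at offset {pos}")
            expect(")")
            return (op, kids)
        end = text.find(")", pos)
        m = ITEM_RE.fullmatch(text[pos:end]) if end >= 0 else None
        if not m or (m.group(2) and m.group(3) != ":="):
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        pos = end + 1
        return ("item", m.group(1).lower(), m.group(2), m.group(4))
    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing characters: {text[pos:]!r}")
    return tree

def _chain(directory, entry, attr):
    """DNs reached by following attr transitively (user -> groups -> their groups): what IN_CHAIN walks."""
    seen, todo = set(), [dn.lower() for dn in entry.get(attr, [])]
    while todo:
        dn = todo.pop()
        if dn not in seen:
            seen.add(dn)
            todo += [d.lower() for d in directory.get(dn, {}).get(attr, [])]
    return seen

def matches(tree, entry, directory):
    kind = tree[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(matches(k, entry, directory) for k in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry, directory)
    _, attr, rule, value = tree
    vals = [str(v).lower() for v in entry.get(attr, [])]
    if rule is None:  # equality, presence ('*') or initial substring ('abc*')
        want = value.lower()
        return bool(vals) if want == "*" else any(
            v.startswith(want[:-1]) if want.endswith("*") else v == want for v in vals)
    if rule in (BIT_AND, BIT_OR):  # with a single-bit mask such as 2 the two rules agree
        hits = [int(v) & int(value) for v in vals]
        return any(h == int(value) for h in hits) if rule == BIT_AND else any(hits)
    if rule == IN_CHAIN:
        return value.lower() in _chain(directory, entry, attr)
    raise ValueError(f"unsupported matching rule {rule}")

def search(filter_text, directory, base_dn):
    """sAMAccountNames of entries at or under base_dn (subtree scope) that match the filter."""
    tree, base = parse_filter(filter_text), base_dn.lower()
    return sorted(e["samaccountname"][0] for dn, e in directory.items()
                  if (dn == base or dn.endswith("," + base)) and "samaccountname" in e
                  and matches(tree, e, directory))

def rules_used(filter_text):
    """Name every ':OID:=' matching rule a filter relies on."""
    return {o: AD_RULES.get(o, "unknown") for o in re.findall(r":(\d+(?:\.\d+)+):=", filter_text)}

# Constructed sample directory: ROOT, GROUPS_OU and GROUP are the thread's DNs, the nested group
# and the users under OU=Users are hypothetical. Keys and DNs are lower-cased, values are lists.
ROOT = "DC=pbtruck,DC=com"
GROUPS_OU = "OU=INSTANT MESSAGING,OU=SECURITY GROUPS,OU=GROUPS," + ROOT
GROUP = "CN=INSTANT MESSAGING - SECURITY," + GROUPS_OU
NESTED = "CN=IM Helpdesk," + GROUPS_OU

def _user(name, groups, uac=512):
    return {"dn": f"CN={name},OU=Users,{ROOT}", "objectClass": ["top", "person", "user"],
            "sAMAccountName": name, "memberOf": groups, "userAccountControl": uac}

DIRECTORY = {e["dn"].lower(): {k.lower(): v if isinstance(v, list) else [v] for k, v in e.items()}
             for e in [{"dn": GROUP, "objectClass": ["top", "group"]},
                       {"dn": NESTED, "objectClass": ["top", "group"], "memberOf": [GROUP]},
                       _user("alice", [GROUP]),           # direct member, enabled
                       _user("bob", [NESTED]),            # member only through the nested group
                       _user("carol", [GROUP], uac=514),  # direct member, ACCOUNTDISABLE (0x2) set
                       _user("dave", [])]}                # not a member

FINAL_FILTER = (f"(&(objectClass=user)(memberOf:{IN_CHAIN}:={GROUP})"
                f"(!(userAccountControl:{BIT_OR}:=2)))")   # the filter that worked for Eric
DIRECT_FILTER = f"(&(objectClass=user)(memberOf={GROUP}))"  # direct members only, no disabled check
```

With the base DN set to GROUPS_OU, `search(FINAL_FILTER, DIRECTORY, GROUPS_OU)` returns nothing, which is the "sees the group but none of the users" symptom; with the base at ROOT it returns alice and bob (bob only because of the .1941 rule), and DIRECT_FILTER returns alice and carol, i.e. it misses the nested member and keeps the disabled account. BIT_AND and BIT_OR give the same answer for the single-bit mask 2; they only differ for multi-bit masks. To run the same filter against the real domain, the string can be passed unchanged to `Get-ADUser -LDAPFilter '<filter>' -SearchBase '<base DN>'` in PowerShell.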