
Can't add administrator account

Hello Everybody,

This looks like a great app to try, however I’m having a couple of problems. Below is my config and a little play by play as I ran the wizard. I’ve checked your knowledge base and remedied most of my issues from there but I’m stuck now. Any help would be greatly appreciated.

OpenFire Config:

embedded database settings

Directory Server (LDAP)

Server Type - Active Directory

Host = (domain controller netbios name)



I get a “status success”. So far so good.

Username Field = sAMAccountName

Search Fields =

User Filter =

When I “Test Setting” it gives me the Group (INSTANT MESSAGING - SECURITY) that I’m pointing at but none of the users contained in that group. Now I’ve dinked with this, and if I pull an actual user account into the OU where this group resides it sees it. However, for obvious reasons this is not going to be acceptable with all users.

Even though I’m pretty sure there is something wrong here, I’m moving on since it thinks it had a successful test.

Group Field = cn

Member Field = member

Description = description

When I test these settings it actually sees that there are 4 users in the Group (which is correct). So I save and continue and try to add an administrator. NO JOY. I can, however, add an administrator if I put a user directly into the OU I’ve specified for my BASE DN. Again, this will not work domain wide. I have too many group policies dependent on OU location.

Anybody see what the dumb mistake is I’m making?

Thanks for the help


One other thing worth mentioning. If I do place a user in the said OU and then add it that way, it will not let me login with that user.



Your base DN should not have a CN for a group in it. It should stop at the OU level. The only valid CN for the baseDN is the default Users CN in Active Directory.


So it sounds like I need to isolate my Instant Messaging group in its own OU. Right now I have it in an OU with all of my other Security Groups. I’ll give that a try.


Well, cool, I’m in.

I still have the other problem however. Maybe it’s not a problem just the way it works.

Let me explain:

I had to make a special account (openfire) and drop it in the same OU as the Instant Messaging group. It won’t let me use the usernames in the Group as an admin. It will only let me use actual users that are sitting in the OU I’m pointing at in my BASE DN.

Hope that makes sense.



Also, I can only login with the OpenFire account through Spark, but none of my accounts in the group I’ve created in Active Directory will login.

I’m pretty sure something is wrong here:

Username Field = sAMAccountName

Search Fields =

User Filter =

Just not sure what.


I tried this:


as my User Filter, no joy.

Thought for sure I had it.



Here’s the latest string I’ve tried with no luck. I have to be close.

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(samaccountname=$logon)(memberOf=CN=INSTANT MESSAGING - SECURITY,OU=INSTANT MESSAGING,OU=Security Groups,OU=Groups,dc=pbtruck,dc=com))

I meant to add to my follow-up in http://www.igniterealtime.org/community/thread/38835 that I used the default administrator settings. If you can wait a couple of days, I can get my install settings for you to compare.



Any help would be greatly appreciated.



I’m now convinced my problem is the user filter. I just can’t seem to get the LDAP syntax correct to allow it to look into the group rather than at it or at the accounts in the OU where this group resides.

Here is my Group:


My base DN:


And my administrator DN:


So again, I just need to have the proper user filter string. I’ve searched this site and Google for days now with no luck.

Anybody got an idea?

Thanks for all the help so far.


Haven’t been feeling 100%, so I’ve hardly done anything. Here are the settings I used for the MS AD install.

ldap.adminDN Administrator@company.local
ldap.baseDN dc=company,dc=local
ldap.connectionPoolEnabled true
ldap.debugEnabled false
ldap.emailField mail
ldap.groupDescriptionField description
ldap.groupMemberField member
ldap.groupNameField cn
ldap.groupSearchFilter (&(objectClass=group)((memberof=CN=XMPP_Users,OU=Applications,OU=Security Groups,OU=company Pty Ltd,DC=company,DC=local)))
ldap.host server.company.local
ldap.ldapDebugEnabled false
ldap.nameField cn
ldap.override.avatar true
ldap.port 389
ldap.posixMode false
ldap.searchFilter (&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=XMPP_Users,OU=Applications,OU=Security Groups,OU=company Pty Ltd,DC=company,DC=local)(!(userAccountControl:1.2.840.113556.1.4.804:=2))(!(cn=service*)))
ldap.sslEnabled false
ldap.usernameField sAMAccountName
xmpp.domain jabber.company.local

Note the ldap.baseDN as the root of the AD. This install is purely for internal use, therefore the company.local references. If it was public, the xmpp.domain would need to be changed.

I also added a CNAME for the xmpp.domain into my domain DNS. The server openfire is on has 2 network cards and I only wanted traffic on 1 IP.


Woo hoo, I finally got it working.

Here’s what finally worked for me:






(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=INSTANT MESSAGING - SECURITY,OU=INSTANT MESSAGING,OU=SECURITY GROUPS,OU=GROUPS,DC=pbtruck,DC=com)(!(userAccountControl:1.2.840.113556.1.4.804:=2)))

I had 2 things wrong. I had to point my base DN just at the Domain Root, not all the way to the OU where the Group was. And obviously my USER FILTER was horked.

I’m going to have to do a little research on those strings of numbers in my LDAP syntax. I suspect they are a kind of pre-configured setting built into Windows that I was unaware of to make the implementation of an LDAP string a little easier, but I’ll have to look into it to be sure.

Anyway thanks a ton Brian, I can remove the tape from my head now.
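An added example, not from this thread, from Openfire or from either poster's installation: a small Python model of how Openfire's ldap.baseDN and ldap.searchFilter combine, written so the two fixes above (base DN at the domain root, a filter that tests group membership through the matching-rule OIDs) can be checked offline. The "strings of numbers" are Microsoft's matching-rule OIDs: 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, 1.2.840.113556.1.4.804 is LDAP_MATCHING_RULE_BIT_OR, and 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (transitive membership through nested groups). For the single-bit ACCOUNTDISABLE mask (2) the AND and OR rules agree, which is why both the 804 filter in the thread and the 803 form used below reject disabled accounts; the block also shows a multi-bit mask where they differ. The directory contents (users alice, bob, carol, dave, the nested group "IM Nested", the Sales and Engineering OUs) are constructed for the example; only the INSTANT MESSAGING - SECURITY group DN comes from the thread. DN parsing splits on commas and ignores escaped commas, a simplification noted in the code.

```python
from collections import deque

# Microsoft matching-rule OIDs used in AD filters (documented names).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
ACCOUNTDISABLE = 0x2  # userAccountControl bit for a disabled account

ROOT = "DC=pbtruck,DC=com"
GROUP_OU = f"OU=INSTANT MESSAGING,OU=SECURITY GROUPS,OU=GROUPS,{ROOT}"
IM_GROUP = f"CN=INSTANT MESSAGING - SECURITY,{GROUP_OU}"  # DN from the thread
NESTED_GROUP = f"CN=IM Nested,OU=SECURITY GROUPS,OU=GROUPS,{ROOT}"  # constructed


def user(cn, ou, uac):
    """Constructed user entry: DN plus the attributes the filter looks at."""
    return (f"CN={cn},OU={ou},{ROOT}",
            {"objectClass": ["user"], "sAMAccountName": [cn], "userAccountControl": [uac]})


# Constructed in-memory directory (DN -> attributes); not real pbtruck.com data.
DIRECTORY = dict([
    (IM_GROUP, {"objectClass": ["group"],
                "member": [f"CN=alice,OU=Sales,{ROOT}", f"CN=carol,OU=Sales,{ROOT}", NESTED_GROUP]}),
    (NESTED_GROUP, {"objectClass": ["group"], "member": [f"CN=bob,OU=Engineering,{ROOT}"]}),
    user("alice", "Sales", 512),        # NORMAL_ACCOUNT, direct member
    user("carol", "Sales", 514),        # NORMAL_ACCOUNT | ACCOUNTDISABLE, direct member
    user("bob", "Engineering", 512),    # member only via the nested group
    user("dave", "Engineering", 512),   # not a member at all
])


def dn_parts(dn):
    # Simplification: splits on every comma; escaped commas in RDNs are out of scope.
    return [p.strip().lower() for p in dn.split(",")]


def is_under(dn, base_dn):
    """Subtree-scope check: the entry's DN must end with the base DN's RDNs."""
    d, b = dn_parts(dn), dn_parts(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


def member_of_in_chain(dn, group_dn):
    """LDAP_MATCHING_RULE_IN_CHAIN: follow member links through nested groups."""
    target, seen, queue = dn.lower(), set(), deque([group_dn])
    while queue:
        g = queue.popleft()
        if g.lower() in seen:
            continue
        seen.add(g.lower())
        for m in DIRECTORY.get(g, {}).get("member", []):
            if m.lower() == target:
                return True
            if "group" in DIRECTORY.get(m, {}).get("objectClass", []):
                queue.append(m)
    return False


def bit_match(rule, value, mask):
    """Bitwise matching rules: AND needs every mask bit set, OR needs any."""
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return value & mask == mask
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return value & mask != 0
    raise ValueError(f"unknown matching rule {rule}")


def openfire_user_predicate(dn, entry, group_dn=IM_GROUP):
    """Python equivalent of the working ldap.searchFilter from the thread."""
    uac = entry.get("userAccountControl", [0])[0]
    return ("user" in entry.get("objectClass", [])
            and member_of_in_chain(dn, group_dn)
            and not bit_match(LDAP_MATCHING_RULE_BIT_OR, uac, ACCOUNTDISABLE))


def search(base_dn, predicate=openfire_user_predicate):
    """Subtree search as Openfire issues it: only entries under base_dn are candidates."""
    return sorted(e["sAMAccountName"][0] for dn, e in DIRECTORY.items()
                  if is_under(dn, base_dn) and predicate(dn, e))


def ldap_escape(value):
    """RFC 4515 escaping for an assertion value (a DN embedded in a filter)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_search_filter(group_dn):
    """Produce the ldap.searchFilter string for Openfire with the OIDs spelled out."""
    return ("(&(objectClass=user)"
            f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={ldap_escape(group_dn)})"
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})))")


if __name__ == "__main__":
    print("base at domain root:", search(ROOT))          # alice and bob
    print("base at the group's OU:", search(GROUP_OU))   # nothing: users are not under it
    print(build_search_filter(IM_GROUP))
```

search(ROOT) returns alice and bob (bob only because IN_CHAIN follows the nested group; carol is dropped as disabled), while search(GROUP_OU) returns nothing, which is the symptom from the start of the thread: a filter is only applied to entries under ldap.baseDN, so a base DN that stops at the group's OU can never return users living elsewhere. Before pasting the string from build_search_filter into Openfire, run it against the domain controller with the same base and subtree scope (ldapsearch -b "DC=…" -s sub, or Get-ADUser -LDAPFilter on Windows) and confirm exactly the expected accounts come back.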