Custom Group Sharing in AD Environment?

Greetings. I have a client wanting to use Openfire. In our test environment, we have ~25 users, OpenFire 3.6.0, Spark 2.5.8, Windows 2003 server hosting the OpenFire and MySQL installs and of course an Active Directory setup.

What the client needs is to have all users run Spark and ONLY see and chat with Management, not other users (due to prior abuse).

So, for example, we’d have a Managers group (in AD and thus Spark). Then we’d have a General group with everyone else in it.

The Managers group should see themselves and all in the General group.

The General group should see ONLY the Managers group.

Is this possible?

Unfortunately this is not possible. Group sharing by default shares the group with its members. You can extend that to non-members, but members will always see the shared group.

Thanks for the answer. I’m going to first try to see if I can muddle something to fit by using ‘native’ vs. AD mode and then dink with the stuff in your mysql tables. Barring that, I’ll have to search for a non OpenFire solution and 100% of them are ugly and painful (I did a fairly thorough search last week). Again, thank you. Heck, the responsiveness alone of this simple query shows OpenFire to be the definitive IM solution. Here’s hoping …

You can geek this out using the packet filter plug-in. It may take a couple of rules, but shouldn’t be difficult to set up.

For now, I created a temporary solution. Given enough time (probably in a few days or weeks), I’ll check out the packet filter as it sounds like a more elegant solution.

What I did is this (in case it helps others in a similar situation):

  1. Turned off AD sync mode.

  2. Manually entered the users and groups (I only have 2 groups and some 25 users - none are in both groups).

  3. Enabled roster sharing for all users with regards to the Managers group. Now all who log in can chat with managers.

  4. Created a script (mine is ruby, use whatever you want for your situation). The script reads the mysql db, grabs the list of managers and users, inserts the whole list of normal users into a custom roster group for each manager. (I’ll share the script if anyone asks). Now each manager can see a group called “General” that contains all non-managers.

  5. I set the ruby script to run every so often. For now, once a day. Takes all of 10 seconds to run.

Now, while it was fun programming in ruby (my favorite language), it’s a bit too rough a solution for the masses.

Thanks for those who helped guide me thus far and I’ll report if I find Packet Filter a more elegant solution.

Ihingos, you hit the nail on the head. Once I had time to stop dinkin’ with the server and rushing out the installs, I tried the Packet Filter method. Worked like a charm. 1 simple rule, DENY, general group to general group and boom. Nobody could see the presence of non-managers or IM/send files/etc. It took a restart of each client to go live, but that was trivial.

I thank you (and all the devs). Kudos.
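
An added example, not code from anyone in this thread or from the Packet Filter plug-in: a small Ruby model for checking that a single "DENY General to General" rule produces the visibility asked for in the original question, including what happens to a user who is in both groups. The user names, the first-match-wins evaluation and the default-allow behaviour are assumptions of the model, and the membership data is constructed.

```ruby
require 'set'

# Constructed sample membership (not from the thread).
# "dana" is deliberately placed in both groups to show the overlap case.
GROUPS = {
  'Managers' => Set['alice', 'bob', 'dana'],
  'General'  => Set['carol', 'dave', 'dana']
}.freeze

# Assumed model of an ordered rule list: first match wins, default is allow.
Rule = Struct.new(:action, :from_group, :to_group)
RULES = [Rule.new(:deny, 'General', 'General')].freeze

def member?(user, group)
  GROUPS.fetch(group).include?(user)
end

# Would a stanza (message, presence, file offer) from sender reach recipient?
def allowed?(sender, recipient, rules = RULES)
  hit = rules.find do |r|
    member?(sender, r.from_group) && member?(recipient, r.to_group)
  end
  hit.nil? || hit.action == :allow
end

# Users the given user can exchange traffic with in both directions.
def reachable(user)
  everyone = GROUPS.values.reduce(:|).to_a
  (everyone - [user]).select { |o| allowed?(user, o) && allowed?(o, user) }.sort
end

# Users in both groups: a group-to-group deny matches them as General members,
# so a manager who is also in General cannot reach the General group.
def overlap
  GROUPS['Managers'] & GROUPS['General']
end

if __FILE__ == $PROGRAM_NAME
  GROUPS.values.reduce(:|).sort.each do |u|
    puts "#{u}: #{reachable(u).join(', ')}"
  end
  puts "in both groups: #{overlap.to_a.join(', ')}" unless overlap.empty?
end
```

In this model a user in both groups is treated like any other General member by the deny rule, which is why keeping the two groups disjoint, as in the manual setup above, matters.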