
Different DN for Users and Groups

My current active directory structure is the following:

Users: CN=Users,DC=test,DC=local

Distribution Groups: OU=DistGroups,DC=test,DC=local


We would like to have several chat related groups for contact sharing purposes:

Security Group: Chat - All users that can use the chat system

Security Group: TechSupport

Security Group: CustService

Security Group: Managers


We would like to put these security groups in: OU=ChatGroups,DC=test,DC=local and to filter out groups from other places, each will be a member of CN=ChatServices,OU=ChatGroups,DC=test,DC=local

It seems that OpenFire will only read group information from the same DN as the users.

Is there a way to set up the requested behavior?

I should add:

ldap.alternateBaseDN = OU=ChatGroups,DC=test,DC=local

ldap.baseDN = CN=Users,DC=test,DC=local

ldap.searchFilter = (&(sAMAccountName={0})(memberOf=CN=chat,OU=ChatGroups,DC=test,DC=local))

ldap.groupSearchFilter = (&(objectClass=group)(memberOf=CN=ChatServices,OU=ChatGroups,DC=test,DC=local))

The above only lists groups in the baseDN, but not the alternateBaseDN

Message was edited by: yakatz

I know this is something you do not want to hear, but I would move your users to an OU (except default AD created accounts). This is a good time to consider a better structure for your tree. Here is my LDAP friendly tree structure (Note the Users OU and ChatGroups OU are nested together):


That being said, you could point your Openfire baseDN to the root of the tree (dc=domain,dc=com). This will capture all OUs. You can then use filters to limit the search results.
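
Added example, not part of either post and not Openfire code: a small in-memory model of an LDAP subtree search, showing why a base of CN=Users never returns the chat groups and how a root base plus the memberOf filters from the first post (the group filter written with `&`) narrows the results again. The directory entries, the names alice, bob and Sales, and the helpers `parse` and `search` are constructed for illustration; DN matching is simplified to a case-insensitive suffix test.

```python
ROOT = "DC=test,DC=local"
CHAT_OU = "OU=ChatGroups," + ROOT
SERVICES = "CN=ChatServices," + CHAT_OU

# Constructed sample entries that mirror the DNs in the thread (not real data).
DIRECTORY = {
    "CN=alice,CN=Users," + ROOT: {"objectClass": ["user"], "sAMAccountName": ["alice"],
                                  "memberOf": ["CN=Chat," + CHAT_OU]},
    "CN=bob,CN=Users," + ROOT: {"objectClass": ["user"], "sAMAccountName": ["bob"]},
    "CN=Chat," + CHAT_OU: {"objectClass": ["group"], "memberOf": [SERVICES]},
    "CN=TechSupport," + CHAT_OU: {"objectClass": ["group"], "memberOf": [SERVICES]},
    SERVICES: {"objectClass": ["group"]},
    "CN=Sales,OU=DistGroups," + ROOT: {"objectClass": ["group"]},
}

# Filters from the first post; {0} is filled with a sample login name below.
USER_FILTER = "(&(sAMAccountName={0})(memberOf=CN=chat,OU=ChatGroups,DC=test,DC=local))"
GROUP_FILTER = "(&(objectClass=group)(memberOf=CN=ChatServices,OU=ChatGroups,DC=test,DC=local))"

def parse(f, i=0):
    """Parse the filter starting at f[i] == '('; return (predicate, next index)."""
    if f[i + 1] in "&|":
        op = all if f[i + 1] == "&" else any
        subs, i = [], i + 2
        while f[i] == "(":
            p, i = parse(f, i)
            subs.append(p)
        return (lambda e: op(p(e) for p in subs)), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    wanted = value.lower()  # DN and name values compare case-insensitively
    return (lambda e: wanted in [v.lower() for v in e.get(attr, [])]), end + 1

def search(base, flt):
    """Subtree search: the entry must sit at or below base AND match the filter."""
    pred, _ = parse(flt)
    base = base.lower()
    return sorted(dn for dn, e in DIRECTORY.items()
                  if (dn.lower() == base or dn.lower().endswith("," + base)) and pred(e))

if __name__ == "__main__":
    print("groups, base CN=Users:", search("CN=Users," + ROOT, GROUP_FILTER))
    print("groups, base root, unfiltered:", search(ROOT, "(objectClass=group)"))
    print("groups, base root, filtered:", search(ROOT, GROUP_FILTER))
    print("login alice:", search(ROOT, USER_FILTER.format("alice")))
    print("login bob:", search(ROOT, USER_FILTER.format("bob")))
```

With the root as base, the unfiltered group search also returns the Sales distribution group and ChatServices itself, which is why the memberOf clause has to stay in the group filter.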