Groups in OpenLDAP

Openfire Openfire Support
1

Hi,

I’'ve installed Openfire with OpenLDAP and everything is working just fine.

Authentication, people talking, transfering files, you name it.

I just can’'t figure how to make groups.

I’‘ve searched the forum all over and I couldn’'t find an answer.

I’'m ok with LDAP.

What I miss is what i need to do to have a group.

Let’'s say I want to have a group made of user1, user2 and user3.

What do i have to insert in LDAP ?

And in openfire.xml ?

Any help would be appreciated.

Warm Regards,

Mário Gamito

2

What I did is created another organisational unit at the same level as people, called groups, and then added children to that where the object class was ‘‘groupOfNames’’:

dn: dc=mydomain,dc=com,dc=au
objectClass: organization dn: ou=people, dc=mydomain,dc=com,dc=au
ou: people
objectClass: organizationalUnit dn: ou=groups, dc=mydomain,dc=com,dc=au
ou: groups
objectClass: top
objectClass: organizationalUnit dn: cn=developers,ou=groups, dc=mydomain,dc=com,dc=au
objectClass: top
objectClass: groupOfNames
member: uid=myuserA,ou=people,dc=mydomain,dc=com,dc=au
member: uid=myuserB,ou=people,dc=mydomain,dc=com,dc=au
cn: developers

The member attribute of the group indicates who is a member and can have multiple values. Note that Active Directory seems to use a MemberOf attribute as part of the user instead.

Then in OpenFire I defined the groupMemberFilter as:

(objectclass=groupOfNames)

It should be noted that the filter corresponds to LDAP query syntax.

Quick edit by ajmas: I don’'t have things 100%, since my group list in OpenFire lists entries such as uid=myuserA,ou=people,dc=mydomain,dc=com,dc=au@mydomain.com.au for the groups!? Not sure why.

3

I’'ve just upgraded to 3.3.1 from 3.1.1.

I’'m using openldap 2.3.24-r1 as the directory to store my users in. I have a number of groups set up already to e used with other applications that authenticate off LDAP.

I need two different groups to be defined on the server. I therefore imported the following ldif into openldap:

dn: cn=ComputerTech,ou=Groups,dc=worldpc,dc=COM

objectclass: groupOfNames

cn: ComputerTech

description: Computer Tech Members

  1. add the group members all of which are

  2. assumed to exist under people

member: uid=iain,ou=Computertech,dc=worldpc,dc=COM

member: uid=carol,ou=Computertech,dc=worldpc,dc=COM

member: uid=gary,ou=Computertech,dc=worldpc,dc=COM

member: uid=james,ou=Computertech,dc=worldpc,dc=COM

member: uid=trevor,ou=Computertech,dc=worldpc,dc=COM

member: uid=sam,ou=Computertech,dc=worldpc,dc=COM

member: uid=robert,ou=Computertech,dc=worldpc,dc=COM

member: uid=seb,ou=Computertech,dc=worldpc,dc=COM

There was another copy the same as above, but with different members and different group attributes.

To get this to work with ldap - you need to set group member ou to be member (rather than memberUid). If you have all your members in ou=Users,dc=worldpc,dc=COM then you can use a different approach, suing memberUid rather than member.

Then you need to log in to the admin console, and under Users/Groups, click ‘‘Group Summary’’ Then search for your previously defined group. Then click “Enable contact list group sharing” and then define a name for the group.

Once your users have logged in once - they will be added to the group. However, I have identified a bug, in that if say (using the ldif above) sam was already online then he’‘d show up in the group in seb logged in - but seb wouldn’'t show up in the group until sam had logged out and back in. Could anyone point me in the direction of a configuration where all the users would show in the roster right from the start?