Groups & Users using AD LDAP


I’m new with Openfire. I use AD.

The LDAP configuration has me a bit confused. It takes a very simplistic look. From the various online comments I see that I can’t point to different OU’s for users and groups. I also see that it’s not easy to use a group to control access.

I have a couple of basic questions to get me over the understanding hump.

What method can I use to control who has access to the Openfire server?

Do I use AD/LDAP groups to organize the user lists?

Can a user be a member of more than one group?

Do the users use the Spark client to organize their own contacts in personal groups?

Depending on the above answers, can I just point Openfire to an OU with Groups containing my authorized users? No user objects in this OU.

Basically my goal is:

Control Access to Openfire.

Present users with predefined groups organized by Office and Departments. (Therefore users will belong to multiple groups.)

Any suggestions or how to’s will be greatly appreciated.

PS. My AD Structure separates Groups and Users. It also separates user objects by employee, software service, supplier, etc… I can’t point Openfire to the top of that structure without complicated LDAP search filtering. In fact, I don’t believe it’s possible. And of course I can’t re-organize my AD because of limitations within Openfire. Forgive me if I’m wrong in my conclusion. Feel free to correct me.

I wrote this up a while ago, and this is how I handle my groups.



Let me re-write my comment.

Looking at your example carefully let me see if I have this right.

You point your BaseDN to your AD domain.

The Group Search Filter finds all the Groups that are the Roster Groups.

The Search Filter finds all users that belong to the Access Group.

You mention putting the Groups in the same OU as the Users.

But since the BaseDN is the AD domain, does it matter?

Can I use your solution but simply place my Access and Roster groups in an alternate OU?

I will try it, it looks really promising.

Yes… as long as your base DN is at the root of your AD, it doesn’t matter where your groups and users are.
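To make the approach described in this exchange concrete (base DN at the domain root, an "access" group that gates who may log in, and separately named "roster" groups that Openfire publishes as shared contact lists), here is an added example of Openfire LDAP properties. It is not the original poster's write-up and not taken from the thread; the domain `example.com`, the OU `Openfire Groups`, the group name `Openfire Access` and the `Roster-` naming prefix are all assumed placeholders.

```properties
# Added example, not from the original post. All DNs and names are placeholders.

# Base DN at the root of the domain, so users and groups can live in any OU
ldap.host=dc01.example.com
ldap.port=389
ldap.baseDN=DC=example,DC=com

# Service account used for lookups; a low-privilege, read-only account is enough
ldap.adminDN=CN=openfire-svc,OU=Service Accounts,DC=example,DC=com

# AD attribute holding the login name
ldap.usernameField=sAMAccountName

# Access control: only user objects that are direct members of the
# "Openfire Access" group are visible to (and can authenticate against) Openfire.
# memberOf is AD-specific and lists direct membership only; nested groups are
# not expanded by this filter.
ldap.searchFilter=(&(objectClass=user)(memberOf=CN=Openfire Access,OU=Openfire Groups,DC=example,DC=com))

# Roster groups: restrict group lookups to groups following a naming convention,
# so the access group itself and unrelated AD groups are not published as rosters.
ldap.groupNameField=cn
ldap.groupMemberField=member
ldap.groupSearchFilter=(&(objectClass=group)(cn=Roster-*))
```

With this layout a user such as `CN=J Doe,OU=Employees,DC=example,DC=com` who is a member of both `Roster-Boston` and `Roster-Accounting` appears in both shared groups, while anyone outside `Openfire Access` cannot log in even though their user object is under the base DN. Because `memberOf` only reflects direct membership, keep the access group flat (no nested groups) or the gate will silently exclude people.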

Can a user belong to more than one roster group?

I implemented your solution. Openfire shows the users and shows the groups. But Spark doesn’t. Am I missing something?


Within Openfire, you’ll then need to go into Roster Groups and enable the groups to be roster groups.