Help with AD implementation

Hey all,

Working on getting Openfire going in my domain. Using the guides provided, I was easily able to get it installed and hooked up to AD (which was awesome). Since then I have been struggling to figure out how to do some stuff with AD groups, and I’m not getting a clear picture of how to proceed from the various postings on the forums (I’m actually surprised you guys don’t have a documentation wiki or something). Rather than search all day (because the powers that be wanted this done “yesterday”), I figured I’d just post what I have and what I need and let the community point me to precisely where I need to go. Prepare to be inundated with questions in 3… 2… 1…

So, in my domain, I employ nested groups quite a bit. In general, all of my users are in an OU called “Domain Users”. I assume this should be the base DN for my install (which it is). However, I’m not rolling this out to the entire domain, only a few groups for now and maybe others later. So the first question is, how can I accomplish this using security groups? Can I create a group, make that my base DN, and then throw in the groups I want to grant access to?

Assuming the answer to the previous question is “yes,” can I make the individual groups that I throw into the access group automatically become their own roster groups, or do I have to do that manually (and if so, how)?

Is there a way to restrict search access to just other users inside a given roster group (or, should I just disable search altogether in this setup)?

Also, how do I restrict access to the broadcast feature to just 1 user in each roster group?

I guess that's it for now on the server side. The rest of my questions are about the Spark client, so I'll post those in the appropriate forum…

Thanks all!

It's the same scenario I started with, http://community.igniterealtime.org/message/196870 . As for roster group limiting and that, I haven't had a need to look at it, so I couldn't say.

Brian

Thanks Brian! Here’s what I’ve done:

In regards to my first question, I'll write out my structure just like you did in your post so it's clear:

company.local (dc)

–Domain Users (ou)

----OpenFireUsers (security group)

------IT (security group)

So…

ldap.baseDN = ou=domain users,dc=company,dc=local

ldap.groupSearchFilter = (&(objectClass=group)(memberOf:1.2.840.113556.1.4.1941:=CN=OpenFireUsers,OU=Domain Users,DC=company,DC=local))

ldap.searchFilter = (&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=OpenFireUsers,OU=Domain Users,DC=company,DC=local))

This gives me a limited list of users and groups, which is what I wanted. If any of this isn’t technically correct, please let me know. These results bring up other questions, though, so let me get those out of the way…

First, does this actually limit who can log on to the server and access the service, or just who appears in the groups and searches? I want the OpenFireUsers group to serve both purposes.

Second, the groups summary now shows an exploded view of all nested groups as well. For instance, the IT group is shown, and because that group contains the CIO group, that group appears also. Is this normal/favorable?

Lastly, is there a way to exclude certain users that are members of the AD groups from showing up as OpenFireUsers? For instance, I have a few service accounts that aren't actually flesh-and-blood users in the IT group. However, they show up as users and also as roster users if I make the IT group a roster group also. How and where do I filter out these user accounts? UPDATE: Changed (objectClass=user) to (objectClass=organizationalPerson) in my ldap.searchFilter and that seemed to help a bit. Not sure why. I still have some "false" users in there though, and just locking them out doesn't take them off of the roster list…

Thanks so much for the help! I think I'm really going to like this service (and so are my superiors)…

Okay, so I've been playing around with this stuff quite a bit, and I'm disappointed to see that Openfire doesn't appear to support nested groups. Either that, or I'm not doing my LDAP queries correctly. If I create a group called "IM_Doctor's Staff" and put other groups in it, the users in the nested groups don't show up as being part of the "IM_Doctor's Staff" group, which makes administration awkward. Surely I'm doing something wrong, right?

Yes the filter does limit who can log in and who is visible.

As for not showing the groups, you may be able to come up with a filter for the groups based on an AD attribute check. I would need to check my work system for possible ideas.

With the users, you need to also check for not being a disabled user.

Brian
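The filters in this thread rely on two Active Directory extended matching rules: 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN, which makes memberOf match through nested groups) and 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND, used on userAccountControl to test the ACCOUNTDISABLE bit, 0x2, which is Brian's "not a disabled user" check). Computer accounts also carry objectClass=user, so the usual way to keep them out of a user filter is objectCategory=person. The following is an added example, not code from the thread or from Openfire: it builds the ldap.searchFilter / ldap.groupSearchFilter strings for the structure described above and evaluates the same conditions locally against a constructed, invented set of AD-like entries (company.local, OpenFireUsers containing IT, IT containing CIO) so you can see which accounts would survive before pasting the filter into Openfire.

```python
# Added example (not from the original thread or Openfire). All entries below
# are constructed; objectCategory is stored as its short name for readability
# (AD stores a schema DN, but the filter objectCategory=person still works).

ACCOUNTDISABLE = 0x2                   # userAccountControl bit for a disabled account
IN_CHAIN = "1.2.840.113556.1.4.1941"   # LDAP_MATCHING_RULE_IN_CHAIN (nested groups)
BIT_AND = "1.2.840.113556.1.4.803"     # LDAP_MATCHING_RULE_BIT_AND (bit-mask test)

BASE_DN = "OU=Domain Users,DC=company,DC=local"
ACCESS_GROUP = f"CN=OpenFireUsers,{BASE_DN}"


def user_filter(access_group: str = ACCESS_GROUP) -> str:
    """ldap.searchFilter: person accounts (no computers), transitively in the
    access group, and not disabled."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(memberOf:{IN_CHAIN}:={access_group})"
            f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))")


def group_filter(access_group: str = ACCESS_GROUP) -> str:
    """ldap.groupSearchFilter: every group nested (at any depth) under the access group."""
    return f"(&(objectClass=group)(memberOf:{IN_CHAIN}:={access_group}))"


def _dn(cn: str) -> str:
    return f"CN={cn},{BASE_DN}"


# Constructed directory: dn -> attributes. memberOf lists direct memberships only;
# the nesting is OpenFireUsers -> IT -> CIO, plus an unrelated HR group.
DIRECTORY = {
    _dn("OpenFireUsers"): {"name": "OpenFireUsers", "objectClass": ["group"], "memberOf": []},
    _dn("IT"):            {"name": "IT", "objectClass": ["group"], "memberOf": [_dn("OpenFireUsers")]},
    _dn("CIO"):           {"name": "CIO", "objectClass": ["group"], "memberOf": [_dn("IT")]},
    _dn("HR"):            {"name": "HR", "objectClass": ["group"], "memberOf": []},
    _dn("alice"):      {"name": "alice", "objectClass": ["user"], "objectCategory": "person",
                        "memberOf": [_dn("IT")], "userAccountControl": "512"},
    _dn("bob"):        {"name": "bob", "objectClass": ["user"], "objectCategory": "person",
                        "memberOf": [_dn("CIO")], "userAccountControl": "512"},   # nested member
    _dn("svc_backup"): {"name": "svc_backup", "objectClass": ["user"], "objectCategory": "person",
                        "memberOf": [_dn("IT")], "userAccountControl": "514"},    # 512 | 2 = disabled
    _dn("fileserver$"): {"name": "fileserver$", "objectClass": ["user"], "objectCategory": "computer",
                         "memberOf": [_dn("IT")], "userAccountControl": "4096"},  # computer account
    _dn("carol"):      {"name": "carol", "objectClass": ["user"], "objectCategory": "person",
                        "memberOf": [_dn("HR")], "userAccountControl": "512"},    # outside access group
}


def transitive_groups(dn: str, directory: dict) -> set:
    """Groups dn belongs to directly or through any depth of nesting; this is what
    the in-chain matching rule walks on the domain controller."""
    seen, stack = set(), list(directory[dn].get("memberOf", []))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(directory[group].get("memberOf", []))
    return seen


def is_disabled(entry: dict) -> bool:
    """Local equivalent of (userAccountControl:1.2.840.113556.1.4.803:=2)."""
    return bool(int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)


def matches_user_filter(dn: str, directory: dict, access_group: str = ACCESS_GROUP) -> bool:
    e = directory[dn]
    return (e.get("objectCategory") == "person"
            and "user" in e["objectClass"]
            and access_group in transitive_groups(dn, directory)
            and not is_disabled(e))


def matches_group_filter(dn: str, directory: dict, access_group: str = ACCESS_GROUP) -> bool:
    e = directory[dn]
    return "group" in e["objectClass"] and access_group in transitive_groups(dn, directory)


def visible_users(directory: dict = DIRECTORY) -> list:
    return sorted(directory[dn]["name"] for dn in directory if matches_user_filter(dn, directory))


def visible_groups(directory: dict = DIRECTORY) -> list:
    return sorted(directory[dn]["name"] for dn in directory if matches_group_filter(dn, directory))


if __name__ == "__main__":
    print("ldap.searchFilter =", user_filter())
    print("ldap.groupSearchFilter =", group_filter())
    print("users:", visible_users())     # alice (direct), bob (via CIO -> IT)
    print("groups:", visible_groups())   # CIO, IT (the exploded nested view)
```

Against the constructed entries, svc_backup drops out because bit 0x2 is set, fileserver$ drops out on objectCategory, and carol drops out because HR is not under OpenFireUsers, while bob stays in even though he is only a member of CIO two levels down. Disabling an account in AD therefore removes it from the Openfire user and roster views on the next sync, rather than merely blocking its login.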

Okay, I've made some big strides and actually have this thing working pretty well. I've noticed something strange though. I have a network with several subnets, and I can access the admin console from within the subnet that hosts the server. From another subnet, which is not firewalled, I can't get to it. It's weird. I can get to the webmin interface of the server, and the client still connects over 5222, but the admin console just won't work. Any idea why?

I know under Server > Server Settings > Registration and Login, I set the "Restrict all Logins" to our aggregate IP of 172.16.*, but that shouldn't matter. Plus, I can't find a way to edit that field to see what I put in there and make sure I didn't screw it up. Any suggestions?

Sorry, not an area I have had to look at.

Correct, it doesn’t. See this bug from 2006:

OF-168