HOWTO: Setup Dynamic Access based on Active Directory Groups

I’ve seen this question asked a few times: “How can I use my AD roster groups for user authentication?” I believe I have found the solution.

For this example I’ll be using the following:

AD domain = AD-DOMAIN.local

access group = Openfire Access Group

roster groups = _IM Group1, _IM Group2
(*note - I’ll be using _IM as part of a wildcard search, so all my groups start with _IM for that reason)

First create your security groups:

Create a Domain Local Security Group. In our example call it Openfire Access Group and place it in the user container.

Create regular security groups, in our example _IM Group1 and _IM Group2.

Make _IM Group1 and _IM Group2 members of the Openfire Access Group.

Add your users to the _IM groups
(include your openfire admin account, or make it a member of the Openfire Access Group).

Next, set your system properties in openfire:

ldap.baseDN
DC=AD-DOMAIN,DC=local

ldap.groupSearchFilter
(objectClass=group)(cn=_IM*)

ldap.searchfilter
(&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Openfire Access Group,CN=Users,DC=AD-DOMAIN,DC=local)))

That should do it. I hope this helps someone! Please let me know if you have any problems or if I missed something!

I appreciate the extensive answer.

We’re a geographically dispersed company, so our OUs are containers based on their site location, so I don’t have the luxury of renaming our existing OUs.

I’ll try to look at what you’ve described and see if I can retrofit it for our environment.

Everything is based on group membership and not OUs.

Not to raise the dead, but I was searching forever before I found this and a French video that helped me with this (seemingly to me) basic OpenFire to LDAP to Groups chain. Thanks, speedy! Thanks, Gaetan!

FYI: I’ve updated my search filter so that it will not display members of the group that may be disabled.

(&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Openfire Access Group,CN=Users,DC=domain,DC=local))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
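To make the two AD-specific matching rules in these filters concrete (the original ldap.searchfilter above and the disabled-account variant in this follow-up), here is an added Python example, not code from the thread or from Openfire, that builds the filter string and evaluates it locally over a constructed directory. The entries (alice, bob, carol, their DNs and userAccountControl values) are hypothetical sample data; rule 1.2.840.113556.1.4.1941 is modelled as a transitive memberOf walk and rule 1.2.840.113556.1.4.803 as a bitwise AND.

```python
from typing import Dict, List

RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN: nested membership
RULE_BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND: integer bit test
ACCOUNTDISABLE = 2                          # userAccountControl flag for a disabled account
ACCESS_GROUP = "CN=Openfire Access Group,CN=Users,DC=AD-DOMAIN,DC=local"
IM_GROUP1 = "CN=_IM Group1,CN=Users,DC=AD-DOMAIN,DC=local"

# Constructed sample directory (hypothetical entries, not real data): DN -> attributes.
DIRECTORY: Dict[str, dict] = {
    ACCESS_GROUP: {"objectClass": "group", "memberOf": []},
    IM_GROUP1: {"objectClass": "group", "memberOf": [ACCESS_GROUP]},
    "CN=alice,CN=Users,DC=AD-DOMAIN,DC=local": {"objectClass": "organizationalPerson",
        "userAccountControl": 512, "memberOf": [IM_GROUP1]},  # enabled, nested member
    "CN=bob,CN=Users,DC=AD-DOMAIN,DC=local": {"objectClass": "organizationalPerson",
        "userAccountControl": 514, "memberOf": [IM_GROUP1]},  # 512 | 2: disabled
    "CN=carol,CN=Users,DC=AD-DOMAIN,DC=local": {"objectClass": "organizationalPerson",
        "userAccountControl": 512, "memberOf": []},           # enabled, in no _IM group
}

def build_search_filter(group_dn: str, exclude_disabled: bool) -> str:
    """Assemble the ldap.searchfilter string in the form used in the thread."""
    f = f"(&(objectclass=organizationalPerson)(|(memberOf:{RULE_IN_CHAIN}:={group_dn}))"
    if exclude_disabled:
        f += f"(!(userAccountControl:{RULE_BIT_AND}:={ACCOUNTDISABLE}))"
    return f + ")"

def in_chain(dn: str, group_dn: str, seen=frozenset()) -> bool:
    """Rule 1941: True if dn is a direct or nested member of group_dn (cycle-safe)."""
    for parent in DIRECTORY.get(dn, {}).get("memberOf", []):
        if parent == group_dn or (parent not in seen and in_chain(parent, group_dn, seen | {parent})):
            return True
    return False

def bit_and(value: int, mask: int) -> bool:
    """Rule 803: True if every bit of mask is set in value."""
    return value & mask == mask

def matching_users(group_dn: str, exclude_disabled: bool) -> List[str]:
    """Evaluate the filter locally: the DNs Openfire would load as users."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if attrs["objectClass"] != "organizationalPerson" or not in_chain(dn, group_dn):
            continue
        if exclude_disabled and bit_and(attrs["userAccountControl"], ACCOUNTDISABLE):
            continue
        hits.append(dn)
    return sorted(hits)
```

With exclude_disabled set, only alice is returned; without it, the disabled account bob is loaded as well, which is exactly what the follow-up filter prevents.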

Hi, I don't know where to put this line:

"ldap.searchfilter
(&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Openfire Access Group,CN=Users,DC=AD-DOMAIN,DC=local)))"

Do you have a screenshot?

Many thanks

Henriyx