Integrating Openfire 3.7 with Active Directory

I have been able to integrate Openfire with Active Directory, but in order to consolidate an OU and my Users, I created a new OU and then added a Security Group to it. Within that Security Group, I added all domain users.

So, when setting up Openfire, I used the following:

Base DN: CN=sparkers,OU=spark,DC=my,DC=domain,DC=name

The Admin DN works, so I won’t specify it here.

I test the connection and it works.

When I go to Section 2/User Mapping, I leave the defaults, and click ‘Save and Continue’. This results in this:

Test: User Mapping

A random profile is selected for you to review. Bold fields with no value mean that an error may have been found. To view another profile click ‘Next random profile’. When you are finished close this window.

Status: Error

No users were found using the specified configuration. Try changing the base DN, user filter or username field.

I have tinkered a bit with the base DN, but not sure what else to do. I had tested this with just the Users and it worked. However, I can’t get it to connect with the new base DN.

Any tips are most appreciated.

Try the following:

BaseDN: DC=my,DC=domain,DC=name

User Filter: (memberOf=CN=OpenFireUsers,CN=Users,DC=my,DC=domain,DC=name)

Group Filter: (memberOf=CN=OpenFireGroups,CN=Users,DC=my,DC=domain,DC=name)

Thanks. That is helpful. I was able to get close to what I want by using this:

CN=Users,DC=my,DC=domain,DC=name

I used filters to remove objects that I don’t want. I retained all users and distribution lists. We don’t have other groups that I would want to display for IM purposes.

The problem that I am still having is that there is an OU that includes the IT group. This OU is at the same hierarchical level as the Users container, but is an OU because it has special permissions. So, by using CN=Users, I have all users except the IT group. Since creating a special OU to contain all domain users didn’t work as expected, I thought that I could utilize two Base DNs, one with CN=Users (removing objects with filters) and one with OU=IT.

Based on the Openfire documentation, I should be able to do this with an alternateBaseDN in the openfire.xml file. I stopped the server, edited the file and restarted. Looking in the Admin-Server Settings, it only shows the Base DN CN=Users.

Here is what I added:

my.domain.name

389

cn=Users;dc=my,dc=domain,dc=name

OU=IT;dc=my,dc=domain,dc=name

cn=Directory Administrator

I am a bit confused about what the openfire.xml file is used for, as the documentation says that version 3.7 mostly uses the embedded database to retain settings. That seems obvious, as when I make changes in the admin, they mostly work, but don’t show up in the openfire.xml file. It seems that the admin-server settings only allow me to add one baseDN. All other configuration needs to be made in the openfire.xml file?

So, I would appreciate some clarification on this. I am almost to where I want to be, though it is probably not the best way to get there. I would have to do some AD work.

Shouldn’t that

OU=IT;dc=my,dc=domain,dc=name

be rather

CN=IT,dc=my,dc=domain,dc=name

Is that a comma or a dot (period)? In your example, you use CN=IT.dc=my. I saw the semi-colon throughout the Openfire documentation and wondered if it should be a comma instead.

Yea, it was a dot, my bad, but should be a comma. I misread your post so it actually should be

OU=IT,dc=my,dc=domain,dc=name

since IT is an OU (not a CN type of object).

Thanks, but that change doesn’t bring the IT OU into the list of users. Is there something else that I am missing? Obviously, yes.

Tbh I tried once or twice without success and gave up then, since it was a small installation, like 20 users. But I have it on my to-do list to get hands-on experience with OF-AD integration. So, sorry for the moment.

I am getting a bit closer on this. I took the advice of someone on this forum and created an OU called ‘spark’, with two groups inside it named “sparkusers” and “sparkgroups”. I added users that I want to use Spark/Openfire to “sparkusers” and groups that I want to show in Spark to “sparkgroups”.

I then created Custom Search Filters for each.

BaseDN: DC=my,DC=domain,DC=name

User Filter: (memberOf=CN=sparkusers,OU=spark,DC=my,DC=domain,DC=name)

Group Filter: (memberOf=CN=sparkgroups,OU=spark,DC=my,DC=domain,DC=name)

Okay, so I see all the correct users and groups in Openfire Admin. However, when I log into Spark from two different user accounts, there are no users or groups. What else am I missing?

It took a while to get to this point, but thanks to those who have made good suggestions.
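An added illustration, not code from any poster or from Openfire: a small offline simulation of LDAP subtree search over a constructed directory. It shows why a Base DN pointing at a group object finds no users (membership is an attribute on each user, and users are not children of the group), why CN=Users alone misses OU=IT, and why the domain root combined with a memberOf filter, as in the replies above, reaches both. The entries Alice, Bob and Carol and all function names are assumptions made for the example; the group DN is escaped per RFC 4515 before it is placed in the filter.

```python
import re

ROOT = "DC=my,DC=domain,DC=name"
GROUP = "CN=sparkusers,OU=spark," + ROOT
# Constructed sample directory: DN -> attributes (all values are lists).
DIRECTORY = {
    "CN=Alice,CN=Users," + ROOT: {"objectClass": ["user"], "sAMAccountName": ["alice"], "memberOf": [GROUP]},
    "CN=Bob,CN=Users," + ROOT: {"objectClass": ["user"], "sAMAccountName": ["bob"]},
    "CN=Carol,OU=IT," + ROOT: {"objectClass": ["user"], "sAMAccountName": ["carol"], "memberOf": [GROUP]},
    GROUP: {"objectClass": ["group"], "sAMAccountName": ["sparkusers"]},
}

def rdns(dn):
    # Naive split: assumes no escaped commas inside RDN values.
    return [part.strip().lower() for part in dn.split(",")]

def in_subtree(dn, base_dn):
    # True when dn is base_dn itself or sits anywhere below it.
    base = rdns(base_dn)
    return rdns(dn)[-len(base):] == base

def escape_filter_value(value):
    # RFC 4515: hex-escape \ * ( ) and NUL so a value cannot change the filter.
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def member_of_filter(group_dn):
    return "(memberOf=%s)" % escape_filter_value(group_dn)

def search(base_dn, flt):
    # Subtree search supporting one equality filter of the form "(attr=value)".
    attr, value = re.fullmatch(r"\(([^=()]+)=(.*)\)", flt).groups()
    want = unescape(value).lower()
    return sorted(
        attrs["sAMAccountName"][0]
        for dn, attrs in DIRECTORY.items()
        if in_subtree(dn, base_dn) and want in [v.lower() for v in attrs.get(attr, [])]
    )

if __name__ == "__main__":
    print(search(GROUP, "(objectClass=user)"))               # base DN is the group object
    print(search("CN=Users," + ROOT, "(objectClass=user)"))  # CN=Users only
    print(search(ROOT, member_of_filter(GROUP)))             # domain root + memberOf
```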