powered by Jive Software

LDAP/Active Directory Authentication using Nested groups

I have WIldfire server up and running perfectly with LDAP integration. It uses a filter to authenticate users against Active Directory. Only those users in the JABBERACCESS security group are granted access.

What I want to do is this:

Sample of Active Directory objects:


User A

User B

User C

User D

User E


Group F


If I add users A,B,C,D and E to the JabberAccess group, they can access Wildfire server with their client.

However, if users A, B, C, D and E are already part of a Group F, I’'d like to be able to just add GroupF as a member of the JabberAccess group thereby granting access to all of the GroupF members.

As of now, this does not work when I try it.

Feature Request or do I need to Enable something somewhere?

Thanks in advance.


Any ideas?

There’'s nothing you can do to make that work.

The MemberOf attribute isn’‘t what you want. Won’'t help at all.

The only group that would[/i] work is tokenGroups, and it won’'t work for another reason altogether.

You can beat your head against LDAP all day, and you won’‘t be able to do this. Does it suck? Yeah. Can the Wildfire devs do anything about it? Yeah. But it’‘d be cumbersome, IMO, and I don’‘t know if they’'re gonna chew off that hunk of work.

Sorry for the bad news. I’‘ve plumbed this one into the depths myself, and as an A/D admin I have to tell you I’‘m a bit miffed at how Microsoft failed to offer an attribute we could use for this. In fairness, some of this is LDAP, and some of it’'s Microsoft.


I’'m having problems to make it work like you did. I want to authenticate users that belong to a specified group, can you send me a sample of you config files? Sanitized of course.

Thanks in advance.


I could be mistaken, but I suspect this will help you:


I can send the whole file though, yes, if you like.


I’‘ll try it, but LDAP and Microsoft AD aren’’ t my strength, can you explain this filter in detail?

I wrote my problem in this thread:


Thanks in advance,


this I believe filters out the disabled users


this (!(sAMAccountName=$)) I believe will filter out account names with a $ sign in them…

I’‘m newbie to LDAP/AD as well, so if I’'m wrong somebody let us know!

sAMAccountName is specifying “any” – the (0) is a peculiarity of how Wildfire needs “*” specified – but only in some cases, apparently; the wildcard * works just dandy further on.

I’‘m not even sure I need objectClass. The userAccoiuntControl is checking the “disabled” bit – I don’'t want disabled accounts returned. I want no computer accounts, so the sAMAccountName not equalling $ takes care of that (note the ! negator out front of several of these clauses).

FInally, I list some security groups by distinguished name. In this case, I’'m eliminating users (see the ! again) who are members of these groups.

I actually have a parent group that all of these groups are members of (Users.AllSites, let’‘s say), but this system doesn’‘t understand nesting. Well, better put, LDAP doesn’‘t check nestings for you (that’‘s only possible with the tokenGroups attribute, which we can’‘t check with these methods, alas). We’'re stuck with memberOf.

Hmm. Checking your thread, maybe you could profit from me posting the config. Will do. I’'ll get back with you (dashing out for a commute just now).