LDAP/AD - getting group level authentication working

Not an expert, but I have the basics working fine, I just need to get it to work how I would like now, so any help is appreciated.

CentOS 6.0 - 64bit — had to add libldb.i686 for JVM

Openfire 3.7.0

Name    : mysql
Arch    : x86_64
Version : 5.1.52
Release : 1.el6_0.1

Connection Settings

baseDN: dc=foo,dc=local

adminDN: cn=mrfoo,cn=Users,dc=foo,dc=local — mrfoo@foo.local also worked for me

User Mapping

Username Field: sAMAccountName

Search Fields — I left this blank

Advanced Settings > User Filter: (&(objectClass=organizationalPerson)(mail=*)) — add everybody with an email address; if they have no email address in AD they will not be added

Group Mapping

Group Field: cn — the default

Member Field: member — the default

Description: description — the default

Advanced Settings > Group Filter: (&(objectClass=group)(cn=Access-Test_Jabber)) — I had a test group in AD created

Currently, it pulls in the entire LDAP directory from our server (Server 2003) using the baseDN, with my domain account as adminDN, and after adding myself as the Openfire admin all works fine; in the Openfire admin GUI I see all users, all 3500 of them.

I have Openfire up and running on the above, but I'm having difficulty configuring the AD/LDAP side of things. I only want a particular group of AD users to be able to authenticate; with my current configuration any domain user, using their credentials, can log in to Openfire via the Spark chat client and chat. I wish to restrict use to a certain group of users, in my case Access-Test_Jabber, and I cannot get this to work.

When I go to User/Groups > Groups, the Access-Test_Jabber group is displayed along with its 2 test users, who can also log in using a chat client; what I want is for only the users in that group to be able to log in.

To only import users belonging to a group, in User Mapping > Advanced Settings > User Filter add a memberOf filter.

For example (modify as needed):

(&(objectClass=organizationalPerson)(mail=*)(memberOf=CN=Access-Test_Jabber,OU=Groups,DC=foo,DC=local))
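As an added example, not part of the original thread or of Openfire itself: a small Python evaluator for the LDAP filter subset used in the User Filter above, run over a constructed set of AD-style entries, to show which accounts the filter admits before and after the memberOf clause is added. The account names, the OU=Groups path and the nested group are assumptions made for illustration. One caveat it also demonstrates: in Active Directory, memberOf lists only direct group memberships, so a user who is in a group nested inside Access-Test_Jabber does not match (memberOf=CN=Access-Test_Jabber,...) and will still be excluded, and (mail=*) continues to exclude group members with no email address.

```python
# Added example (not from the original thread): evaluates the RFC 4515 filter
# subset used in the Openfire User Filter against constructed AD-style entries.
# The directory contents below are assumptions made for illustration.


def parse_filter(text):
    """Parse a filter limited to &, |, !, attr=value and attr=* (presence)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at %d" % pos)
            pos += 1
            return (op, children)
        if text[pos] == "!":
            pos += 1
            child = node()
            if text[pos] != ")":
                raise ValueError("expected ')' at %d" % pos)
            pos += 1
            return ("!", [child])
        end = text.index(")", pos)          # raises ValueError if unterminated
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("bad filter item %r" % text[pos:end])
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing text after filter")
    return tree


def matches(tree, entry):
    """True if entry (lower-cased attribute -> list of values) satisfies tree.
    String and DN comparisons are case-insensitive, as in AD."""
    kind = tree[0]
    if kind == "&":
        return all(matches(t, entry) for t in tree[1])
    if kind == "|":
        return any(matches(t, entry) for t in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":                      # presence test, e.g. (mail=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def entry(**attrs):
    """Build an entry: keys lower-cased, scalar values wrapped in lists."""
    return {k.lower(): (v if isinstance(v, list) else [v]) for k, v in attrs.items()}


GROUP_DN = "CN=Access-Test_Jabber,OU=Groups,DC=foo,DC=local"      # assumed OU
NESTED_GROUP_DN = "CN=Jabber-Nested,OU=Groups,DC=foo,DC=local"    # assumed
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

DIRECTORY = [  # constructed sample entries, not real accounts
    entry(sAMAccountName="alice", objectClass=USER_CLASSES,
          mail="alice@foo.local", memberOf=[GROUP_DN]),
    entry(sAMAccountName="bob", objectClass=USER_CLASSES,
          memberOf=[GROUP_DN]),                              # in group, no mail
    entry(sAMAccountName="carol", objectClass=USER_CLASSES,
          mail="carol@foo.local"),                           # mail, not in group
    entry(sAMAccountName="dave", objectClass=USER_CLASSES,
          mail="dave@foo.local", memberOf=[NESTED_GROUP_DN]),  # nested only
    entry(sAMAccountName="Access-Test_Jabber", objectClass=["top", "group"],
          member=["CN=alice,CN=Users,DC=foo,DC=local",
                  "CN=bob,CN=Users,DC=foo,DC=local", NESTED_GROUP_DN]),
    entry(sAMAccountName="Jabber-Nested", objectClass=["top", "group"],
          memberOf=[GROUP_DN], member=["CN=dave,CN=Users,DC=foo,DC=local"]),
]

USER_FILTER_BEFORE = "(&(objectClass=organizationalPerson)(mail=*))"
USER_FILTER_AFTER = "(&(objectClass=organizationalPerson)(mail=*)(memberOf=%s))" % GROUP_DN


def allowed_logins(filter_text, directory=DIRECTORY):
    """sAMAccountNames Openfire would import, and so allow to log in, under a User Filter."""
    tree = parse_filter(filter_text)
    return sorted(e["samaccountname"][0] for e in directory if matches(tree, e))


if __name__ == "__main__":
    print("before:", allowed_logins(USER_FILTER_BEFORE))   # alice, carol, dave
    print("after: ", allowed_logins(USER_FILTER_AFTER))    # alice only
```

Running it shows the original filter admitting alice, carol and dave, and the memberOf filter admitting only alice: bob is dropped by (mail=*), carol is not in the group, and dave is only a member through the nested group. If nested membership is wanted, AD (from Windows Server 2003 SP2) supports the LDAP_MATCHING_RULE_IN_CHAIN extensible match, written as (memberOf:1.2.840.113556.1.4.1941:=CN=Access-Test_Jabber,OU=Groups,DC=foo,DC=local); this toy evaluator does not implement that syntax.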

Thank you for the reply - I’ll give that a try.

Just to clarify, in your reply you wrote "To only import users…" - I didn't seem to have a problem importing the group, just authenticating the group I imported; they authenticated with no problems at all. The problem is that everybody in the baseDN could also authenticate, and what I mean by that is that I only want a particular group to be able to authenticate - I may have been unclear about that.

Update - just tried your advice and it works fine - thank you for the help, it is very much appreciated!