powered by Jive Software

LDAP AD Support - Test Settings and disabled Accounts


I’ve installed openfire 3.8.1 for testing purposes on Windows 7 64bit.

I Try to connect it to my Active Directory.

During the initial Setup on the “Profile Settings” Page, I chose “Directory Server (LDAP)”.

On the “Profile Settings: Connection Settings” I enter the correct connection properties.

I click on “Test Settings” an nothing happens!

I have an old 3.5 Openfire Installation on another internal Server. When I click “Test Settings” there, I get a Conenction Successfull Alert.

It seems other people have this Problem too:


What exactly can I do for testing my connection?

I tried Openfire 3.7.1 as this seems to do the connection test.

On Page “Profile Settings: User Mapping” I enter Username as “sAMAccountName”.

What I want to do is to filter out disabled accounts.

The correct LDAP Filter seems to be “(&(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2))”

I’ve checked it with an native LDAP Client. It works, the filter is correct.

But openfire does not show any Users!

I’ve traced the connection to my AD with wireshark. If I click on “Test Settings” I get a LDAP bindRequest and after a successfull bind followed directly with an unbind. It seems no ldapsearchrequest was done.

Maybe openfire cannot handle the logical NOT in my LDAP-Filter?

I’ve searched through the forum an found this thread from 2006:


Even if I just click next, OK, Continiue and so on and after the settings should be written my openfire.xml is nearly empty so I cannot add the lines for an negative filter manually.

How can I test my LDAP Connection on Openfire 3.8.1?

How can I filter out disabled Users on Openfire 3.8.1?

How can I add a Userfilter with a logical NOT on Openfire 3.8.1?

Any help would be nice?


Here is the ldap filter I am using - Identifies disabled users appropriately.

(&(objectCategory=user)(|(&(memberOf=CN=Instant Messaging Users,OU=Global SECURITY Groups,DC=domain,DC=local)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(sA MAccountName=imldap)(sAMAccountName=esunixldap)))

There is some extra stuff in there you don’t need, but this should work too.

(&(objectCategory=user)(&(memberOf=CN=Instant Messaging Users,OU=Global SECURITY Groups,DC=domain,DC=local)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))

One more pair of braces…

Thank you David! It works!