LDAP Advice - 9000 Person Organization - Multiple Domains

Andrew_DeBratto · December 4, 2009, 8:11pm

Currently we are using Openfire in a sub-domian of a parent forest with multiple domains. We want to allow other staff from another domain to use our Openfire services, but I really dont want 9000 people + all the groups in our Openfire system. Not even sure if I pointed the LDAP at the parent domain if it would travese the sub-domains.

Can we create a security group in our domain and use that as the base for the LDAP call and allow all the users in the specific group to have access to Spark and Openfire?

Are there any other suggestions that anyone would have to solve this issue?

Thank you all

BigBrain_IT · December 5, 2009, 10:51am

You could try setting a security group in one domain with the members from other domain where appropriate, either direct members of inherited through group membership. Provided you make valid cross domain permissions and set you base dn and ldap ad search criteria correctly to iterate group membership, I would expect it to work.

Something along the lines of;

base dn being the root of your domain

search : (&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=openfire_Users,OU=App l ications,OU=Security Groups,OU=CompanyA,DC=Company,DC=local))

The memberOf check is MS AD causing a resursive membership check. (http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx)

Brian

Andrew_DeBratto · December 5, 2009, 8:01pm

Scrathc that - Looking at the MS article now, I see what you are telling me.

Brian,

Thanks for the response.

I see in your LDAP string where you call the group you have what looks like a SID in there. “(memberOf:1.2.840.113556.1.4.1941”. Is that necessary?

Also, do you know of any documentation that would explain what my options are in this case?

Andrew

Andrew_DeBratto · December 6, 2009, 5:08am

I get the following error when trying to call to a groupusing the following syntax:

(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=US-Spark-Users,OU=Grou ps,OU=US,DC=US,DC=Company,DC=COM))

Test: Connection Settings

Status: Error

Invalid DN syntax or naming violation.

Any ideas?

BigBrain_IT · December 7, 2009, 11:48am

Couple of things based on what you have shown.

1 - is the domain us.company.com AND is the first ou US also? There are a couple of different tools that would allow you to browse the directory and get the values you need.

2 - have you set the base dn to us.company.com ?

3 - Did you wait more than 5 minutes between getting the prompt and entering the details ? I found out that some installaion option have a background timeout that will erro what you go Next. If it is a test install, rerun the install.

Brian