powered by Jive Software

Ldap: AlternateBaseDN

I’m trying to use AlternateBaseDN and it doesn’t appear to be working. I have my baseDN set to pickup all of our AD users, and the alternateBaseDN is set to pickup groups. Has anyone got this to work? I am trying this with openfire 3.4 beta1

Does anyone have any ideas as to why this isnt working??

Is this setting even supported and is it suppose to work? Can someone from Jive poke their head in here please?

I got it working - but by editing openfire.xml directly not by adding a property in the admin panel

<port>636</port>

<baseDN>o=xx</baseDN>

<alternateBaseDN>o=yy</alternateBaseDN>

<adminDN/>

Here’s the relevant (edited) snippet from the file:

It’s hard to know why your configuration isn’t working without configuration specifics. I.E. Openfire.xml LDAP values.

Here’s an example of how I have configured Openfire for use with AD:

<ldap>
    <host>acme.root.local</host>
    <port>636</port>
    <baseDN>DC=acme,DC=root,DC=local</baseDN>
    <!--<alternateBaseDN></alternateBaseDN>-->
    <adminDN>service_xmpp@acme.root.local</adminDN>
    <adminPassword>secret</adminPassword>
    <connectionPoolEnabled>true</connectionPoolEnabled>
    <sslEnabled>true</sslEnabled>
    <ldapDebugEnabled>false</ldapDebugEnabled>
    <autoFollowReferrals>false</autoFollowReferrals>
    <subTreeSearch>true</subTreeSearch>
    <usernameField>sAMAccountName</usernameField>
    <searchFilter><![CDATA[(&(sAMAccountName={0})(objectCategory=person)(memberOf=CN=Openfire Roles - Users,OU=Groups,DC=acme,DC=root,DC=local))\]\]\></searchFilter>
    <nameField>name</nameField>
    <emailField>mail</emailField>
    <groupNameField>cn</groupNameField>
    <groupMemberField>member</groupMemberField>
    <groupDescriptionField>description</groupDescriptionField>
    <posixMode>false</posixMode>
    <groupSearchFilter><![CDATA[(&(objectCategory=group)(DC=Openfire Roles*))\]\]\></groupSearchFilter>
</ldap>

I actually caught Gato in the chat last week. My problem as that the alternatebasedn only works for users and not groups.

Now that you mention it I do seem to recall reading that use of the alternateDN didn’t support groups. That being said, the use of the ldapDN, an alternateDN if necessary, a well constructed search filter and group search filter can fit most situations.