Ldap: AlternateBaseDN

Aaron_Axelsen · October 18, 2007, 8:52pm

I’m trying to use AlternateBaseDN and it doesn’t appear to be working. I have my baseDN set to pickup all of our AD users, and the alternateBaseDN is set to pickup groups. Has anyone got this to work? I am trying this with openfire 3.4 beta1

Aaron_Axelsen · October 20, 2007, 4:21pm

Does anyone have any ideas as to why this isnt working??

Aaron_Axelsen · December 10, 2007, 2:53am

Is this setting even supported and is it suppose to work? Can someone from Jive poke their head in here please?

Ben_Biggie · December 17, 2007, 8:12pm

I got it working - but by editing openfire.xml directly not by adding a property in the admin panel

Here’s the relevant (edited) snippet from the file:

Robert_Eckdale · December 17, 2007, 9:05pm

It’s hard to know why your configuration isn’t working without configuration specifics. I.E. Openfire.xml LDAP values.

Here’s an example of how I have configured Openfire for use with AD:

<ldap>
    <host>acme.root.local</host>
    <port>636</port>
    <baseDN>DC=acme,DC=root,DC=local</baseDN>
    <!--<alternateBaseDN></alternateBaseDN>-->
    <adminDN>service_xmpp@acme.root.local</adminDN>
    <adminPassword>secret</adminPassword>
    <connectionPoolEnabled>true</connectionPoolEnabled>
    <sslEnabled>true</sslEnabled>
    <ldapDebugEnabled>false</ldapDebugEnabled>
    <autoFollowReferrals>false</autoFollowReferrals>
    <subTreeSearch>true</subTreeSearch>
    <usernameField>sAMAccountName</usernameField>
    <searchFilter><![CDATA[(&(sAMAccountName={0})(objectCategory=person)(memberOf=CN=Openfire Roles - Users,OU=Groups,DC=acme,DC=root,DC=local))\]\]\></searchFilter>
    <nameField>name</nameField>
    <emailField>mail</emailField>
    <groupNameField>cn</groupNameField>
    <groupMemberField>member</groupMemberField>
    <groupDescriptionField>description</groupDescriptionField>
    <posixMode>false</posixMode>
    <groupSearchFilter><![CDATA[(&(objectCategory=group)(DC=Openfire Roles*))\]\]\></groupSearchFilter>
</ldap>

Aaron_Axelsen · December 17, 2007, 9:07pm

I actually caught Gato in the chat last week. My problem as that the alternatebasedn only works for users and not groups.

Robert_Eckdale · December 18, 2007, 2:40pm

Now that you mention it I do seem to recall reading that use of the alternateDN didn’t support groups. That being said, the use of the ldapDN, an alternateDN if necessary, a well constructed search filter and group search filter can fit most situations.