LDAP and AD - Limiting Users

After my initial problem with using firefox to configure openfire, I’m now trying to limit the users returned from AD that can use openfire.

Current AD:

company.local (dc)
    company1 (ou)
        users (ou)
            dept_1 (ou)
                user_a (cn)
                user_b (cn)
            dept_2 (ou)
                user_c (cn)
                user_d (cn)
                user_e (cn)
            dept_3 (ou)
                user_f (cn)
            dept_4 (ou)
                user_g (cn)
            dept_5 (ou)
                user_h (cn)
            dept_6 (ou)
                user_i (cn)
        security groups (ou)
            applications (ou)
                xmpp_users (cn) - a security group

The xmpp_users group contains dept_1 and dept_2.

How can I limit the user list to only those users who resolve to members of xmpp_users? Setting BaseDN to dc=company,dc=local gives me all accounts including computers. I have tried this filter

(&(objectClass=organizationalPerson)(memberof=CN=XMPP_Users,OU=Applications,OU=Security Groups,OU=Company1,DC=company,DC=local)) but it means I can’t add any administrators.

I can filter the groups to only show dept_1 and dept_2 using a similar filter.

Is it also possible to have a group that contains openfire admins?

The following is what I did to limit the users and groups that were returned from Active Directory into Openfire:

  1. Create security group called, “Openfire Users”

  2. Create security group called, “Openfire Groups”

  3. Add users in AD to the “Openfire Users” security group that you want to have access

  4. Add security groups in AD (such as: IT, Accounting, Department1, Department2, etc…) that define the users in step 3 to the “Openfire Groups”

  5. Configure Openfire Setup with the following:

base dn: DC=company,DC=local

user filter: (memberOf=CN=Openfire Users,CN=Users,DC=company,DC=local)

group filter: (memberOf=CN=Openfire Groups,CN=Users,DC=company,DC=local)


  • I had to set up my “Openfire Groups” security group as a “Domain Local” type, so that other security groups (Global) could be properly added as members.

  • I recommend setting up a few users into “Openfire Users” and a few groups into “Openfire Groups” and testing the configuration within the Openfire Setup to verify that everything is working properly, before you spend too much time doing this for 100s of users.

The Openfire Setup will allow you to choose Admin users who can manage Openfire, after you have set up LDAP. But the Admin users cannot be maintained through AD.

– Curt

So, you couldn’t have AD groups as members of the openfire_users CN? I have a number of departments and would rather just add a user to the department group if they move in/out of departments and not have to directly manage the openfire users.


That sounds like that could work. To a degree it just comes down to how you want to manage your users and groups. You may have to set up your “openfire_users” as a “Domain Local” security group type, so other security groups can be added as members.

– Curt

I found the solution;

The user filter needs to be:

(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=openfire_Users,OU=Applications,OU=Security Groups,OU=CompanyA,DC=Company,DC=local))

It gave me the correct limited list of users with the test button.

I just need to see why I came across another





Caused by:


after the group settings.


I think I found the cause of the error myself. It appears to be a timeout related issue as I went through the whole install again without looking for extra details, filled in everything as I was wanting it and all went fine.

I now have a working server after a few more reinstalls due to plugin corruptions.

All good for now.

Sorry to resurrect a long dead thread but I have almost the same problem and near certain it’s with my User Filter.

Can you tell me what the “memberOf:1.2.840.113556.1.4.1941” is for in your string?

I think that may be my problem because I just copied what you have but not sure what it is and if it works with my setup.

Here’s what I tried to use:


But it still doesn’t find any users in that Group. I’m in LDAP Hell here.



This is MS AD. The memberOf:1.2.840.113556.1.4.1941 allows the supplied DN to be iterated for all members, so if you put groups in it, the groups’ members will be found. See http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx

What I did was download a free LDAP browser that allows queries. Can’t remember which one worked best as all the ones I tried had pros and cons. One of them showed the memberof format which I then looked up on MSDN. If it is not an AD install, you may need to use DN instead of DC.

Do you have any error messages come up?
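
To illustrate the reply above (an added example, not part of any post in this thread): the Python sketch below models in memory which users a plain memberOf filter and the 1.2.840.113556.1.4.1941 in-chain form select, and builds the filter string with RFC 4515 escaping of the group DN. The directory contents, DNs and function names are constructed for the illustration; a real AD server evaluates the filter itself and compares DNs case-insensitively, which this model does not.

```python
IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID quoted in the thread

# Constructed sample directory; every DN below is illustrative.
BASE = "OU=Company1,DC=company,DC=local"
GRP = "OU=Applications,OU=Security Groups," + BASE
USR = "OU=Users," + BASE
XMPP = "CN=XMPP_Users," + GRP

# DN -> (object class, groups the entry is a *direct* member of)
DIRECTORY = {
    XMPP: ("group", ["CN=dept_1," + GRP]),  # circular nesting, on purpose
    "CN=dept_1," + GRP: ("group", [XMPP]),
    "CN=dept_2," + GRP: ("group", [XMPP]),
    "CN=dept_3," + GRP: ("group", []),
    "CN=user_a,OU=dept_1," + USR: ("user", ["CN=dept_1," + GRP]),
    "CN=user_c,OU=dept_2," + USR: ("user", ["CN=dept_2," + GRP]),
    "CN=user_f,OU=dept_3," + USR: ("user", ["CN=dept_3," + GRP]),
    "CN=user_g,OU=dept_4," + USR: ("user", [XMPP]),
}


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(group_dn, nested=True):
    """Build the user filter, with or without the in-chain matching rule."""
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return "(&(objectClass=user)(%s=%s))" % (attr, escape_filter_value(group_dn))


def matching_users(group_dn, nested=True):
    """Users in DIRECTORY that the corresponding filter would select."""
    seen, todo, hits = {group_dn}, [group_dn], set()
    while todo:
        current = todo.pop()
        for dn, (cls, member_of) in DIRECTORY.items():
            if current not in member_of:
                continue
            if cls == "user":
                hits.add(dn)
            elif nested and dn not in seen:  # follow each nested group once
                seen.add(dn)
                todo.append(dn)
    return sorted(hits)


if __name__ == "__main__":
    for nested in (False, True):
        print(user_filter(XMPP, nested))
        for dn in matching_users(XMPP, nested):
            print("   ", dn)
```

With the plain form only the directly added user is returned; the in-chain form also returns the users reached through dept_1 and dept_2, and the circular membership does not cause a loop.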


This link might help as to what I’m doing:


I’m pretty sure I’ve got everything correct except this damn User Filter. Probably wouldn’t hurt if I knew a bit more about LDAP. I’ll go download an LDAP browser. I use ADSI Edit in my MMC console but it doesn’t have the functionality I’m looking for.

Thanks for the reply