LDAP auth with both user and group membership

Hi,

I'm probably missing something in the documentation - but am not seeing how to accomplish authentication how we want. First, I'm running Wildfire 3.2.3 authenticating to an OpenLDAP directory. I have basic user authentication working so I'm most of the way there. Here's what I want to do:

Uid authenticating to something like ou=people,ou=chatserver,ou=host,o=ldapsvc,dc=bar,dc=foo

and from the "people" branch my users can authenticate as we stand. However, now I want to allow only users in a group in an LDAP branch looking like

memberUid found in cn=staff,ou=PosixGroup,ou=chatserver,ou=host,o=ldapsvc,dc=bar,dc=foo

As I said, my users in the Uid branch are getting on fine, but how do I also test for group membership (memberUid) in my group branch as stated above? My baseDN is set to

ou=chatserver,ou=host,o=ldapsvc,dc=bar,dc=foo

with the "Search Field" set to ou=people.

How/where do I configure the group requirement?

Thanks very much,

Ray

If you want to restrict access to only those in a certain LDAP group, you can edit the openfire.xml file under conf to have something like this:

Hopefully that is what you are after.

Thank you for the response. I'm not sure if this filter is exactly what will work. It isn't working, btw. The second "part" of it looks good - I'm wondering about the "objectClass=organizationalPerson" part. Is "organizationalPerson" an Active Directory-specific value? Since everything to the right of this bit looks right, I'm wondering if I need to change "organizationalPerson" to something else?

Thanks again for the help, it seems like this should work, I can only wonder about the exact syntax here.
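The group check the reply describes, worked through as an added example (this is not code from the thread or from Openfire). Two facts frame it: organizationalPerson is a standard LDAP object class (RFC 4519), not something Active Directory-specific, so whether it matches depends only on which object classes the user entries under ou=people actually carry; and on plain OpenLDAP a posixGroup records membership as memberUid on the group entry, not on the user entry, so a filter that runs only against the user search cannot see the group at all. What is needed is a second lookup against the group branch. The script below builds both filters with RFC 4515 escaping of the username, evaluates them against a constructed in-memory directory (using a small evaluator for the AND-of-equality subset these filters use), and shows why an unescaped username would widen the user search. The DNs and the uid, memberUid and cn=staff attributes come from the original post; objectClass=posixAccount and the usernames alice and bob are assumptions.

```python
import re

# Bases taken from the original post; the entries under them are constructed.
PEOPLE_BASE = "ou=people,ou=chatserver,ou=host,o=ldapsvc,dc=bar,dc=foo"
GROUP_BASE = "ou=PosixGroup,ou=chatserver,ou=host,o=ldapsvc,dc=bar,dc=foo"
STAFF_GROUP_CN = "staff"

# RFC 4515 escaping for values placed inside a search filter. Without it a
# username such as "*" turns an equality match into a presence match.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str) -> str:
    """First lookup: the user entry under the people branch (posixAccount assumed)."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(username)


def group_membership_filter(username: str, group_cn: str = STAFF_GROUP_CN) -> str:
    """Second lookup, run against the group branch, where memberUid lives."""
    return "(&(objectClass=posixGroup)(cn=%s)(memberUid=%s))" % (
        escape_filter_value(group_cn), escape_filter_value(username))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse_filter(flt: str):
    """Parse only the subset this example emits: (attr=value) and (&(...)(...))."""
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % flt)
    inner = flt[1:-1]
    if inner.startswith("&"):
        # Values are escaped, so no raw parentheses can appear inside them.
        parts = re.findall(r"\([^()]*\)", inner[1:])
        return ("and", [_parse_filter(p) for p in parts])
    attr, _, raw = inner.partition("=")
    if raw == "*":
        return ("present", attr.lower())  # bare "*" is a presence test in LDAP
    return ("eq", attr.lower(), _unescape(raw))


def _matches(node, entry) -> bool:
    if node[0] == "and":
        return all(_matches(child, entry) for child in node[1])
    if node[0] == "present":
        return node[1] in entry
    _, attr, value = node
    return value in entry.get(attr, [])


# Constructed directory: attribute names lowercased, values as lists, as in LDAP.
DIRECTORY = {
    PEOPLE_BASE: [
        {"objectclass": ["posixAccount"], "uid": ["alice"]},
        {"objectclass": ["posixAccount"], "uid": ["bob"]},
    ],
    GROUP_BASE: [
        {"objectclass": ["posixGroup"], "cn": ["staff"], "memberuid": ["alice"]},
    ],
}


def search(base: str, flt: str):
    node = _parse_filter(flt)
    return [e for e in DIRECTORY.get(base, []) if _matches(node, e)]


def authorize(username: str) -> str:
    """The two-step check: user exists under ou=people AND is listed in cn=staff."""
    if not search(PEOPLE_BASE, user_filter(username)):
        return "user not found"
    if not search(GROUP_BASE, group_membership_filter(username)):
        return "not in staff"
    return "ok"


if __name__ == "__main__":
    for name in ("alice", "bob", "mallory", "*"):
        print("%-8s %s" % (name, authorize(name)))
    # Compare the escaped lookup with a naively formatted one:
    print("naive (uid=*) matches", len(search(PEOPLE_BASE, "(uid=*)")), "entries")
```

The point of the last line is the one to remember when typing a filter into openfire.xml by hand: the server substitutes the login name into ldap.searchFilter, so any value that can carry filter metacharacters has to be escaped before it reaches the directory, and the membership test has to be run where the membership attribute actually is.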

Hi, I tried the following:


When I set this as the search filter in the admin panel all seems fine; I can see exactly the users of this group. But after shutting down Openfire and starting it up again I cannot log in with my admin user; after removing the search filter from the XML file it works again.

The Error:

2007.08.17 19:54:44
org.jivesoftware.openfire.auth.UnauthorizedException: org.jivesoftware.openfire.user.UserNotFoundException: Username dschwan not found
    at org.jivesoftware.openfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:109)
    at org.jivesoftware.openfire.auth.AuthFactory.authenticate(AuthFactory.java:149)
    at org.jivesoftware.openfire.admin.login_jsp._jspService(login_jsp.java:135)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:491)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1074)
    at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:39)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:65)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:41)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:69)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:365)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:185)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:689)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:391)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:146)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
    at org.mortbay.jetty.Server.handle(Server.java:285)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:457)
    at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:765)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:627)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:209)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:357)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:329)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:475)
Caused by: org.jivesoftware.openfire.user.UserNotFoundException: Username dschwan not found
    at org.jivesoftware.openfire.ldap.LdapManager.findUserDN(LdapManager.java:626)
    at org.jivesoftware.openfire.ldap.LdapManager.findUserDN(LdapManager.java:554)
    at org.jivesoftware.openfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.java:95)
    ... 32 more
