LDAP Authentication by OU's Issue

jrsoler · October 16, 2008, 8:05am

Hello,

We have OpenFire setup in our company since few months ago. Because strategical reasons few weeks after we launch, the chat service was reduced to 2 ou’s instead of the whole AD; the AD structure is as follows:

OU - CompanyOus

|----ou City1

|----ou City2

|----ou City3

|----ou City4

|----ou City5…

So what we did was to point* baseDN* and *alternateBaseDN *tags to the only 2 ou’s of citys that should have chat service, and openfire.xml config looks like this:

ou=City1,ou=CompanyOus,dc=Company,dc=com

ou=City2,ou=CompanyOu2,dc=Company,dc=com

Everything works fine this way, but now I have to include two more ou’s (let’s say City3 & City4). The tag alternateBaseDN can only be used once, so I’ve tried a pair of workarounds:

1st. Regarding this documentation http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ldap-gui de.html I could include a group in BaseDN in form cn=group, so I’ve tried:

cn=OpenFireUsers,ou=City1,ou=CompanyOus,dc=Company,dc=com

Where “OpenFireUsers” is a group in ou City1 that contains 4 groups, each one containing all the users that belong to City1, City2, City3 & City4. Unfortunately it did not work.

2nd. As I’ve read in another thread, I’ve created a filter for this “OpenFireUsers” group to choose the ones that have rights to login to the chat, using this tag:

ou=City1,ou=CompanyOus,dc=Company,dc=com

I didn’t work neither.

The point is that we have applications that point to “CompanyOus/City1…, CompanyOus/City2…” so I’m trying to avoid to restructure again the whole AD to let the users access to chat.

Anyone with a similar situation setup? Anything wrong with the syntax of the filter? Should I create a new OU only for chat permissions including security groups of allowed users in chat?

Any help would be appreciated. Thanks!

NO_MESSAGES_OR_FRIEN · October 16, 2008, 12:26pm

You baseDN needs to be set to ou=CompanyOus,dc=Company,dc=com. You then need to use a filter to limit the users. I would create a new OU under this baseDN for chat security groups (i.e. ChatGroups). In that OU make 1 or more groups you would like to use with openfire. This could include an all viable chat users group. Then us a user filter such as this:

That should do the trick. You will not need a group filter at all.

jrsoler · October 16, 2008, 10:57pm

Hi Todd,

Thank you very much for your quick answer. I’ve been implementing what you’ve suggested, and works perfectly, except when I want to use groups in the target group of the searchfilter, I mean, I got groups in each ou like “All users in City1”, and if i include this group inside the group of the searchfilter, the users within are not authorized to login.

Another solution would be to export the users from these groups, and add them individually to this group, but I’d like to take advantage of have them grouped by location, do you know if this could be possible?

Again, thank you very much for your help!!!

NO_MESSAGES_OR_FRIEN · October 17, 2008, 11:47am

you should not need to use a group filter to limit users. This is a a function of the user filter. The filter example I provided limits openfire to what users can login by group membership. I know this seems odd that this should be a user filter but it is.

jrsoler · October 17, 2008, 11:53am

Hi Todd,

I did not explain myself clearly, sorry. What I mean is, in the example you provided:

If I put users inside “AllChatUsers”, authentication works fine for these users, but if I put inside a group, it does not authenticate the users inside this second group.

What I mean is that if it’s possible to put groups inside this cn group, or is limited, because objectclass=organizationalperson, and so the filter only works with users.

Again, thank you very much for your help.

NO_MESSAGES_OR_FRIEN · October 17, 2008, 12:37pm

you can add as many groups to that string as you want. see this document: http://www.igniterealtime.org/community/docs/DOC-1554

andreas_johanns · October 18, 2008, 6:17am

i have the exact problem like the above, and your solution works like a charm, but unfortunately, openfire filter is limited to 250 character, even if i tried to do it directly in active directory server, it is limited to 448 character, is it possible to extend this? or is there a query to automatically retrieve all members of the groups that reside on 1 OU?

sorry, i don’t familiar with this LDAP query stuff.

NO_MESSAGES_OR_FRIEN · October 18, 2008, 2:43pm

This would be a bug. I have created an issue for this: http://www.igniterealtime.org/issues/browse/JM-1482

Please award points for helpful and correct answers.

andreas_johanns · October 20, 2008, 1:09am

thank you for your explanation.

this might sound stupid, but how do i award points for helpful and correct answers?

thanks again.

NO_MESSAGES_OR_FRIEN · October 20, 2008, 11:07am

You cannot because this is not your thread. This is why you should ask new questions in new thread you start instead of adding them to another persons thread, especially one marked answered.

andreas_johanns · October 21, 2008, 1:28am

noted, i just thought it is very related to this thread so i keep it on going.

sorry if i’m hijacking another person thread, won’t happen again.

thanks.