LDAP Authentication by OU's Issue


We have OpenFire setup in our company since few months ago. Because strategical reasons few weeks after we launch, the chat service was reduced to 2 ou’s instead of the whole AD; the AD structure is as follows:

OU - CompanyOus

|----ou City1

|----ou City2

|----ou City3

|----ou City4

|----ou City5…

So what we did was to point* baseDN* and *alternateBaseDN *tags to the only 2 ou’s of citys that should have chat service, and openfire.xml config looks like this:



Everything works fine this way, but now I have to include two more ou’s (let’s say City3 & City4). The tag alternateBaseDN can only be used once, so I’ve tried a pair of workarounds:

1st. Regarding this documentation http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ldap-gui de.html I could include a group in BaseDN in form cn=group, so I’ve tried:


Where “OpenFireUsers” is a group in ou City1 that contains 4 groups, each one containing all the users that belong to City1, City2, City3 & City4. Unfortunately it did not work.

2nd. As I’ve read in another thread, I’ve created a filter for this “OpenFireUsers” group to choose the ones that have rights to login to the chat, using this tag:


I didn’t work neither.

The point is that we have applications that point to “CompanyOus/City1…, CompanyOus/City2…” so I’m trying to avoid to restructure again the whole AD to let the users access to chat.

Anyone with a similar situation setup? Anything wrong with the syntax of the filter? Should I create a new OU only for chat permissions including security groups of allowed users in chat?

Any help would be appreciated. Thanks!

You baseDN needs to be set to ou=CompanyOus,dc=Company,dc=com. You then need to use a filter to limit the users. I would create a new OU under this baseDN for chat security groups (i.e. ChatGroups). In that OU make 1 or more groups you would like to use with openfire. This could include an all viable chat users group. Then us a user filter such as this:

That should do the trick. You will not need a group filter at all.

Hi Todd,

Thank you very much for your quick answer. I’ve been implementing what you’ve suggested, and works perfectly, except when I want to use groups in the target group of the searchfilter, I mean, I got groups in each ou like “All users in City1”, and if i include this group inside the group of the searchfilter, the users within are not authorized to login.

Another solution would be to export the users from these groups, and add them individually to this group, but I’d like to take advantage of have them grouped by location, do you know if this could be possible?

Again, thank you very much for your help!!!

you should not need to use a group filter to limit users. This is a a function of the user filter. The filter example I provided limits openfire to what users can login by group membership. I know this seems odd that this should be a user filter but it is.

Hi Todd,

I did not explain myself clearly, sorry. What I mean is, in the example you provided:

If I put users inside “AllChatUsers”, authentication works fine for these users, but if I put inside a group, it does not authenticate the users inside this second group.

What I mean is that if it’s possible to put groups inside this cn group, or is limited, because objectclass=organizationalperson, and so the filter only works with users.

Again, thank you very much for your help.

you can add as many groups to that string as you want. see this document: http://www.igniterealtime.org/community/docs/DOC-1554

i have the exact problem like the above, and your solution works like a charm, but unfortunately, openfire filter is limited to 250 character, even if i tried to do it directly in active directory server, it is limited to 448 character, is it possible to extend this? or is there a query to automatically retrieve all members of the groups that reside on 1 OU?

sorry, i don’t familiar with this LDAP query stuff.

This would be a bug. I have created an issue for this: http://www.igniterealtime.org/issues/browse/JM-1482

Please award points for helpful and correct answers.

thank you for your explanation.

this might sound stupid, but how do i award points for helpful and correct answers?

thanks again.

You cannot because this is not your thread. This is why you should ask new questions in new thread you start instead of adding them to another persons thread, especially one marked answered.

noted, i just thought it is very related to this thread so i keep it on going.

sorry if i’m hijacking another person thread, won’t happen again.