powered by Jive Software

LDAP different DN for groups

Right now the ldap configuration contains ldap.baseDN. I would like to have a different group DN to help limit the searches. The problem I am having right now is my current ldap tree has an organizationalUnit for my login groups (ou=group,dc=foo,dc=bar) and a different organizationalUnit for openfire (ou=OpenFireGroups,dc=foo,dc=bar). Right now I have to set the “owner” attribute to OpenFire and create a groupSearchFilter (&(cn=)(objectClass=groupOfNames)(owner=OpenFire)). You could keep the ldap.baseDN for backwords compatibility and add something like ldap.userDN for user lookup and ldap.groupDN for group lookup. I could then have something like

<ldap>
  <userDN>ou=People,dc=foo,dc=bar</userDN>
  <groupDN>ou=OpenFireGroups,dc=foo,dc=bar</groupDN>
</ldap>

Why not use a user filter and a group filter along with a very relaxed BaseDN. The filters will narrow the results for you.

Did you actually read my post?

Yes I and i think my point is still valid. Use the top of the LDAP tree for for you base DN the use the filters correctly in openfire to limit results. On my test server I was able to limit results to 2 users in different groups in my LDAP with filters.

If his directory services backend is Active Directory, he cannot.

MS Active Directory and LDAP integration has a limitation with it.
It seems the MS implementation of LDAP does not support search filters based on OU. In my case I had a large AD tree and I only wanted to connect to 2 OUs. No matter what I tried I couldn’t get the search filter to filter on the basis of OU.

Further reading and playing around with LDAP searches in Softerra LDAP Browser confirmed it couldn’t be done with a single search filter. No results are returned. You need to point the base of your search at the OU and then create your filter for the objects inside it. This negates the ability to search multiple OUs at the same level of a tree.

i.e (&(objectClass=group)(ou=OpenFireGroups) doesn’t work.

I totally agree with the original poster and request an ldap.baseGroupDN property that can be defined apart from the ldap.baseDN property for users.

My AD tree:

company.com

|

L__ Accounts

| L__ user1

| L__ user2

|

L__ Groups

| L__ group1

| L__ group2

|

L__ Group Policies

|

L__ Departments

|

L__ etc

Searching DC=company,DC=com for (&(ou:dn:=Groups)(objectClass=group)) returns nothing.

Searching DC=company,DC=com for (&(&(ou:dn:=Accounts)(objectClass=user)(memberOf=CN=group1,OU=Groups,DC=company ,DC=com))) returns nothing.

Searching DC=company,DC=com for (&(ou:dn:=Accounts)(objectClass=user)) returns nothing.

These searches work, but the base DN needs to be related to their search. Searching for users requires the base to be OU=Accounts,DC=company,DC=com.

Searching for groups requires the base to be OU=Groups,DC=company,DC=com.

My organization is very large (thousands of users and computers and hundreds of groups). The AD tree layout cannot and will not be changed for a messaging program. I feel other users are in the same boat and that is why this feature is requested.

Wiht the use of custom groups you can limit both users and groups. If you create a group with all valid chat users, it will limit openfire to those users. If you create groups you wish to use with Openfire with a specific prefix (e.x. chat_) then you can use a group filter with a wildcard to limit groups to only those iwht that prefix. the groupDN is only heplful if all groups are contain in one OU. the filter method does not have this limitation.

Your structure is fine, you just need to see my previous post for how to work within your limitations.

Hey Todd,

So, given the AD tree below, if I provide OpenFire with a base DN of “OU=Groups,DC=company,DC=com” and a filter of “(&(objectClass=user)(memberOf=CN=group1,OU=Groups,DC=company ,DC=com))” it will only list the users that are members of that group? Assume group1 is all the users I want to have access to OpenFire. Now suppose group2 is a group I create for an OpenFire buddy group. That should show up in my groups list (as well as group1) in the OpenFire admin console?

company.com

|

L__Accounts

| L__ user1

| L__ user2

|

L__Groups

| L__ group1

| L__ group2

|

L__Group Policies

|

L__Departments

|

L__etc

Thanks,

unless your users are contained within that OU you will not find the users. With a filter in place you can make your baseDN just the domain and the filter will limit the results.

Thanks for the continued help Todd, I’m just having trouble crafting a filter that would return users.

Say my base DN is “DC=company,DC=com”.

All my user account objects are in “OU=Accounts,DC=company,DC=com”

My OpenFire user group object is “CN=OpenFireUsers,OU=Groups,OU=MyDept,OU=Departments,DC=company,DC=com”

I am unable to create a filter to return any users if the base DN is the root of the AD tree.

Any ideas, pointers, urls?

Thanks again,

What kind of group is it? what is your filter?

So your BaseDN should be: dc=domain,dc=com

Your filter shoud be: (&(objectClass=organizationalPerson)(memberOf=cn=OpenFireUsers,ou=Groups,ou=MyD ept,ou=Departments,dc=company,dc=com))

after setting these you need to restart openfire. don’t forget you need to be in that group too, as well as any other openfire admin.

Thanks Todd,

That did it. I was also able to get group listings by:

(&(objectClass=group)(memberOf=cn=OpenFireGroups,ou=Groups,ou=MyDept,ou=Departme nts,dc=company,dc=com))

I appreciate all the help. I did notice that when you make a change to an AD group (adding/deleting users) OpenFire will not reflect the change until it is restarted. Is this by design or is there a way I can refresh that information without shutting the daemon down?

The LDAP refresh seems to vary greatly from server to server. I have no idea why. My server refreshes LDAP every few minutes so changes are reflected quite quickly.

Hello, I am having problems very similar to virtualwallflower with user filters. I’m not able to figure out how to use my openfire LDAP group to limit my user search. Below is the LDAP schema I’m working with. The number of actual People accounts we have is around 400k but the actual number of users in my openfire group that need to login is around 20. What I put in (&(objectClass=organizationalPerson)(memberOf=cn=openfire,ou=Groups,o=company.com)) for the User Filter and (&(objectClass=companyGroup)(memberOf=cn=openfire,ou=Groups,o=company.com)) for the Group Filter I get username not found error when I try and add an admin with dude1@company.com. However if I change my user filter to be (&(objectClass=organizationalPerson)( cn=dude1)) I can add dude1 to be an admin but in the admin console user search I can only find dude1. I’ve reviewed threadhttp://community.igniterealtime.org/thread/33779 even though it seems like a very similar use case I cannot seem to get this working. Any ideas of what I should try?

LDAP schema:

company.com

http://company.com/ People