Yeah, the problem is that Openfire doesn't offer the possibility to limit authentication to people who are in certain groups.
The only way to "fake" it is when your LDAP server supports a dynamic attribute, often called memberOf, where you put a search filter on users that includes something like:
I’m also trying to set this up. Base DN is OU=Users company,DC=domain,DC=co,DC=uk, the User Filter is (&(objectClass=organizationalPerson)(memberOf=CN=Spark,OU=Users company,objectClass=organizaionalunit)(uid=))
Isn’t the uid element redundant for AD as organizationalPerson handles that?
When I run a test it says that no user matches this filter, but a group Spark exists within the Users company OU and contains several members, including another group (will it understand this?)
If I change the search filter back to (objectClass=organizationalPerson) and proceed with that it finds users.
My BaseDN is just DC=company,DC=de… this works fine.
When I now check the settings I see all users of my AD. Now I add a Search Filter:
Again I check the connection and now I only see the users of my group (GRP-JABBER-STANDARD). Now I save the connection, go to Users/Groups and I also see exactly the users I wanted to see.
But the second I restart the Openfire service I cannot log in anymore.
I have one OU that is called 02  GRUPPEN with two spaces between 02 and GRUPPEN. This is not saved correctly in the XML file: one space is getting deleted and so it can't find the OU anymore. When I change this by hand and restart Openfire it changes the entry again…
Not to state the obvious, but you should not have any spaces in the names of OUs. You just demonstrated why. Luckily the OU names can be changed, which is really your only option that I am aware of. I recommend never having spaces in OU names; if you need a space, use a dash or an underscore.
I still feel I must point out that you are using an improper naming structure for your OU. There should never be spaces in the names of an OU, just as there should not be spaces in a URL. Just because the server will allow you to do it does not mean it is proper. The correct fix would be to fix the names of your OUs.
I have used the string provided by pcb-dennis as a search filter, and it works like a charm. However, the group I wish to filter by has another group within it and it seems OpenFire is not parsing the sub-group. Since we’re on the “proper” way of doing things, when allocating a department to an app, you should have a security global group for the department and a security local domain group to control access to the app, with the department group being a member of the software group.
Is there any way to make this work, or does the group have to contain names?
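The three practical points raised in this thread (building the memberOf user filter, the OU name with a double space that the config round-trip mangles, and a memberOf filter not seeing members of a nested group) can be checked offline. The following is an added example, not code from Openfire or from any poster; the directory entries, DNs, group names and user names in it are constructed sample data, and the transitive-membership walk is a stand-in for what a directory server would have to do for you.

```python
"""Added example: LDAP user-filter hygiene for the memberOf approach.

1. escape_filter_value / build_group_member_filter: RFC 4515 escaping so a group DN
   (or any value) cannot alter the structure of the filter it is placed in.
2. fragile_space_components: pre-check that flags RDN values with leading, trailing
   or consecutive spaces, the kind of OU name that the thread shows being collapsed
   when the config is written out.
3. direct_members vs transitive_members: why (memberOf=<group>) misses users who
   are only members of a group nested inside the target group.
"""

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_member_filter(group_dn: str, object_class: str = "organizationalPerson") -> str:
    """Return the (&(objectClass=...)(memberOf=<group DN>)) filter as a string."""
    return "(&(objectClass=%s)(memberOf=%s))" % (
        escape_filter_value(object_class), escape_filter_value(group_dn))


def fragile_space_components(dn: str) -> list:
    """Return RDN values whose spaces are likely to be mangled by config tooling.

    RFC 4514 requires leading and trailing spaces in a DN string to be escaped;
    consecutive inner spaces are legal but easily collapsed by anything that
    normalises whitespace, so both cases are flagged. The sample DNs contain no
    escaped commas, so a plain split on ',' is sufficient here.
    """
    flagged = []
    for rdn in dn.split(","):
        _, _, value = rdn.partition("=")
        if value != value.strip() or "  " in value:
            flagged.append(value)
    return flagged


# Constructed sample directory: DN -> attributes. memberOf is the back-link
# attribute the thread relies on and lists DIRECT memberships only.
SPARK = "CN=Spark,OU=Groups,DC=example,DC=test"
SALES = "CN=Sales,OU=Groups,DC=example,DC=test"
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=test": {
        "objectClass": ["organizationalPerson", "user"], "memberOf": [SPARK]},
    "CN=bob,OU=Users,DC=example,DC=test": {
        "objectClass": ["organizationalPerson", "user"], "memberOf": [SALES]},
    SALES: {"objectClass": ["group"], "memberOf": [SPARK]},   # Sales is nested in Spark
    SPARK: {"objectClass": ["group"], "memberOf": []},
}


def _users_in(groups, directory):
    return sorted(dn for dn, attrs in directory.items()
                  if "organizationalPerson" in attrs["objectClass"]
                  and groups & set(attrs["memberOf"]))


def direct_members(group_dn: str, directory=DIRECTORY) -> list:
    """Users the plain (memberOf=<group>) filter returns: direct membership only."""
    return _users_in({group_dn}, directory)


def transitive_members(group_dn: str, directory=DIRECTORY) -> list:
    """Users reachable through nested groups, i.e. what the poster expected to see."""
    seen, stack = set(), [group_dn]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        # every group that is itself a direct member of `group` is nested under it
        stack.extend(dn for dn, attrs in directory.items()
                     if "group" in attrs["objectClass"] and group in attrs["memberOf"])
    return _users_in(seen, directory)


if __name__ == "__main__":
    print(build_group_member_filter(SPARK))
    print(fragile_space_components("CN=GRP-JABBER-STANDARD,OU=02  GRUPPEN,DC=company,DC=de"))
    print("direct:    ", direct_members(SPARK))
    print("transitive:", transitive_members(SPARK))
```

Run against the constructed directory, the plain filter returns only alice, while the transitive walk also returns bob, who is only a member of Sales. A server-side filter cannot perform that walk by itself; Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941, used as `memberOf:1.2.840.113556.1.4.1941:=<group DN>`) does it on the server for AD specifically, and other directories need the group flattened or the nested group's users added directly.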
I have not experienced this problem, but I do not use filters. I have my LDAP configured in such a way that they are not needed for Openfire. The problem with filters is that they are fairly unforgiving in their nature. If your LDAP structure or LDAP config for Openfire is not proper, the filter will not work as expected. I can not be more specific because everyone's LDAP is different.