Ldap Group Authentication

Hi Guys,

I am trying to get LDAP authentication working with group support.

We have an LDAP domain structure as

Ou=Users,dc=mycompany,dc=com and

another organizational unit, Groups, with a group cn=Wildfire in it.

Added some of the users from Ou=Users as members of Wildfire.

Now I want only the guys who are members of the Wildfire group to be able to authenticate. How can I achieve it?

Here is my LDAP structure:

dc=mycompany,dc=net
|
|-- ou=Users
|     uid=user1      objectclass=person
|                    objectclass=organizationalPerson
|                    objectclass=top
|                    objectclass=inetOrgPerson
|
|-- ou=Groups
      cn=Wildfire,ou=Users   objectClass=organizationalUnit
                             objectClass=groupOfNames
                             member=uid=user1,ou=Users,dc=mycompany,dc=com
                             cn=Wildfire

thanks,

I think you'd have to customize the search filter so only your Wildfire members will be found and can therefore auth.

Hi rb2k,

Can you show some examples for the search filters?

Thanks

This should do it for you.

Jeff

Did I miss something?

Actually I want to authenticate only people in the Wildfire group.

In my directory structure the user data is defined under ou=Users,dc=domain,dc=net.

Created a group named Wildfire as Ou=Groups,cn=Wildfire,dc=net

and added some ppl from Users to the Wildfire group as members. But on the admin web client it shows all users in the LDAP directory and allows them to log in through the client.

Here is my LDAP configuration (group search filter):

(&(objectclass=groupOfNames)(cn=Wildfire)(member=)))

Please advise…

Thanks,

Lhrt

Get rid of the groupSearchFilter for right now. BaseDN should be dc=mycompany,dc=net. Set your searchFilter to this:

(&(objectClass=organizationalPerson)(memberOf=CN=Wildfire,OU=Users,objectClass=organizationalUnit)(uid={0}))

Note: the forums jack up & chars when you put them in a code segment. "&amp;" should just be "&".

Hi hrothgar,

I tried the search filter as (&(objectClass=organizationalPerson)(memberOf=CN=Wildfire,OU=Users,objectClass=organizationalUnit)(uid={0}))

but this shows all users under the base DN. So no filtering of Wildfire group members occurs.

thanks,

Lhrt

memberOf is only available with Active Directory. Depending on your LDAP server you may have to use another attribute (if it's available).

So what is your LDAP server?

Hi towerman,

thanks for the reply.

I am using the OpenLDAP server 2.2 and I want to authenticate only the members of the Wildfire group.

I can use a different group membership schema:

member ( objectClass groupOfNames) or

uniqueMember (objectClass groupOfUniqueNames)

bye.

Yeah, the problem is that Openfire doesn't offer the possibility to limit authentication to people who are in certain groups.

The only way to "fake" it is when your LDAP server supports a dynamic attribute, often called memberOf, where you put a search filter on users that includes something like:

(objectclass=inetorgperson)&&(memberof=cn=group,ou=etc,dc=.com)

The problem is that I don't think OpenLDAP supports it (I have the same problem with Sun ONE Directory).

Hi Guys,

At last I found a workaround for my problem. Don't know what the long-term effect of this will be.

What I did is put an 'ou' attribute on all users, e.g. ou=Openfire,

then added a group named Openfire with members in it, and on the user filter added (ou=Openfire)

and on the group search filter added (&(cn=Jabber)(objectClass=groupOfNames)).

So here is my LDAP directory:

ou=People
|
|__ uid=openfireuser   objectClass=person
                       objectClass=organizationalPerson
                       objectClass=top
                       objectClass=inetOrgPerson
                       cn=firstname lastname
                       sn=openfire user
                       givenName=firstname lastname
                       ou=Openfire
ou=Groups
|
|__ cn=Openfire        objectClass=groupOfNames
                       cn=Openfire
                       member=uid=openfireuser,ou=People,dc=mycompany,dc=com

and the search filters are:

<searchFilter>(ou=Jabber)</searchFilter>

<groupSearchFilter>(&(cn=Jabber)(objectClass=groupOfNames))</groupSearchFilter>

Thanks, Lhrt
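To make the two points above concrete (why a memberOf filter matches nothing on an OpenLDAP server that has no memberOf attribute, and what the ou-tagging workaround and a group-side lookup do instead), here is an added example that is not from the thread or from Openfire: a tiny evaluator for the equality-and-AND subset of LDAP filters used in this discussion, run over constructed entries shaped like the poster's directory. The entry names, DNs and the `member_of_group` helper are all assumptions of this example.

```python
# Added example, not code from the thread or from Openfire. A tiny evaluator for the
# equality-and-AND subset of LDAP filters used above, run over constructed entries
# shaped like the poster's directory (no memberOf attribute, as on OpenLDAP 2.2).
BASE = "dc=mycompany,dc=com"
PERSON = ["top", "person", "organizationalPerson", "inetOrgPerson"]
ENTRIES = {  # attribute names stored lowercase; LDAP treats them case-insensitively
    f"uid=user1,ou=People,{BASE}": {"objectclass": PERSON, "uid": ["user1"], "ou": ["Openfire"]},
    f"uid=user2,ou=People,{BASE}": {"objectclass": PERSON, "uid": ["user2"]},
    f"cn=Openfire,ou=Groups,{BASE}": {"objectclass": ["groupOfNames"], "cn": ["Openfire"],
                                      "member": [f"uid=user1,ou=People,{BASE}"]},
}

def parse_filter(s):
    """Parse '(attr=value)' or '(&(f1)(f2)...)' into nested tuples."""
    def parse(i):
        if s[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        if s[i + 1] == "&":
            i, parts = i + 2, []
            while s[i] != ")":
                node, i = parse(i)
                parts.append(node)
            return ("&", parts), i + 1
        j = s.index(")", i)  # DNs never contain ')', so the first one closes this term
        attr, value = s[i + 1:j].split("=", 1)
        return ("=", attr.strip().lower(), value.strip()), j + 1
    node, end = parse(0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return node

def matches(entry, node):
    if node[0] == "&":
        return all(matches(entry, n) for n in node[1])
    _, attr, value = node  # equality match; a missing attribute never matches
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def search(filt, username=None):
    """Apply the filter to every entry; '{0}' is Openfire's username placeholder."""
    node = parse_filter(filt.replace("{0}", username or ""))
    return sorted(dn for dn, e in ENTRIES.items() if matches(e, node))

def member_of_group(username, group_dn):
    """Without memberOf, check from the group side: resolve the user's DN,
    then look for it in the group's member attribute."""
    user_dns = search("(&(objectClass=organizationalPerson)(uid={0}))", username)
    return any(dn in ENTRIES[group_dn].get("member", []) for dn in user_dns)
```

Running `search` with the memberOf filter from the thread returns no entries, while `search("(&(ou=Openfire)(uid={0}))", "user1")` and `member_of_group("user1", ...)` both admit only the tagged or listed member.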

Isn't there another possibility?

I'm also trying to set this up. Base DN is OU=Users company,DC=domain,DC=co,DC=uk, the User Filter is (&(objectClass=organizationalPerson)(memberOf=CN=Spark,OU=Users company,objectClass=organizationalUnit)(uid={0}))

Isn't the uid element redundant for AD, as organizationalPerson handles that?

When I run a test it says that no user matches this filter, but a group Spark exists within the Users company OU and contains several members, including another group (will it understand this?).

If I change the search filter back to (objectClass=organizationalPerson) and proceed with that it finds users.

I go on trying:

My BaseDN is just DC=company,DC=de…this works fine.

When I now check the settings I see all users of my AD. Now I add a Search Filter:

Again I check the connection and now I only see the users of my group (GRP-JABBER-STANDARD). Now I save the connection, go to Users/Groups and there too I see exactly the users I wanted to see.

But the second I restart the Openfire service I cannot log in anymore.

Okay, I think I have found my problem:

I have one OU that is called 02 GRUPPEN with two spaces between 02 and GRUPPEN. This is not saved correctly in the XML file, one space is getting deleted and so it can't find the OU anymore. When I change this by hand and restart Openfire it changes the entry again…

can anybody help me with that issue?

Not to state the obvious, but you should not have any spaces in the names of OUs. You just demonstrated why. Luckily the OU names can be changed, which is really your only option that I am aware of. I recommend never having spaces in OU names; if you need a space, use a dash or an underscore.

I found the Solution:

http://www.igniterealtime.org/community/message/153974#153974

I still feel I must point out that you are using an improper naming structure for your OU. There should never be spaces in the names of an OU, just as there should not be spaces in a URL. Just because the server will allow you to do it does not mean it is proper. The correct fix would be to fix the names of your OUs.

I have used the string provided by pcb-dennis as a search filter, and it works like a charm. However, the group I wish to filter by has another group within it and it seems OpenFire is not parsing the sub-group. Since we’re on the “proper” way of doing things, when allocating a department to an app, you should have a security global group for the department and a security local domain group to control access to the app, with the department group being a member of the software group.

Is there any way to make this work, or does the group have to contain names?

I have not experienced this problem, but I do not use filters. I have my LDAP configured in such a way that they are not needed for Openfire. The problem with filters is that they are fairly unforgiving in their nature. If your LDAP structure or LDAP config for Openfire is not proper, the filter will not work as expected. I cannot be more specific because everyone's LDAP is different.