LDAP Group issue when using OU's


I just recently implemented 3.6.0a on a new machine and configured it to authenticate LDAP over a DMZ to my LAN ADS DC. Users can authenicate and work, but the group query still appears to be wrong as it repeats the users in the group section. Here’s my configuration:


OpenFire LDAP Config:

Base DN:
Administrator DN:

What am I missing here to cause the groups to show as the users? I assume the inclusion of OU=“Users” causing the proper groups to not show up by locking it to that OU, but if this is so, why can I not get it to authenicate correctly unless I use OU=“Users”?

When I use a Base DN: OU=“company”,DC=“domain”,DC=“local”, I get the following:

Status: Error

No users were found using the specified configuration. Try changing the base DN, user filter or username field.

But using: OU=“Users”,OU=“company”,DC=“domain”,DC=“local” works out with users able to authenicate. It’s just that groups show the users as “groups”.

Also of note, I am using the defaults after step #1 (i.e. sAMAccountName, group mapping=cn, member field=member, etc).

Are you actually using quotes around each of the words in your basedn and admin dn? They are not needed. Maybe this will help you: Binding Openfire to Active Directory LDAP

Thanks for the link to using LDAP with openfire. I had overlooked that seeing that link, I’ll check it over.

As for the quotes, it is rather irrelevant in this case as either way will work.

With Linux OpenLDAP, the quotes help to ensure that if you have a space or special character in any of your string values, it will pass a whole value instead of an error due to misconfiguration. Use of naming values containing special characters: (+=,;"<>#, leading/trailing spaces, consecutive spaces, or ) within DNs will cause nothing but grief and should be avoided. In my case, I chose to use quotes to cover my rear end in troubleshooting as to why I’m unable to see groups and to find the correct string for my BaseDN and GroupCN.

http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ldap-gui de.html and OpenLDAP examples resolved this.

All Active Directory users should look at using the following settings:

ldap.usernameField sAMAccountName

ldap.nameField displayName

ldap.groupSearchFilter “(objectClass=group)”

ldap.searchFields “Username/uid,Name/cname”

ldap.searchFilter “(objectClass=organizationalPerson)”