
LDAP Group Issues

Hello,

I have successfully set up Openfire to work with Active Directory, but I cannot figure out how to incorporate groups. I’m on a large-scale university AD setup, so I do not, of course, have the ability to change any AD settings.

My group code section: (default)

<groupNameField>cn</groupNameField>

<groupMemberField>member</groupMemberField>

<groupDescriptionField>description</groupDescriptionField>

<posixMode>false</posixMode>

<groupSearchFilter>(objectClass=group)</groupSearchFilter>

I’ve tried the suggested “uid” as well, and it did not work. I also saw some long, drawn-out solution elsewhere that involved something like “memberOf=cn=groups…” etc. Again, no luck. Any ideas?

Are your groups contained within the BaseDN you configured for your LDAP connection? I have attached my openfire.xml for a reference. It contains extra stuff pertaining to SSO, so don’t be thrown by that.

No, and I know that is part of the issue. There are many top level OUs. Two of them, Accounts and BL, are what I need to access. Accounts is what is listed as my BaseDN, and it accesses the account information perfectly. BL is where my groups are located. (Or, several OUs below BL as shown below.)

The BaseDN is “ou=Accounts…”

The groups are located in an OU structure like this: “BL > BL-LIBG > Security > User Groups”

Does that make sense?

It makes perfect sense, except that if your BaseDN does not contain the groups they will not be added to the Openfire server. Is there no OU that contains both Accounts and BL?

Yes, the very top level. So, I removed the “ou=Accounts” specification, and now all groups are showing up. So, right now everything works as intended, and I could leave it at that. (That answers my initial question.)

My current issue is, how do I limit who can log in? I’m assuming I need to change something in the search filter? Right now it shows: "<searchFilter>(objectClass=organizationalPerson)</searchFilter>"

Is there something I could change that would make it only allow users listed in group x to use the server? Thank you very much for the help, I really appreciate it!

I think the search filter would go something like this:

<searchFilter><![CDATA[(&(objectClass=organizationalPerson)(memberOf=cn=GroupNameHere,ou=groups,dc=domain,dc=com))]]></searchFilter>

For some reason, that doesn’t want to work for me. Here’s what I have:

<searchFilter><![CDATA[(&(objectClass=organizationalPerson)(memberOf=cn=mainlib,ou=Accounts,dc=ads,dc=iu,dc=edu))]]></searchFilter>

If it is set as that, I cannot even log in to the Admin Console. If I remove (memberOf=cn=BL-LIBG-Admins,ou=Accounts,dc=ads,dc=iu,dc=edu), I am fine, but back where I started. (Obviously.)
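The two problems in this thread, groups that sit outside the configured BaseDN and a memberOf search filter that excludes the account used for the Admin Console, can be reproduced with a small model of what the LDAP server does with a base DN and a filter. The block below is an added example, not code from the thread or from Openfire: it parses the filter syntax used in these replies (RFC 4515 subset with &, |, !, equality and presence), checks subtree scope against a base DN, and runs both over a constructed sample directory that mirrors the poster's OU layout. Every DN, user name and group name in it (dc=example,dc=edu, alice, bob, GroupNameHere) is a placeholder, and the helper names (normalize_dn, in_base_dn, parse_filter, matches, search) are this example's own.

```python
"""Added example, not code from the thread or from Openfire: a small evaluator
for the LDAP search filters discussed above (RFC 4515 subset: &, |, !,
equality and presence), plus a base-DN subtree-scope check.  The directory
below is constructed sample data mirroring the OU layout the poster describes;
every DN, user and group name is a placeholder, not a value from the thread."""

import re

# Constructed sample directory.  Attribute values are lists, as in LDAP.
GROUP_DN = "cn=GroupNameHere,ou=Security,ou=BL-LIBG,ou=BL,dc=example,dc=edu"
ENTRIES = {
    "cn=alice,ou=Accounts,dc=example,dc=edu": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "memberOf": [GROUP_DN],
    },
    "cn=bob,ou=Accounts,dc=example,dc=edu": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "memberOf": [],           # not in the group: a memberOf filter drops him
    },
    GROUP_DN: {
        "objectClass": ["top", "group"],
        "member": ["cn=alice,ou=Accounts,dc=example,dc=edu"],
    },
}
DN_ATTRS = {"memberof", "member"}   # attributes whose values are DNs


def normalize_dn(dn):
    """Lower-case and strip spaces around the commas separating RDNs, so that
    'ou=Accounts, dc=example' equals 'ou=accounts,dc=example'.  Simplified
    helper: escaped commas and spaces inside a value are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_base_dn(entry_dn, base_dn):
    """Subtree scope: entry_dn is base_dn itself or lies somewhere below it."""
    e, b = normalize_dn(entry_dn), normalize_dn(base_dn)
    return e == b or e.endswith("," + b)


def parse_filter(text):
    """Parse a filter into a nested tuple tree.  Raises ValueError on unbalanced
    parentheses or stray characters (e.g. '[' ']' left over from a mangled CDATA)."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if not children or (op == "!" and len(children) != 1):
                raise ValueError("bad operand count for '%s'" % op)
            node = (op, children)
        else:
            m = re.match(r"([A-Za-z][\w.;-]*)=([^()]*)", text[pos:])
            if not m:
                raise ValueError("bad filter item at offset %d" % pos)
            pos += m.end()
            node = ("=", m.group(1), m.group(2))
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return node


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attribute dict."""
    if node[0] == "&":
        return all(matches(c, attrs) for c in node[1])
    if node[0] == "|":
        return any(matches(c, attrs) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    values = {k.lower(): v for k, v in attrs.items()}.get(attr.lower(), [])
    if value == "*":                      # presence filter, e.g. (memberOf=*)
        return bool(values)
    if attr.lower() in DN_ATTRS:          # DN-valued attributes compare as DNs
        return any(normalize_dn(v) == normalize_dn(value) for v in values)
    return any(v.lower() == value.lower() for v in values)


def search(base_dn, filter_text, entries=ENTRIES):
    """Return, sorted, the DNs under base_dn whose attributes satisfy the filter."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items()
                  if in_base_dn(dn, base_dn) and matches(node, attrs))


if __name__ == "__main__":
    # Groups live under ou=BL, so a base DN of ou=Accounts never returns them.
    print(search("ou=Accounts,dc=example,dc=edu", "(objectClass=group)"))
    print(search("dc=example,dc=edu", "(objectClass=group)"))
    # The memberOf filter keeps alice and drops bob; an admin account that is
    # not a direct member of the group is dropped the same way.
    restrict = "(&(objectClass=organizationalPerson)(memberOf=%s))" % GROUP_DN
    print(search("dc=example,dc=edu", restrict))
    try:
        parse_filter("[" + restrict + "]")   # bracket-wrapped form from the thread
    except ValueError as exc:
        print("rejected:", exc)
```

Two things the model makes visible. First, subtree scope is purely a DN-suffix test: with ou=Accounts as the base, the group entries under ou=BL are never returned no matter what the group filter says, which is why widening the BaseDN to the common parent fixed the group listing. Second, every login, the Admin Console account included, has to pass the user searchFilter, and in Active Directory memberOf holds only direct group memberships; an account that is not a direct member of the group named in the filter is simply not found, which matches the lock-out the poster describes. A check worth running before deploying such a filter is whether the DN used for the console account satisfies it.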

I have attached a modified openfire.xml and a picture to show the results of a filter I ran on my server. It reduced the people to only the IS Team of my company.

For some reason, that’s just not working for me. Let me try to explain a little better what my AD structure is:

AD (Top Level)
-Accounts (This OU contains all users.)
-BL (On the same level as Accounts.)
  -BL-LIBG (Right below BL)
    -Security (Right below BL-LIBG; this OU contains our groups.)

If I modify my searchFilter to work with yours, I cannot even log in to the Admin Console. Another thing I’m noticing is that if I leave the searchFilter default, when I go to the Users/Groups screen and view a user’s properties, next to Groups it shows none, even though, when I go to a specific group in the Group Summary, it clearly shows that user as a member of that group. So, basically, it’s getting the account information perfectly. It’s also able to see every group in the directory and its members. BUT, when looking at each user, they show up as not being a member of any group.