LDAP. I don't want to create a new OU for Wildfire

I use LDAP and AD. All my users are under the Users OU and I don't want to add another OU just for Wildfire. We are a small company and it is perfectly fine to have all the users under Users.

The search filter part is working fine, I see all the users in the Admin Console and all the users are able to connect, but I can't figure out how to automatically populate the users in Spark.

This is the specific section of my wildfire.xml

<groupNameField>cn</groupNameField>
<groupMemberField>member</groupMemberField>
<groupDescriptionField>description</groupDescriptionField>
<groupSearchFilter><![CDATA[
  (&
    (objectClass=group)
    (member=)
  )]]>
</groupSearchFilter>

looking at AD with LDAP browser I see I have

dc=example

cn=builtin

cn=users (objectclass group)

cn=users (objectclass container)

cn=usersID

.

.

any suggestion is appreciated. Thanks

I can't figure out how to automatically populate the users in Spark.

If you are talking about something like “new users cannot automatically add to the list on Spark clients after I loaded them on the server without restarting”, I would think this is not a configuration problem, but rather a software issue, which is documented as JM-379 but hasn't been solved after all these releases.

To present this in a simple sentence: I tend to believe there is nothing wrong about you.

No. I am actually talking about being able to have the entire list of users show up on spark without having to manually add every single user.

I've read other posts and I believe this should be possible using the groupSearchFilter.

No. I am actually talking about being able to have the entire list of users show up on spark without having to manually add every single user.

Are you sure that the groups in the OU are populated with users?

I once tried your filter (which is the default of Wildfire AFAIK) on empty groups (without users) and they just cannot show up.

Moreover, have you tried enabling “showing offline users” on Spark, but still to no avail?

If you don't want to do a bunch of different groups, just add one group and have everyone a member of that group. Then make that one group visible to all users.

Do I HAVE to create one group and place all the users under it?

What I hoped I could do is just use the “Users” container and treat it as a group since all the users are already under the CN “Users”

I believe you do. What I would do is create a simple groupSearchFilter that would just catch the Domain Users group or something similar. Then share that group from the admin console.

When you say “group,” do you mean an OU? The OUs in AD don't have any real relevance to Wildfire. Use your actual AD security groups to create groups in Wildfire. You can leave all your user objects where they are in AD.

ok.

When you say share the group in the admin console you mean go to

users/group > groups > create new group

and then you will create a group with the same name as the one in LDAP?

after that select the “enable sharing group in roster” right?

This is what I've been trying but no users show up under that group

or am I supposed to actually see that group listed somewhere in the admin console?

If you are using LDAP groups, you won't ever create a group from the admin console. If your groupSearchFilter is working properly, you will see the discovered groups in the Group Summary page of the admin console. From there you go in and share the groups that have already been discovered.

To test your groupSearchFilter, enter it into LDAP Browser's search feature (Ctrl+F) and see what it returns.

So, I've created a group called “wildfire” (and this is a security group at the same level as all the other users. It shows up as two little heads in “ADuser and computers” in my MS DC.)

I've added 4 users under that group.

I went to the LDAP browser and performed a search

SearchDN: cn=users,DC=aaaaaa,DC=bbbbb,DC=com

Filter: memberOf=cn=Wildfire,cn=Users,dc=aaaaaa,cd=bbbbbb,dc=com

and the 4 users showed up!

Then I edited my wildfire.xml file and now it looks like this

<groupNameField>cn</groupNameField>
<groupMemberField>member</groupMemberField>
<groupDescriptionField>description</groupDescriptionField>
<groupSearchFilter><![CDATA[
  (&
    (objectClass=group)
    (memberOf=cn=Wildfire,cn=Users,dc=aaaaaa,cd=bbbbbb,dc=com)
    (member=)
  )]]>
</groupSearchFilter>

restarted wildfire

logged into the admin console

I see the four users in the user summary

I DO NOT see anything under groups summary

and I do not see any users in spark

Let me translate your groupSearchFilter into English:

Match any group that is a member of the Wildfire group.

Do you see that that's not what you want? The only way that will work is if you make the Wildfire group a member of itself! Doh! That's not even possible!

Try this instead:

Translation: match any group whose Common Name is Wildfire. You should then see a Wildfire group show up in the admin console.
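Added example, not part of the original thread and not Wildfire code: a small LDAP filter evaluator run over a constructed directory, showing why the `memberOf` filter returns users when searched on its own, returns nothing once combined with `objectClass=group`, and why `cn=Wildfire` finds the group. The base DN `dc=example,dc=com`, the users `alice` and `bob`, and the case-insensitive equality matching are assumptions made for the illustration; only `&`, `|`, `!`, equality and `=*` presence are supported.

```python
import re

BASE = "cn=Users,dc=example,dc=com"   # constructed base DN
WF = f"cn=Wildfire,{BASE}"            # DN of the group created in the thread
# Constructed sample directory: (dn, attributes) pairs, every value a list.
DIRECTORY = [
    (WF, {"objectClass": ["group"], "cn": ["Wildfire"],
          "member": [f"cn=alice,{BASE}", f"cn=bob,{BASE}"]}),
    (f"cn=Domain Users,{BASE}", {"objectClass": ["group"], "cn": ["Domain Users"]}),
    (f"cn=alice,{BASE}", {"objectClass": ["user"], "cn": ["alice"], "memberOf": [WF]}),
    (f"cn=bob,{BASE}", {"objectClass": ["user"], "cn": ["bob"], "memberOf": [WF]}),
]

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids = f[i], []
        i += 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)   # split once: DN values contain '='
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, attrs):
    if node[0] == "&":
        return all(matches(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(matches(k, attrs) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    have = [v.lower() for k, vs in attrs.items() if k.lower() == attr for v in vs]
    return bool(have) if value == "*" else value in have

def search(filter_text):
    """Return the DNs of all entries in DIRECTORY that match the filter."""
    flat = re.sub(r"\s*([()])\s*", r"\1", filter_text.strip())  # drop layout whitespace
    node, end = parse(flat)
    if end != len(flat):
        raise ValueError("trailing text after filter")
    return [dn for dn, attrs in DIRECTORY if matches(node, attrs)]
```

Running each candidate filter through `search()` before putting it in wildfire.xml mirrors the LDAP Browser check suggested earlier in the thread: a group filter is only useful if the result list contains group DNs.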

I did what you suggested and it still doesn't work.

If I go to the LDAP browser and enter

objectClass=group in the find field I get all the groups

and if I enter cn=Wildfire I see the wildfire group so I assume everything is correct.

…but unfortunately it still doesn't work.

this is my modified wildfire.xml

I can't think of anything else

I still think the member field of your Wildfire group is empty or something like that. Try seeing the properties under that group.

My wildfire group has four member fields, one for each user I added to that group.

How can I add a wildfire member into the wildfire group?

Seems that your LDAP is OK…

Would you mind doing the following (If you have enabled debug log, start at step 5)

  1. Log in to the admin console
  2. Click “Logs” on the left
  3. Click “Debug”
  4. Find “Debug Log” and click “Enabled”, then press “Save changes”
  5. Click “Users/Groups” on the top
  6. Click “Group summary” on the left (don't mind the result)
  7. Click “Server” on the top
  8. Repeat steps 2 and 3
  9. Copy the debug logs, hide any sensitive data and post it here…

Message was edited by: Patrickov

Here are the results. I don't see any problems…

2006.05.18 08:09:09 Creating a DirContext in LdapManager.getContext()…

2006.05.18 08:09:09 Created hashtable with context values, attempting to create context…

2006.05.18 08:09:09 … context created successfully, returning.

I assume you are using the LdapGroupProvider, right?

Also, you should see a lot more debugging information than what you just provided.

Yes I am

This is my complete wildfire.xml

<groupNameField>cn</groupNameField>
<groupMemberField>member</groupMemberField>
<groupDescriptionField>description</groupDescriptionField>
<groupSearchFilter><![CDATA[
  (&
    (objectClass=group)
    (cn=Wildfire)
    (member=)
  )]]>
</groupSearchFilter>

No, you're not. You should have this:
