LDAP Problems

Jonathan_Clark · August 15, 2007, 7:07pm

We are trying to use Openfire’s LDAP capabilities to pull all of our usernames and groups from Active Directory. We can get all of the users and groups pulled in but none of the users are in their appropriate groups, each group shows zero users. Does anyone have any suggestions of how to fix this? Thanks!

Nate_Putnam1 · August 15, 2007, 8:47pm

Could you post the relevant parts of your openfire.xml so we could have a look?

Jonathan_Clark · August 16, 2007, 12:53pm

Here is the LDAP portion of the openfire.xml file, Thanks!

(ou=)

Message was edited by: jwcmonkey

Jason_L · August 16, 2007, 1:20pm

I am going to post my config, compare my search filter to yours, also I notice you don’t have a group filter where mine is at the bottom of my config. here is my config:

@DOMAIN.NAME

]]>

displayName

mail

cn

member

description

false

(objectClass=group)(cn=chat*)

Jonathan_Clark · August 16, 2007, 1:31pm

I posted the wrong file, I’ve edited my above post with the correct one.

Jason_L · August 16, 2007, 1:57pm

I can’t imagine this would return anything of good use

(ou=)

for an easy graphical demonstration of user and group searches in active director try the free tool like below

http://www.ldapbrowser.com/download.htm get the browser, its free

Jonathan_Clark · August 16, 2007, 2:48pm

Changing the group search filter to this didn’t work

Our groups show up fine, but the users don’t map correctly and nobody shows up in the groups.

I noticed you have a weird searchFilter, how does this work?

Just for reference our Active Directory is set up like this…

base DN: DC=Company,DC=local

ou=Company Users

ou=Various Departments

cn=People

Jason_L · August 16, 2007, 3:26pm

I am assuming you shutdown and restarted openfire after making the changes?

if not do that.

As for my search filter, the user search filter at the top says openfire can only see the users specified in those groups. My group search filter says that openfire only sees groups that start with chat

the tool I linked to above is a good 3rd party tool for looking at ldap stuff. I would installing that to see what shows up for your setup, like what groups people belong to.

Do you just have all of your users in the People OU and not in any groups?

jbowles · August 16, 2007, 4:06pm

I’m working here in the same office as jwcmonkey on this LDAP problem. We’ve stopped and started openfire after making changes, and have actually installed the LDAP browser. We do have nested groups. Here’s an example. OU=DEPARTMENT,OU=MAIN,DC=DOMAIN,DC=LOCAL Each department is setup like this. We have 28 departments and they’re all nested under the MAIN OU.

Our goal is to have everyone authenticate with Active Directory using their own credentials, and have the users roster pull directly from Active Directory as well. All users and groups will be included.

Nate_Putnam1 · August 16, 2007, 4:36pm

Openfire doesn’t support nested groups really. It flattens the ldap tree. What happens if you make your baseDN less restrictive?

Jason_L · August 16, 2007, 4:40pm

when using a nested group, the users aren’t actually members of the higher level group, this isn’t an openfire thing its just AD, you can see the same result with the ldap browser.

That being said though, you should be able to see all of your groups and the users in those groups, remembering that nested groups will show 0 members if its a group within a group.

in openfire, do you have your baseDN setup to what was mentioned above base DN: DC=Company,DC=local

**EDIT, DOH - too slow

NO_MESSAGES_OR_FRIEN · August 16, 2007, 5:18pm

you can point your LDAP settings to whatever level of the OU tree you would like it will read down from there.

Here is my config (I do not use group filters sorry, but I did make changes to the vCard area so it works correctly with AD):

<?xml version=“1.0” encoding=“UTF-8”?>

<jive>

</adminConsole>

<admin>

<authorizedUsernames>some_admins</authorizedUsernames>

</admin>

<className>org.jivesoftware.database.EmbeddedConnectionProvider</class Name>

</connectionProvider>

<sasl>

<mechs>GSSAPI</mechs>

<realm>AD.MTSTRAVEL.COM</realm>

<config>C:\Program Files\Openfire\conf\gss.conf</config>

<useSubjectCredsOnly>false</useSubjectCredsOnly>

</gssapi>

</sasl>

<ldap>

<host>mts1.ad.mtstravel.com</host>

<baseDN>OU=accounts,DC=ad,DC=mtstravel,DC=com</baseDN>

<adminDN>adminuser@domain</adminDN>

<adminPassword>adminpassword</adminPassword>

<sslEnabled>false</sslEnabled>

<ldapDebugEnabled>false</ldapDebugEnabled>

<autoFollowReferrals>false</autoFollowReferrals>

<usernameField>sAMAccountName</usernameField>

<searchFilter>(objectClass=organizationalPerson)</searchFilter>

<vcard-mapping><![CDATA[

<N>

</N>

<EMAIL>

</EMAIL>

<ADR>

<HOME/>

</ADR>

<TEL>

<HOME/>

</TEL>

<TEL>

<HOME/>

<CELL/>

</TEL>

<TEL>

<WORK/>

<FAX/>

</TEL>

<TEL>

<WORK/>

</TEL>

<ORG>

</ORG>

</vCard>]]></vcard-mapping>

<groupMemberField>member</groupMemberField>

<groupDescriptionField>description</groupDescriptionField>

<posixMode>false</posixMode>

<groupSearchFilter>(objectClass=group)</groupSearchFilter>

</ldap>

<vcard>

<className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className >

</vcard>

<user>

<className>org.jivesoftware.openfire.ldap.LdapUserProvider</className& gt;

</user>

<auth>

<className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className& gt;

</auth>

<group>

<className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className >

</group>

<classList>org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider</classList>

<!-- other options: null, LdapAuthorizationProvider, UnixK5LoginProvider, Strict and Lazy–>

</authorization>

</provider>

<log>

<debug>

</debug>

</log>

</jive>

Jonathan_Clark · August 17, 2007, 3:15pm

We’ve added groups on Active Directory and put people in them, then Openfire was able to pull all of our groups. For some reason pointing Openfire to OUs wouldn’t work. Thanks a million everyone for your help!