LDAP Search Filters for Active Directory

Hi All,

Been searching the forums for a good hour or so looking at other people's examples and whatnot, trying to find a solution that fits my needs. Unfortunately I only got half of the setup working; I'll explain what I am after.

I have created a group called “Company Chat Users”, which is located in Active Directory:

CN=Company Chat Users,OU=Security,OU=Groups,OU=DN,DC=DN,DC=local

The users are scattered in different OUs under the “Users” OU, which is usually organized by state:

OU=Users,OU=DN,DC=DN,DC=local

Using the following I can lock the authentication down to just the “Company Chat Users” group:

I cannot however get the search filter to show all users in this group using a combination of searchFilter and groupSearchFilter.

Hoping someone here might have more experience with LDAP queries and Wildfire usage that is able to help me out, thanks.

Regards,

Jason

I guess my first question is: what you want to do with the groupSearchFilter? I assume your baseDN is OU=DN,DC=DN,DC=local, right?

I would recommend a searchFilter similar to this:

(&(objectCategory=Person)(memberOf=CN=Company Chat Users,OU=Security,OU=Groups,OU=DN,DC=DN,DC=local)(sAMAccountName={0}))

Unless you want to break your users up into Jabber groups, there's no need to mess with LDAP groups in Wildfire. I need more details on what you are trying to do with the group filtering to help any further.

Hi hrothgar,

My groupSearchFilter I tried a few times with just the basic “any group” it is currently set to:

I am curious as to your searchFilter containing “sAMAccountName=” of which I read in numerous posts should not be used in 3.1?

There is only one Jabber group, thanks for the help.

Try changing your “Member Field” to member instead of members.

Hi papwu,

If you are talking about the groupMemberField then it's currently set to:

Regards,

Jason

Well I resolved my problem today when I decided to install the new Wildfire version.

I had created a user called “Jabber” for authentication in AD. It was only a member of “Denied Users”, which was denied access to all our corporate data, and it had been removed from the “Domain Users” group. I thought it was working because it was authenticating and also returning my username. However, it was only returning my username, which was weird.

I found that when entering the domain administrator details it worked 100%. I delegated read access over our OU to the user, left them out of the “Domain Users” group, and changed the search filters, and now it's working 100%.

Authentication and search results return users only in the group.


For anyone who might be interested…

Change your search filter for performance

Your search filter is this.

(&(objectCategory=Group)(objectClass=Group))

better would be this.

(&(sAMAccountType=805306368)(!(objectClass=inetOrgPerson)))

sAMAccountType is an indexed attribute in AD. It should return things which represent a Person object extended with Principal attributes (password, etc). You can optionally exclude inetOrgPerson classes. This would leave you with Users in a default AD installation.
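As an added example (not code from this thread or from Wildfire), the Python below builds hrothgar's searchFilter from earlier in the thread and the sAMAccountType user filter from the post above, then evaluates them against a small constructed set of AD-like entries using a minimal RFC 4515 filter evaluator. It shows what each filter returns (users only, versus groups, computers and contacts) and why the login name an auth provider substitutes for {0} has to be escaped: an unescaped `*` turns a one-user authentication lookup into a match on every member of the group. The entries, the `escape_filter_value`, `build_filter` and `search` helpers, and the behaviour of the `escape=False` path are assumptions for illustration, not Wildfire's implementation.

```python
"""Build and evaluate the AD search filters from the thread offline."""
import re

GROUP_DN = "CN=Company Chat Users,OU=Security,OU=Groups,OU=DN,DC=DN,DC=local"

# hrothgar's searchFilter; the auth provider substitutes the login name for {0}
SEARCH_FILTER = ("(&(objectCategory=Person)(memberOf=" + GROUP_DN + ")"
                 "(sAMAccountName={0}))")

# the later post's user filter: real user accounts, minus inetOrgPerson objects
USER_FILTER = "(&(sAMAccountType=805306368)(!(objectClass=inetOrgPerson)))"

# Constructed entries (assumption). objectCategory is stored in its short
# form here; a real DC resolves "Person" to the schema DN for you.
_USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {
    "jason": {"objectClass": _USER_CLASSES, "objectCategory": ["Person"],
              "sAMAccountName": ["jason"], "sAMAccountType": ["805306368"],
              "memberOf": [GROUP_DN]},
    "alice": {"objectClass": _USER_CLASSES, "objectCategory": ["Person"],
              "sAMAccountName": ["alice"], "sAMAccountType": ["805306368"],
              "memberOf": [GROUP_DN, "CN=Denied Users,OU=Security,OU=Groups,OU=DN,DC=DN,DC=local"]},
    "bob": {"objectClass": _USER_CLASSES, "objectCategory": ["Person"],
            "sAMAccountName": ["bob"], "sAMAccountType": ["805306368"]},
    "dc01$": {"objectClass": _USER_CLASSES + ["computer"], "objectCategory": ["Computer"],
              "sAMAccountName": ["dc01$"], "sAMAccountType": ["805306369"]},
    "Company Chat Users": {"objectClass": ["top", "group"], "objectCategory": ["Group"],
                           "sAMAccountName": ["Company Chat Users"],
                           "sAMAccountType": ["268435456"]},
    # a contact: objectCategory=Person but no account, so no sAMAccountType
    "helpdesk contact": {"objectClass": ["top", "person", "organizationalPerson", "contact"],
                         "objectCategory": ["Person"], "memberOf": [GROUP_DN]},
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter: characters that
    would change the filter's structure become \\xx hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(username, escape=True):
    """Fill the {0} placeholder; escape=False mimics a provider that splices
    the raw login name in (the bug this example exists to show)."""
    value = escape_filter_value(username) if escape else username
    return SEARCH_FILTER.replace("{0}", value)


def parse_filter(s, i=0):
    """Parse the RFC 4515 subset used in the thread: &, |, ! and equality."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated '%s' at offset %d" % (op, i))
        return (op, children), i + 1
    end = s.find(")", i)
    if end < 0 or "=" not in s[i:end]:
        raise ValueError("malformed item at offset %d" % i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr, value), end + 1


def _value_regex(value):
    """An unescaped '*' is a wildcard; \\xx escapes are literal characters."""
    def literal(piece):
        return re.escape(re.sub(r"\\([0-9a-fA-F]{2})",
                                lambda m: chr(int(m.group(1), 16)), piece))
    return re.compile(".*".join(literal(p) for p in value.split("*")), re.I)


def _get(entry, attr):
    """AD attribute names are case-insensitive."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    pattern = _value_regex(value)  # string syntaxes compare case-insensitively
    return any(pattern.fullmatch(v) for v in _get(entry, attr))


def search(entries, filter_str):
    """Return the sorted names of entries the filter matches."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing text after filter")
    return sorted(name for name, entry in entries.items() if matches(node, entry))


if __name__ == "__main__":
    print(search(ENTRIES, build_filter("jason")))              # ['jason']
    print(search(ENTRIES, build_filter("*")))                  # []  (escaped: literal '*')
    print(search(ENTRIES, build_filter("*", escape=False)))    # ['alice', 'jason']
    print(search(ENTRIES, USER_FILTER))                        # ['alice', 'bob', 'jason']
```

The escaped lookup for `*` matches nobody because the login name is a literal, while the raw splice returns every member of the group, which is exactly the kind of authentication bypass a filter built by string substitution invites. The sAMAccountType filter returns the three user accounts and leaves out the computer, the group and the contact, whereas `(&(objectCategory=Group)(objectClass=Group))` returns only the group, so the two are not interchangeable: one belongs in the user search, the other in the group search. In production code use your LDAP library's escaper (for example `ldap3.utils.conv.escape_filter_chars` in Python) rather than a hand-rolled one, and compare DNs with a proper DN normaliser rather than the plain case-insensitive string match used here.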