I’ve searched an exhausting amount on this topic and have found no solutions or anything relevant enough to lead me to one. Apologies in advance if this has already been correctly answered.
We’re undergoing an effort to integrate LDAP authentication with freeIPA on all our applications and Openfire is the only one giving me trouble with filtering users based on group membership. Most questions/answers I have seen refer to AD and I’m not sure if there’s some syntactical difference that I’m missing here that makes all the difference.
Down to details…
I’ve tried modifying the searchfilter value both directly in the database (required after you mess up because authentication will reject even your admin user), and through the admin UI.
Test 1 - Simply setting the filter to “(objectClass=inetorgperson)”, authentication still works. All users in the directory can be returned with this very same search filter.
Test 2 - Changed the filter to “(&(objectClass=inetorgperson)(memberOf=cn=openfire-users,cn=groups,cn=accounts ,dc=REDACTED,dc=com))”; all authentication attempts now fail. Testing with ldapsearch on any of my freeIPA nodes returns the users that are specifically in the openfire-users group, as expected. Openfire and freeIPA logs do not verbosely report the reason for the failure.
Test 3 - I guessed that maybe the “&” operator wasn’t being handled correctly because it’s already joining the filter with the default. Changed the filter to “(memberOf=cn=openfire-users,cn=groups,cn=accounts,dc=REDACTED,dc=com)”; same results as Test 2. Again, this filter is valid with ldapsearch, and I use the exact same thing in other applications to limit authentication to users in a specific group.
I have a feeling there’s something small I’m missing here…
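As an added example (not code from the post, from Openfire or from FreeIPA), the script below runs the three filters quoted above through a minimal RFC 4515 syntax check, shows what each looks like once an application ANDs its own username match in front of it, and flags a detail a syntax check alone would not: the Test 2 filter as quoted carries a space before a comma inside the memberOf DN, while the Test 3 filter does not. The `(&(uid={0})<searchFilter>)` template shape is an assumption made for illustration, not something the post states; the sample usernames are constructed. It uses only the Python standard library.

```python
"""Syntax checks for the LDAP search filters in the post (added example, not
Openfire or FreeIPA code). Pure stdlib: a minimal RFC 4515 parser, the escaping
an application must apply to a username before substituting it into a filter,
and the AND-composition that wraps an admin-supplied filter."""
import re

# The three filters exactly as quoted in the post (group DN redacted by the poster).
FILTER_TEST1 = "(objectClass=inetorgperson)"
FILTER_TEST2 = ("(&(objectClass=inetorgperson)"
                "(memberOf=cn=openfire-users,cn=groups,cn=accounts ,dc=REDACTED,dc=com))")
FILTER_TEST3 = "(memberOf=cn=openfire-users,cn=groups,cn=accounts,dc=REDACTED,dc=com)"

_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")
_BAD_ESCAPE = re.compile(r"\\(?![0-9A-Fa-f]{2})")


def parse_filter(text, pos=0):
    """Parse one RFC 4515 filter starting at `pos`; return (tree, next_pos).
    Raises ValueError on malformed input. AND/OR may nest to any depth."""
    if not text.startswith("(", pos):
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos:pos + 1]
    if op in ("&", "|"):
        pos += 1
        children = []
        while text.startswith("(", pos):
            child, pos = parse_filter(text, pos)
            children.append(child)
        if not children:
            raise ValueError(f"'{op}' needs at least one nested filter")
        node = (op, children)
    elif op == "!":
        child, pos = parse_filter(text, pos + 1)
        node = ("!", [child])
    else:
        m = _ATTR.match(text, pos)
        if not m:
            raise ValueError(f"expected attribute name at offset {pos}")
        attr, pos = m.group(0), m.end()
        for ftype in (">=", "<=", "~=", "="):
            if text.startswith(ftype, pos):
                pos += len(ftype)
                break
        else:
            raise ValueError(f"expected comparison operator at offset {pos}")
        end = text.find(")", pos)  # a raw ')' may not appear inside a value (RFC 4515)
        if end < 0:
            raise ValueError("unterminated item")
        value = text[pos:end]
        if _BAD_ESCAPE.search(value):
            raise ValueError(f"bad escape in value {value!r}: '\\' needs two hex digits")
        node = (attr, ftype, value)
        pos = end
    if not text.startswith(")", pos):
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1


def validate(text):
    """Return the parse tree, or raise if `text` is not exactly one well-formed filter."""
    tree, end = parse_filter(text)
    if end != len(text):
        raise ValueError(f"trailing characters after filter: {text[end:]!r}")
    return tree


def escape_value(value):
    """RFC 4515 section 3 escaping for an assertion value. A username must go
    through this before it is substituted into a template such as (uid={0});
    otherwise a login name like '*' or 'x)(uid=admin' rewrites the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def compose_auth_filter(username, search_filter, username_field="uid"):
    """AND the application's own username match with the admin-supplied search
    filter. The template shape is an assumption for illustration (not taken from
    the post or from Openfire); the point is that an AND nested inside an AND is
    legal RFC 4515, so a filter that already starts with '(&' is well-formed."""
    combined = f"(&({username_field}={escape_value(username)}){search_filter})"
    validate(combined)
    return combined


def _items(node):
    """Yield the (attr, ftype, value) leaves of a parse tree."""
    if len(node) == 2:  # ('&' | '|' | '!', [children])
        for child in node[1]:
            yield from _items(child)
    else:
        yield node


def dn_separator_whitespace(filter_text):
    """Report memberOf values with whitespace next to an RDN separator. The
    parser accepts them (space is a legal value character), so a syntax check
    alone will not flag 'cn=accounts ,dc=example'. Whether the directory
    normalizes such a value is for ldapsearch against that server to confirm."""
    return [(attr, value) for attr, _ftype, value in _items(validate(filter_text))
            if attr.lower() == "memberof" and re.search(r"\s,|,\s", value)]


if __name__ == "__main__":
    for name, flt in (("test1", FILTER_TEST1), ("test2", FILTER_TEST2), ("test3", FILTER_TEST3)):
        validate(flt)
        print(name, "well-formed; composed:", compose_auth_filter("alice", flt))  # 'alice' is a constructed username
        print("  separator whitespace:", dn_separator_whitespace(flt))
    print("escaped hostile username:", escape_value("x)(uid=admin"))
```

The composed strings are what to paste into ldapsearch (with a real uid in place of the placeholder) so the directory is queried with the same filter the application would send, rather than with the bare group filter that already works on the FreeIPA nodes. Note that all three filters parse cleanly and the nested `&` is valid, so if the composed filter returns the expected user from ldapsearch, the failure lies somewhere other than filter syntax.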