LDAP support for Active Directory global catalog servers

After more time than I care to admit, I have figured out what exactly is required to get my Openfire 3.7.0 instance to authenticate and pull users from a full Active Directory domain forest.

  • company.local
    • northamerica.company.local
    • europe.company.local
    • asiapacific.company.local

I pointed Openfire at a domain controller in company.local with the global catalog server role and made the following changes to LdapManager:

Index: LdapManager.java
--- LdapManager.java     (revision 2)
+++ LdapManager.java     (revision 3)
@@ -622,7 +622,11 @@
              * the secure connection has been established. */
             if (!(startTlsEnabled && !sslEnabled)) {
                     env.put(Context.SECURITY_AUTHENTICATION, "simple");
-                    env.put(Context.SECURITY_PRINCIPAL, userDN + "," + baseDN);
+                    if (baseDN == null || baseDN.trim().isEmpty()) {
+                         env.put(Context.SECURITY_PRINCIPAL, userDN);
+                    } else {
+                         env.put(Context.SECURITY_PRINCIPAL, userDN + "," + baseDN);
+                    }
                     env.put(Context.SECURITY_CREDENTIALS, password);
                } else {
                     if (followReferrals)
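Review bot: the null/empty guard on baseDN is applied only at this one bind-principal concatenation; if `userDN + "," + baseDN` is built anywhere else in LdapManager (for example when qualifying search bases or looked-up user DNs), those sites would still produce a trailing `,null` with an empty ldap.baseDN, so consider factoring the join into a small helper such as `qualifyDN(userDN, baseDN)` and calling it everywhere. A short comment on the new branch would also help: with an empty baseDN the configured principal must already be a complete identity (the post uses the UPN `openfire@company.local`), and `String.isEmpty()` needs Java 6 or later.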

System properties:

  • ldap.adminDN = openfire@company.local
  • ldap.autoFollowAliasReferrals = false
  • ldap.autoFollowReferrals = false
  • ldap.baseDN =
  • ldap.encloseDN = true
  • ldap.host =
  • ldap.port = 3268
  • xmpp.domain = company.local

Please note that a global catalog server communicates on TWO different ports:

  • 389: global catalog server responds as a domain controller in its natural domain
  • 3268: global catalog server responds as a global catalog server

While this is in place and working, it requires that the ldap.basedn variable be set to blank or null, a situation the installer is not impressed with.

Are my changes above worth considering for implementation in a future release? If so, can someone work with me to ensure the installer functions correctly for future global catalog owners?

Thanks! And I hope this is useful to someone in the future.
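As an added example (not code from the post or from Openfire itself), here is a stand-alone JNDI lookup that applies the same settings described above: bind to port 3268 with the UPN as the principal and no base DN appended, ignore referrals, and search from the empty base so that accounts from every domain in the forest come back. The host name `dc1.company.local`, the `GC_BIND_PASSWORD` environment variable and the class name are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class GlobalCatalogLookup {

    // 3268 is the global catalog listener (3269 for LDAPS). Port 389 on the same host
    // would only answer for the DC's own domain, not the whole forest.
    static final String GC_URL = "ldap://dc1.company.local:3268"; // assumed host name
    // A UPN works as the simple-bind principal; nothing is appended to it (ldap.baseDN is empty).
    static final String BIND_UPN = "openfire@company.local";
    static final String BIND_PASSWORD = System.getenv("GC_BIND_PASSWORD"); // assumed env var

    static DirContext connect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, GC_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_UPN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);
        // Same effect as ldap.autoFollowReferrals=false: the GC already holds a partial
        // replica of every domain, so chasing referrals to port 389 is unnecessary.
        env.put(Context.REFERRAL, "ignore");
        return new InitialDirContext(env);
    }

    // Searches from the empty base DN, the only base that spans all domain partitions on a GC.
    static int findUser(DirContext ctx, String sAMAccountName) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"distinguishedName", "userPrincipalName"});
        // {0} is substituted (and escaped) by the JNDI provider, so the account name
        // is never concatenated into the filter by hand.
        String filter = "(&(objectClass=user)(sAMAccountName={0}))";
        NamingEnumeration<SearchResult> results =
                ctx.search("", filter, new Object[] {sAMAccountName}, sc);
        int found = 0;
        while (results.hasMore()) {
            SearchResult r = results.next();
            System.out.println(r.getAttributes().get("distinguishedName").get());
            found++;
        }
        return found;
    }
}
```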


There isn’t really anybody actively developing openfire’s code. We need more folks to help out.


My blog post on this:

http://blog.johngauthier.com/2011/03/26/openfire-3-7-0-authenticating-with-an-active-directory-global-catalog-server/

I’ll try to keep everything up to date as I make more progress on this.

Can you provide a compiled jar with your patch?

Thank you

openfire.jar (7194518 Bytes)

Hello, John! Can you help me a little bit? I did just as you said (i.e. applied the patch, emptied baseDN, etc.).

Yet, I cannot add users from other trees in my domain.

The structure is as follows:


Only the users from cn=chatGroup1,ou=userOU,dc=domain,dc=local are available. How can I fetch users from other trees?

P.S. The search filter is:

(&(objectClass=organizationalPerson)(|(memberOf=cn=ChatGroup1,ou=userOU,dc=domain,dc=local)(memberOf=cn=chatOffice,ou=officeOU,dc=domain,dc=local)(memberOf=cn=chatOffice2,ou=officeOU2,dc=domain,dc=local)))