After more time than I care to admit, I have figured out what exactly is required to get my Openfire 3.7.0 instance to authenticate and pull users from a full Active Directory domain forest.
- company.local
- northamerica.company.local
- europe.company.local
- asiapacific.company.local
I pointed Openfire at a domain controller in company.local with the global catalog server role and made the following changes to LdapManager:
Index: LdapManager.java
===================================================================
--- LdapManager.java (revision 2)
+++ LdapManager.java (revision 3)
@@ -622,7 +622,11 @@
* the secure connection has been established. */
if (!(startTlsEnabled && !sslEnabled)) {
env.put(Context.SECURITY_AUTHENTICATION, "simple");
- env.put(Context.SECURITY_PRINCIPAL, userDN + "," + baseDN);
+ if (baseDN == null || baseDN.trim().isEmpty()) {
+ env.put(Context.SECURITY_PRINCIPAL, userDN);
+ } else {
+ env.put(Context.SECURITY_PRINCIPAL, userDN + "," + baseDN);
+ }
env.put(Context.SECURITY_CREDENTIALS, password);
} else {
if (followReferrals)
System properties:
- ldap.adminDN = openfire@company.local
- ldap.autoFollowAliasReferrals = false
- ldap.autoFollowReferrals = false
- ldap.baseDN =
- ldap.encloseDN = true
- ldap.host = 10.0.0.10
- ldap.port = 3268
- xmpp.domain = company.local
Please note that a global catalog server communicates on TWO different ports:
- 389: global catalog server responds as a domain controller in its natural domain
- 3268: global catalog server responds as a global catalog server
While this is in place and working, it requires that the ldap.basedn variable be set to blank or null, a situation the installer is not impressed with.
Are my changes above worth considering for implementation in a future release? If so, can someone work with me to insure the installer functions correctly for future global catalog owners?
Thanks! And I hope this is useful to someone in the future.