LDAP User Filter Issues

First, I promise that I have searched through the forums for a solution but everything that I’ve tried hasn’t yielded a resolution thus far. I say this because there seem to be a ton of posts/questions for issues that have been ‘answered’ multiple times, under multiple threads. I certainly could have missed something while reading posts though. I would GREATLY appreciate any insight that anyone can provide as to where I’ve messed up. Please let me know if there is any additional info that I can provide to aid with assistance. I am new to OpenFire so please be gentle. Thanks in advance!!!

Environment:

  • Server2003R2x64 SP2
  • Openfire 3.6.4
  • MySQL 5.1
  • Active Directory
  • Base DN: dc=DomainName,dc=local
  • LDAP User Filter: (&(objectClass=organizationalPerson)(memberOf=CN=OpenFireUsers,CN=users,DC=DomainName,DC=local))

Background:

My AD environment is configured with OUs specific to business units. As you’ve deduced from the user filter above, I’ve created an OpenFireUsers (Global Security) Group and added all desired user accounts to this group. The group resides inside the OpenFire OU.

Issue:

When I look within Users/Groups in the Admin Console, with the aforementioned configuration, I am only able to see or find one user. If/when I change the user filter to (objectClass=organizationalPerson) I am able to see all accounts within AD.

Update:

I did some testing with LDP today to try and eliminate variables. I found that the filter output is the same in LDP as it is when performed via OpenFire. I imagine many are saying, “duh.” The interesting part, for me, is that if I bind using the domain admin account, as opposed to the regular user account created for this purpose, my filter functions correctly and returns all members of my OpenFireUsers group. Any thoughts or ideas? Thx.

Solution below…

Solution:

It was a permissions issue. The service account created for LDAP queries needs the Read permission for the MemberOf attribute of each user account within the OpenFireUsers group. In addition, the service account needs the Read permission for the Members attribute of the OpenFireUsers group. Problem solved. I hope this info helps others down the road…
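The mechanism behind the fix, as an added illustration that is not part of the original post or of Openfire: a directory server only returns the attributes the bound account is allowed to read, so a filter clause on memberOf cannot match for users whose memberOf the service account cannot see. The entries and the per-DN read-rights model below are constructed for the demonstration.

```python
"""Constructed simulation: a directory returns only attributes the bound account
may read, and a filter clause on an unreadable attribute never matches."""
import re

GROUP = "CN=OpenFireUsers,CN=users,DC=DomainName,DC=local"
FILTER = f"(&(objectClass=organizationalPerson)(memberOf={GROUP}))"

# Constructed entries, not real directory data: attribute -> values.
ENTRIES = [
    {"dn": "CN=alice,OU=Sales,DC=DomainName,DC=local",
     "objectClass": ["organizationalPerson", "user"], "memberOf": [GROUP]},
    {"dn": "CN=bob,OU=Support,DC=DomainName,DC=local",
     "objectClass": ["organizationalPerson", "user"], "memberOf": [GROUP]},
    {"dn": "CN=carol,OU=Finance,DC=DomainName,DC=local",
     "objectClass": ["organizationalPerson", "user"], "memberOf": [GROUP]},
    {"dn": "CN=dave,OU=Sales,DC=DomainName,DC=local",
     "objectClass": ["organizationalPerson", "user"], "memberOf": []},
]
# Hypothetical read rights per DN ("*" is the default): what each bind can see.
ADMIN_ACL = {"*": {"objectclass", "memberof"}}
SERVICE_ACL = {"*": {"objectclass"},  # memberOf unreadable by default ...
               ENTRIES[0]["dn"]: {"objectclass", "memberof"}}  # ... except here

def visible(entry: dict, acl: dict) -> dict:
    """Project an entry down to the attributes the bound account may read."""
    allowed = acl.get(entry["dn"], acl["*"])
    return {k.lower(): v for k, v in entry.items() if k.lower() in allowed}

def split_terms(s: str) -> list:
    """Split '(A)(B)' into its top-level parenthesised terms."""
    terms, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            terms.append(s[start:i + 1])
    return terms

def matches(flt: str, attrs: dict) -> bool:
    """Evaluate a filter limited to AND and equality, case-insensitive as in AD."""
    if flt.startswith("(&"):
        return all(matches(t, attrs) for t in split_terms(flt[2:-1]))
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", flt).groups()
    return any(v.lower() == value.lower() for v in attrs.get(attr.lower(), []))

def search(flt: str, acl: dict) -> list:
    """Return the DNs that match `flt` as evaluated through `acl`."""
    return [e["dn"] for e in ENTRIES if matches(flt, visible(e, acl))]
```

Run with ADMIN_ACL the memberOf filter returns all three group members; with SERVICE_ACL it returns only the one user whose memberOf is readable, while the bare (objectClass=organizationalPerson) filter still returns everyone, exactly the symptom described above.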