
Limiting Groups

I am configuring openfire 3.3.1 and am having a small issue that I am having trouble tracking down an answer for.

I want to limit the groups that get pulled over from AD to just a group I created called Jabber. I can test it through and pull back only this one group, and it shows the correct number of members; however, when I try to add an admin out of that group the system cannot find them. The "jabber" group resides under the main domain.com heading while users fall in different OUs underneath that structure.

Here is how I configured the base dn to recognize that group

cn=Jabber,dc=domain,dc=com

Is there a better spot to filter out this group to be the only group that gets pulled from AD, and members of that group are the only users to be pulled as well? I don't need any of the other groups, and some users, to be pulled in to the database and have an account… only the members I make a part of the jabber group.

As an update:

I changed the base domain back to dc=domain,dc=com

I changed the user mapping settings to include (objectCategory=person) as a user filter. This is found by clicking the "Advanced Settings" link under the Username Field at the top of Step 2 of 3: User Mapping. This eliminated a lot of the unnecessary entries in the system by removing all accounts that are not of the type "User".

This is not an absolute solution as I still have some accounts pulling over I don't want, but it did filter out a lot of the problems.

For someone else's future reference (I wish there was a post like this 2 days ago):

To resolve this issue I took my step above even further. I went through the Active Directory accounts and changed the descriptions on items that I didn't want displaying. Below only allows user accounts that do not have a description that starts with administrative account, test, built-in, account disabled, non-bnp, temp, or open. It's a bit ugly but actually a pretty simple solution.

(&(objectCategory=person)(!(description=administrative account*))(!(description=test*))(!(description=Built-in*))(!(description=account disabled*))(!(description=Non-BNP*))(!(description=temp*))(!(description=Open*)))

(objectCategory=person) sets the search to only include users

(!(description=administrative account*)) sets the search to not include any account with the defined description. The use of the wildcard * allows me to put more details in the AD profile for the accounts after administrative account.

The (& at the beginning allows the search to include multiple items.
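As an added illustration (not part of the original post or of Openfire), the following Python script parses the filter above and evaluates it against a few constructed AD-style entries, so you can see which accounts survive the exclusion list. It also shows the edge case that an account with no description at all passes every (!(description=...)) clause. The sample entries and the evaluator are my own assumptions; matching is done case-insensitively, as AD does for these string attributes.

```python
import re

# Constructed sample entries (not real directory data): attribute -> value.
SAMPLE_ENTRIES = {
    "jsmith":   {"objectCategory": "person", "description": "Sales rep, NY office"},
    "svc_bkp":  {"objectCategory": "person", "description": "Administrative account for backups"},
    "printer1": {"objectCategory": "computer", "description": "Lobby printer"},
    "old_user": {"objectCategory": "person", "description": "Account disabled 2007"},
    "nodesc":   {"objectCategory": "person"},   # no description attribute at all
}

# The user search filter from the post above, with single '*' wildcards.
POST_FILTER = ("(&(objectCategory=person)(!(description=administrative account*))"
               "(!(description=test*))(!(description=Built-in*))"
               "(!(description=account disabled*))(!(description=Non-BNP*))"
               "(!(description=temp*))(!(description=Open*)))")

def parse(s, i=0):
    """Parse one parenthesised RFC 4515 filter starting at s[i]; return (node, next index)."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|":                      # AND / OR: list of child filters
        op, i, kids = s[i], i + 1, []
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    if s[i] == "!":                       # NOT: exactly one child filter
        kid, i = parse(s, i + 1)
        return ("!", [kid]), i + 1
    end = s.index(")", i)                 # simple attr=value (value may contain '*')
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive, like AD)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    attr, pattern = node[1], node[2]
    value = next((v for a, v in entry.items() if a.lower() == attr.lower()), None)
    if value is None:
        return False                      # absent attribute never equals anything, so NOT(...) is True
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def select(filter_str, entries):
    """Return the sorted names of entries the filter would let Openfire import."""
    tree, _ = parse(filter_str)
    return sorted(name for name, attrs in entries.items() if matches(tree, attrs))
```

Running select(POST_FILTER, SAMPLE_ENTRIES) keeps jsmith and nodesc: the backup service account and the disabled account are dropped by their descriptions, the printer by objectCategory, but the account with no description is not caught by any exclusion.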

Even though you already solved your problem, this seems like a cleaner way to do it.

This is how we handled ours. We created groups in AD like chat_IT, chat_HR… and added the users we wanted as members of the specific groups. For the base DN of openfire I used the lowest DN (dc=XXXXXXX, dc=XXXXXXX, dc=com) path I could so that all users and all groups would be included. And my openfire user search filter looks like this:

With that the only users that will show up in openfire are the ones with the groups explicitly defined above. We used (|( because the | means or, so they have to be a member of the first group or the 2nd or the 3rd.

Then my group search filter looks like this:

So the only groups I get start with chat_.

Message was edited by: jledhead

Thanks. That's a lot cleaner approach than the way I had devised, I'll have to implement it and give it a try.