
Microsoft AD LDAP Filter

I have a new install of OpenFire in my test lab. This is using an Active Directory for authentication. My AD has a sub domain in it. I want to be able to filter out the sub domain. OpenFire is finding duplicate users as some of the usernames in the subdomain are the same as what is in the main domain. Is there a way to create an LDAP filter that will filter out the sub domain? In other words I have sub.domain.com and I only want the users that exist in domain.com.

The common setup for LDAP queries in Openfire is to set the base DN at the root. This will, as you have seen, trickle up to anything above that level such as a sub domain. You should Google LDAP Queries and find a suitable example for “If domain == sub.domain.com” There are many variables and because I don’t have any sub domains in my environment I haven’t had to attempt this. You can nest the queries in such a way that this should be doable.

Hope this helps.

To restrict the search for users and groups to your subdomain, use the following in your LDAP properties:

ldap.baseDN

OU=YourOU,DC=sub,DC=domain,DC=com

I further restrict that search with the specific OU, but your configuration may vary. Additionally, I also restrict the Roster Groups with a filter, only looking for groups with a name that starts with OF:

ldap.groupSearchFilter

(objectClass=group)(cn=OF*)

Hope this helps!

It is very hard to help you without seeing the actual structure. Your terms may not mean the same thing as what I visualize. Regardless, you should be able to set your baseDN to a more specific setting to capture only the domain you want. If that is not possible due to your tree structure, I cannot help without seeing the tree structure. You can show that with a picture of the tree expanded via the AD Users and Computers MMC. Edit the pic for security, of course.

This is what my user filter looks like

(&(objectclass=person)(mail=*)(!(objectclass=computer))(!(objectclass=contact))(!(cn=SystemMailbox))(!(cn=IUSR))(!(cn=IWAM))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

It includes users with an email address, and drops computer accounts, contacts, system accounts, and disabled users.

I just realised that this doesn't really help answer your question. Sorry.

My AD structure as JExplorer sees it is attached. All of the blacked out names are just OUs. I want to search the root domain and exclude the sub domain. My baseDN is set to the root domain, but that causes the system to search both the root domain and the sub domain. I need a filter that will tell it not to include the sub domain in the search. Speedy3K's filter shows some promise since only users in the root domain have e-mail addresses. I may also just create a group and put the users I want to have access in that group, then filter based on that.

I would be surprised if these two parts actually do anything: (!(cn=IUSR))(!(cn=IWAM))

The user filters for openfire previously did not support wildcards. Group filters do however.

The filter based on group membership is the easiest to implement. The filter for your subdomain would be difficult to manage as you need to get the full LDAP string for that branch to create a filter.

I think wildcards work, as the mail=* works.

I may go ahead and drop mail=* just to see if the wildcards are working for the system accounts.
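Added example, not posted by anyone in this thread and not Openfire's own code: a small RFC 4515 filter evaluator that dry-runs Speedy3K's user filter and the OF* group filter against constructed AD-style entries, so you can see offline which entries each term drops (disabled accounts via the 1.2.840.113556.1.4.803 bitwise-AND rule, computers, contacts, accounts without mail) and how an exact-match term such as (cn=SystemMailbox) differs from a wildcard one. The wrapping in openfire_wrap is my reading of Openfire's LdapManager (it splices ldap.searchFilter / ldap.groupSearchFilter into (&(usernameField={0})...)), which is why bare concatenated terms work; treat that as an assumption. All entries and names (alice, WS01$, OF-Staff, etc.) are made up for the example.

```python
"""Minimal RFC 4515 LDAP filter evaluator for dry-running Openfire/AD filters offline."""
import re

# AD extensible-match rules (MS-ADTS): bitwise AND / bitwise OR on integer attributes.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"
UF_ACCOUNTDISABLE = 2  # userAccountControl bit set on a disabled account

_ATTR = r"[A-Za-z][A-Za-z0-9-]*"          # RFC 4512 attribute description (no leading space)
_EXT_RE = re.compile(rf"^({_ATTR}):([0-9.]+):=(.*)$")   # attr:oid:=value
_EQ_RE = re.compile(rf"^({_ATTR})=(.*)$")              # attr=value, '*' wildcards allowed


def parse_filter(text):
    """Parse a filter string into a nested-tuple AST; raise ValueError on bad syntax."""
    node, pos = _parse(text, 0)
    if pos != len(text):   # e.g. one ')' too many at the end
        raise ValueError(f"unexpected trailing text at offset {pos}: {text[pos:]!r}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        node = (op, children)
    elif i < len(s) and s[i] == "!":
        child, i = _parse(s, i + 1)
        node = ("!", child)
    else:
        end = s.find(")", i)
        if end == -1:
            raise ValueError("unbalanced parentheses")
        item = s[i:end]
        m = _EXT_RE.match(item)
        if m:
            node = ("ext", m.group(1), m.group(2), m.group(3))
        else:
            m = _EQ_RE.match(item)
            if not m:  # catches e.g. a stray space before the attribute name: "( cn=..."
                raise ValueError(f"bad filter item {item!r}")
            node = ("eq", m.group(1), m.group(2))
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def _values(entry, attr):
    """AD attribute names are case-insensitive; always return a list of strings."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return [str(x) for x in (v if isinstance(v, list) else [v])]
    return []


def _wild_match(pattern, value):
    """LDAP substring match: '*' is the only wildcard; AD string syntaxes compare case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    if kind == "eq":
        vals = _values(entry, node[1])
        if node[2] == "*":          # presence test, e.g. (mail=*)
            return bool(vals)
        return any(_wild_match(node[2], v) for v in vals)
    _, attr, rule, value = node     # extensible match
    mask = int(value)
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return any(int(v) & mask == mask for v in _values(entry, attr))
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return any(int(v) & mask != 0 for v in _values(entry, attr))
    raise ValueError(f"unsupported matching rule {rule}")


def openfire_wrap(search_filter, name_field, name="*"):
    """ASSUMPTION from reading Openfire's LdapManager: the configured filter is spliced
    into (&(<nameField>={0})<filter>), so bare concatenated terms end up inside one AND."""
    return f"(&({name_field}={name}){search_filter})"


def search(entries, search_filter, name_field):
    """Return the name_field values of the entries the wrapped filter would return."""
    ast = parse_filter(openfire_wrap(search_filter, name_field))
    return [_values(e, name_field)[0] for e in entries if matches(ast, e)]


USER = ["top", "person", "organizationalPerson", "user"]
# Constructed sample entries (not real directory data).
USERS = [
    {"sAMAccountName": "alice", "cn": "Alice", "objectClass": USER, "mail": "alice@domain.com", "userAccountControl": 512},
    {"sAMAccountName": "bob", "cn": "Bob", "objectClass": USER, "mail": "bob@domain.com", "userAccountControl": 512 | UF_ACCOUNTDISABLE},
    {"sAMAccountName": "WS01$", "cn": "WS01", "objectClass": USER + ["computer"], "userAccountControl": 4096},
    {"sAMAccountName": "carol", "cn": "Carol", "objectClass": ["top", "person", "organizationalPerson", "contact"], "mail": "carol@partner.example"},
    {"sAMAccountName": "dave", "cn": "Dave", "objectClass": USER, "userAccountControl": 512},  # no mail: dropped by (mail=*)
    {"sAMAccountName": "SM_1", "cn": "SystemMailbox{e0dc1c29}", "objectClass": USER, "mail": "SM_1@domain.com", "userAccountControl": 512},
]
GROUPS = [{"cn": "OF-Staff", "objectClass": ["top", "group"]},
          {"cn": "Sales", "objectClass": ["top", "group"]},
          {"cn": "OF-Printers", "objectClass": ["top", "group"]}]

THREAD_USER_FILTER = ("(&(objectclass=person)(mail=*)(!(objectclass=computer))(!(objectclass=contact))"
                      "(!(cn=SystemMailbox))(!(cn=IUSR))(!(cn=IWAM))"
                      f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=2)))")
THREAD_GROUP_FILTER = "(objectClass=group)(cn=OF*)"

if __name__ == "__main__":
    print(search(USERS, THREAD_USER_FILTER, "sAMAccountName"))   # SM_1 survives: exact (cn=SystemMailbox) never matches "SystemMailbox{...}"
    print(search(USERS, THREAD_USER_FILTER.replace("(cn=SystemMailbox)", "(cn=SystemMailbox*)"), "sAMAccountName"))
    print(search(GROUPS, THREAD_GROUP_FILTER, "cn"))
```

The parser is deliberately strict: a space after "(" or an unbalanced ")" raises instead of silently matching nothing, which is the symptom you get from a server when a pasted filter picks up stray characters.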