Nested AD Groups, Rosters and usernames

Greg_Verhoff · June 11, 2007, 12:45pm

I have openfire 3.3.1 running on centos using a MS SQL backend. Spark 2.5.0 on the client side and Active Directory for LDAP.

I have an issue where if i share out a group with only users in it, everything works as expected, however if i share out a group with nested groups inside of it, rosters aren’‘t filled, usernames don’'t show up unless you specifically add them manually and the usernames that do show up have the JID as the display name instead of their AD names.

This is the only issue we have that’'s keeping us from purchasing the enterprise version for 500+ users.

Weird issue, any help or assistance would be most appreciated. Thanks

Jason_L · June 11, 2007, 2:00pm

First, how are you filtering for your users and groups?

and secondly I would try the free tool found here http://www.ldapadministrator.com/download.htm

just download the browser, its free the other is not. this has always helped me with AD/LDAP troubles.

Greg_Verhoff · June 11, 2007, 2:09pm

LDAP info dc=baseDN,dc=com

Search filters for users is

(objectClass=user)

Groups is (objectClass=group)

Very basic but i like to keep things simple. I’'ll check out that tool you mentioned.

Thanks for your help.

Jason_L · June 11, 2007, 4:18pm

I reread your reply again and it sounds like you are sharing a group that has only other groups inside it, with users inside those groups.

If you use the tool I linked to above (or even AD Users and Computers), the users aren’‘t members of the top-level group, so sharing that group will get you no users published. I don’‘t see this as an openfire problem because AD doesn’‘t count that top-level group towards the membership of the users so openfire certainly can’'t.

Greg_Verhoff · June 11, 2007, 4:25pm

I see, I didn’‘t realize that AD didn’'t count the groups as members.

So does anyone try using nested groups? if so how?

The only reason it’‘s a big deal is i’'d like to be able to use our existing groups without having to add groups for 500+ users. laziness on my part, admittedly, but i would think other folks would like to use this as well.

Thanks again for the help.

Jason_L · June 11, 2007, 9:42pm

that was the exact same problem we ran into. our AD user base is 1100 users and we had to whitle that down a good deal. It ended up being cleaner for us to make new security groups and add the people we wanted. we named all of our groups chat_groupname and that made filtering users and groups much easier in openfire.

I couldn’'t personally get nested groups to work.

Greg_Verhoff · June 12, 2007, 1:24pm

Thanks for your help, hopefully that won’'t scare off my manager from implementing it. I appreciate your assistance.

Jason_L · June 12, 2007, 8:59pm

just give your manager the price of the enterprise alternatives

like office communicator