
New to Openfire, requesting help with LDAP Base DN

I’m new to Openfire and I’m having trouble getting LDAP set up.

My Active Directory is set up as follows:


RIG Users

411 State

Finance and Administration

IT <— My administrative DN user will reside in this OU



415 State





Carriage House



As you can see, all my users are set up in sub-OUs. Once I list RIG Users, will it know to access all the sub-OUs, or will I need to define each and every one of them?

Server Type: Active Directory

Host: (local IP of primary domain controller) Port:389

Base DN: ou=RIG Users;dc=,dc=org.

Administrative DN: cn=adminuser,ou=RIG Users,ou=411 State,ou=IT,dc=,dc=org.

Password: ********

The end result from this is a minute or two after I go to test the connection, I get an error back saying:

Status: Error

Error authenticating with the LDAP server. Check supplied credentials.

Is anyone able to help me set up my Base DN and Administrator DN lines so this will work, or at least point me in the right direction?



You may need quotes around OUs with spaces like ou=“RIG Users”. Also the adminDN can be in the form of username@domain.org or domain\username.

Hmm… I put the quote marks in, and it failed again, only this time it only left whatever was before the quote mark in the text box, as opposed to leaving the entire string in for you to fix. It makes me think it doesn’t like quote marks.

Just a test, try only this part.



Hi Suhanov,

I tried just that for Base DN, and I got the same error about check supplied credentials.

That is with also setting the Administrator DN to cn=domain.org\blockz,ou=RIG Users,ou=411 State,ou=IT,dc=,dc=org.

Any other ideas?

Your idea was wrong.

If your domain is: mycompany.com

BASEDN: DC=mycompany,DC=com

And that’s all that should be there for basedn? Then what about administrator dn based on my OU structure from the original post?

The adminDN can be either domain\username or username@domain.com or the full cn=username,ou=someOU,dc=domain,dc=com

Here is a reference: http://www.igniterealtime.org/community/docs/DOC-1554

All that being said, I must get on my high horse here. Just because Windows is stupid enough to allow non-alphanumeric characters in your AD structure and objects does not mean it is proper to do so. You should not have any spaces or special characters in OU names or domain objects (users, computers, etc). They do not play well with web-based applications such as LDAP. I would take the time while you have it to rename/restructure your AD. Bear in mind that OUs are simply folders that hold AD objects and can be used for granular group policy application. You can rename the folders with no ill effect unless you have other LDAP bindings looking at the current paths. Moving OUs is more complicated and should be avoided if possible.
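
An added example, not part of any post in this thread and not Openfire code: building the Base DN and Administrative DN strings for the OU layout in the original post, with RFC 4514 escaping. It assumes the nesting RIG Users > 411 State > IT, uses example.org as a placeholder for the elided domain, and the function names are hypothetical.

```python
# Added example, not from the thread. The OU nesting and "example.org"
# are assumptions/placeholders (the thread elides the real domain).
SPECIAL = set('"+,;<>\\')  # characters RFC 4514 requires escaping

def escape_rdn_value(value):
    """Escape one attribute value for use inside a DN string."""
    out = []
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)   # leading '#', leading/trailing space
        else:
            out.append(ch)          # interior spaces need no escaping
    return "".join(out)

def build_dn(ou_path, domain, cn=None):
    """ou_path is top-down, as shown in the AD console; a DN is written
    leaf-first, so the path is reversed before joining."""
    rdns = ["cn=" + escape_rdn_value(cn)] if cn is not None else []
    rdns += ["ou=" + escape_rdn_value(ou) for ou in reversed(ou_path)]
    rdns += ["dc=" + escape_rdn_value(p) for p in domain.split(".")]
    return ",".join(rdns)

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas only."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped or ch != ",":
            cur += ch
            escaped = (ch == "\\") and not escaped
        else:
            parts.append(cur)
            cur = ""
    return parts + [cur]

if __name__ == "__main__":
    path = ["RIG Users", "411 State", "IT"]   # assumed nesting
    print(build_dn(path[:1], "example.org"))
    print(build_dn(path, "example.org", cn="adminuser"))
```

The RDNs are joined with commas and ordered from the object up to the domain, so the innermost OU comes first in the Administrative DN.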