Look for the <searchFilter> and <groupSearchFilter> in your openfire.xml; this will allow you to customize which OU your users are called from.
It’s been a while since I installed our server, but if memory serves:
Our openfire service runs on the DC as a system service (I got lazy). Then there is a user called ‘openfire’ with domain logon rights (this is used by openfire, although I’m not sure it’s really needed anymore), see <adminDN> below.
In Active Directory, we have a group called jabber (see <searchFilter> and <groupSearchFilter> below), any user that needs to be on the openfire server is a member of this group, and only members of this group are on the openfire server.
I chose to configure the openfire.xml by hand (a bit of googling helped) and the ldap section of this file looks a little like this:
(I found you need to stop openfire before editing the file, and restart when you are done.)
<searchFilter> <![CDATA[ (&(sAMAccountName={0})(memberOf=CN=Jabber,CN=Users,DC=domain,DC=local))]]> </searchFilter>
<groupSearchFilter> <![CDATA[ (cn=Jabber) ]]> </groupSearchFilter>
Hope this helps.
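A way to check that a <searchFilter> like the one above really limits logins to one group, as an added example that is not part of the original post: it parses the filter and reports only the memberOf clauses that every matching user must satisfy. The function names and the sample XML are constructed for illustration, and the sample uses Openfire's {0} username placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the filters in the post (not a real config).
SAMPLE = """<jive><ldap>
<searchFilter><![CDATA[ (&(sAMAccountName={0})(memberOf=CN=Jabber,CN=Users,DC=domain,DC=local)) ]]></searchFilter>
<groupSearchFilter><![CDATA[ (cn=Jabber) ]]></groupSearchFilter>
</ldap></jive>"""

def parse_filter(s, i=0):
    """Parse one RFC 4515 filter at s[i]; return (node, next_index).
    node is (op, [children]) for & | !, or ("item", attr, value)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)  # a literal ')' inside a value must be escaped as \29
    attr, _, value = s[i:end].partition("=")
    return ("item", attr.strip().lower(), value.strip()), end + 1

def required_groups(filter_text):
    """Group DNs that every matching user must be a member of.
    Only memberOf clauses reached purely through AND count; a clause
    under | or ! does not restrict who matches."""
    text = filter_text.strip()
    try:
        node, end = parse_filter(text)
    except IndexError:
        raise ValueError("truncated filter") from None
    if end != len(text):
        raise ValueError("trailing data after filter")
    found = []
    def walk(n):
        if n[0] == "item":
            if n[1] == "memberof" and n[2] and "*" not in n[2]:
                found.append(n[2])
        elif n[0] == "&":
            for kid in n[1]:
                walk(kid)
    walk(node)
    return found

def audit(xml_text):
    """Return the groups enforced by <searchFilter>; [] means no restriction."""
    text = ET.fromstring(xml_text).findtext(".//searchFilter")
    return required_groups(text) if text and text.strip() else []

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result means any account under the base DN that matches the username clause can log in, so it is worth running this after every hand edit of the file.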