
Not able to connect and import users in openfire using active directory

Hi,

I have an Active Directory by the name rocsearch.local. I have further installed Openfire and have created a user by the name spark with admin rights in Users (default OU) to connect Openfire and Active Directory.

The details I used are …

Base DN: cn=Users;ou=Research;dc=rocsearch,dc=local.

Administrator DN: cn=spark,cn=users,dc=rocsearch,dc=local.

I was able to connect, but the problem is with steps 2 and 3. I have all the users under different OUs; please find the Active Directory screenshot attached. Please help me so that I can use all the OU users in Openfire… Thanks

Hi,

Look for the <searchFilter> and <groupSearchFilter> in your openfire.xml; this will allow you to customize which OU your users are called from.

It’s been a while since I installed our server, but if memory serves:

Our openfire service runs on the DC as a system service (I got lazy). Then there is a user called ‘openfire’ with domain logon rights (this is used by openfire, although I’m not sure it’s really needed anymore), see <adminDN> below.

In Active Directory, we have a group called jabber (see <searchFilter> and <groupSearchFilter> below); any user that needs to be on the openfire server is a member of this group, and only members of this group are on the openfire server.

I chose to configure the openfire.xml by hand (a bit of googling helped) and the ldap section of this file looks a little like this:

(I found you need to stop openfire before editing the file, and restart when you are done.)

<ldap>
  <host>server.domain.local</host>
  <port>389</port>
  <baseDN>dc=domain,dc=local</baseDN>
  <adminDN>cn=openfire,cn=users,dc=domain,dc=local</adminDN>
  <adminPassword>securepassword</adminPassword>
  <connectionPoolEnabled>true</connectionPoolEnabled>
  <sslEnabled>false</sslEnabled>
  <ldapDebugEnabled>false</ldapDebugEnabled>
  <usernameField>sAMAccountName</usernameField>
  <!-- {0} is replaced with the username being looked up -->
  <searchFilter><![CDATA[(&(sAMAccountName={0})(memberOf=CN=Jabber,CN=Users,DC=domain,DC=local))]]></searchFilter>
  <groupSearchFilter><![CDATA[(cn=Jabber)]]></groupSearchFilter>
  <nameField>cn</nameField>
  <emailField>mail</emailField>
  <groupNameField>cn</groupNameField>
  <groupMemberField>member</groupMemberField>
  <groupDescriptionField>description</groupDescriptionField>
  <posixMode>false</posixMode>
  <vcard-mapping><![CDATA[
    <vCard xmlns='vcard-temp'>
      <FN></FN>
      <NICKNAME></NICKNAME>
      <EMAIL>
        <INTERNET/>
        <USERID></USERID>
      </EMAIL>
      <TITLE></TITLE>
      <URL></URL>
    </vCard>
  ]]></vcard-mapping>
</ldap>

Hope this helps.

-Rob

I have tried to do some mix and match using the XML that you have sent, but no luck. Can you please be more specific …

Just looking at your initial post again, try using a baseDN of “dc=rocsearch,dc=local” (leave off the groups/ou as this is set in searchFilter and groupSearchFilter)

Edit: Also, the forum seems to be mangling pasted data, so compare what I have given with http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ldap-guide.html

Thanks man… half of the problem is solved… now I’m able to log in as a user.

I wish to display all the OUs as groups in the IM listing with all the users under these OUs… I tried working with filters but no luck… w.r.t. OUs… please, please help me…

This won’t work. Openfire only accepts an AD group as source for a group in your IM roster (which is a pity, I admit). As far as I know there is no way other than creating groups in AD for each group you need in your IM, adding your users to those groups and pointing the filter to those group(s). Of course you have to update them as well every time something changes -.-

Well, well… now at least we are 2 that would like to see different approaches on forming groups

There are different ways to get this done, and unfortunately, I’ve only done it with 1 group before which made it easy to “hardcode” my search results.

I used <groupSearchFilter><![CDATA[(cn=Jabber)]]></groupSearchFilter>, Jabber being a group I set up in AD of which all my IM users are a member.

You could get more creative with your search string; unfortunately I have limited experience with this, so perhaps one of the forum’s gurus can help here.

You could use something like <groupSearchFilter>(objectClass=group)</groupSearchFilter>, which will then list all groups.

From here, open the web console, go to the user/groups tab, and under the groups section, find the ones you want. Open the group, and it will give you a config option for the group where you can “Enable contact list group sharing” and “Share group with additional users / all users”, which will push the group to everyone’s roster.

May I add an example for a filter:

(&(objectClass=group)(|(cn=GRPNAME1)(cn=GRPNAME2)(cn=GRPNAME3)))

Groupfield is usually cn, Memberfield is members

The upper example gets everything within basedn that is a group and matches one of GRPNAME* (you may add more of those of course), forms a group from each one and adds the members found in the “members” field.
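Added example, not part of any post above and not Openfire code: a minimal LDAP filter evaluator (only `&`, `|`, equality and presence) run over a constructed directory, showing why a domain-root base DN plus a `memberOf` filter finds users in any OU, and how the multi-group filter from the last post selects groups. The directory entries, the helper names and the `{0}` username placeholder in the user filter are assumptions made for illustration.

```python
import re
ROOT = "DC=domain,DC=local"
JABBER = "CN=Jabber,CN=Users," + ROOT
USER_FILTER = "(&(sAMAccountName={0})(memberOf=%s))" % JABBER  # {0} = login name

def escape(value):
    """RFC 4515 escaping so a name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def group_filter(names):
    """Build (&(objectClass=group)(|(cn=A)(cn=B)...)) from a list of group names."""
    return "(&(objectClass=group)(|%s))" % "".join("(cn=%s)" % escape(n) for n in names)

def parse(f, i=0):
    """Parse the filter item starting at f[i]; return (node, index after it)."""
    if f[i + 1] in "&|":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, raw = f[i + 1:end].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return ("present" if raw == "*" else "=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(matches(kid, entry) for kid in node[1])
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if node[0] == "present" else node[2] in values

def search(base_dn, flt, entries):  # subtree scope, returns matching DNs
    tree = parse(flt)[0]
    return [e["dn"][0] for e in entries
            if e["dn"][0].lower().endswith(base_dn.lower()) and matches(tree, e)]

def entry(dn, **attrs):
    return {"dn": [dn], **{k.lower(): v for k, v in attrs.items()}}

# Constructed sample directory (not from the thread): users and groups in several OUs.
DIRECTORY = [
    entry("CN=bob,OU=Sales," + ROOT, sAMAccountName=["bob"], memberOf=[JABBER]),
    entry("CN=carol,OU=Research," + ROOT, sAMAccountName=["carol"]),
    entry(JABBER, objectClass=["group"], cn=["Jabber"]),
    entry("CN=Ops (EU),OU=Groups," + ROOT, objectClass=["group"], cn=["Ops (EU)"]),
    entry("CN=Printers,OU=Groups," + ROOT, objectClass=["group"], cn=["Printers"]),
]
print(search(ROOT, USER_FILTER.format(escape("bob")), DIRECTORY))
```

Without `escape()`, a login name of `*` would turn the first clause into a presence test and match every member of the group.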