One more LDAP integration issue


I’m trying to set up openfire for ldap authentication.

So far I configured everything like that (using the setup script on port:9090

  1. selected language (in my case german)

  2. configured to use a mysql database (connection is ok)

  3. LDAP Server to manage users and groups

On Step 1 of profile settings I have set up the following:

  • my windows server 2003 domain is company.local

  • I set servertype to Active directory

  • and inserted the hostname (dc1) and default port 389

  • as BaseDN: dc=company;dc=local;cn=Users

  • as AdminDN: company\OFAdmin

Then I test the communication and get a success message.

On Step 2 - User mapping I have removed all variables I don’t need. So I just configured {cn}, {mail}, {displayName} as Name, E-Mail, Fullname

But when now clicking on Test settings I get

Status: Error

No users were found using the specified configuration. Try changing the base DN, user filter or username field.

No error is written in a log file (I’ve checked warn, error

I’ve checked the connection to the domain controller using the ldap browser (Windows app). LDAP browser shows up all users and groups, so I think the baseDN should be fine.

My users are all in cn=Users, I have no OU configured (for testing purpose I’ve created one ou=domainUsers and moved a user into it.

Then I’ve changed the basedn to:

  • dc=company;dc=local;cn=Users;ou=domainUsers


  • dc=company;dc=local;ou=domainUsers

but the result was the same.

Any ideas?



Add a filter for importing users. I used one like this to only allow users that were added into a specific security group.

(&(objectClass=user)(objectCategory=person)(memberOf=Openfire Users,OU=domainUsers,DC=company)(!(userAccountControl:1.2.840.113556.1.4.803:=2 )))

Change it according to your needs. But it is important that the security group is in the same OU that is declared on the filter.

I’ve tried it now with several options but without success:

  • (&(objectClass=user)(objectCategory=person)(OU=DomainUsers,DC=company))

  • (&(objectClass=user)(objectCategory=person)(OU=DomainUsers,DC=company,CN=users) )

  • (&(objectClass=user)(OU=DomainUsers,DC=company,CN=users))

  • (&(objectClass=user)(OU=DomainUsers,DC=company,DC=local,CN=users))

Try ADExplorer to accurately identify the filter sintax you need to use to get the users.

And just in case, add the user variables you removed in the Step 2 and try again.

make your basedn DC=Company,DC=Local

Then use search filters and group filters to filter out any information you don’t want.

Here is how I handle mine

Today I’m back at work and will try :slight_smile:

I will let you know if it works.



can’t get it to work

I’ve downloaded the ADExplorer from sysinternals and can connect to our AD without any problem.

I’ve added the administrative user and my user to the group _IM-Gr1

the group _IM-Gr1 is a member of “Openfire Access Group”

ADExplorer tells that my testuser is a memberOf:


I’ve tried the filters from speedys post

set basedn to: DC=Company,DC=local (replaced Copmany with my domain) -> success …

and as a user filter I’ve set:

(&(objectclass=organizationalPerson)(|(CN=_IM-Gr1,CN=Users,DC=Company,DC=local)) )

-> no success

I’ve also tried (as in speedys post):

(&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Open fire Access Group,CN=Users,DC=company,DC=local)))

-> no success

Is there an advanced debugging feature? The log files show no error or problem…