One more LDAP integration issue

Bastian1 · December 23, 2011, 8:07am

Hi,

I’m trying to set up openfire for ldap authentication.

So far I configured everything like that (using the setup script on port:9090

selected language (in my case german)
configured to use a mysql database (connection is ok)
LDAP Server to manage users and groups

On Step 1 of profile settings I have set up the following:

my windows server 2003 domain is company.local
I set servertype to Active directory
and inserted the hostname (dc1) and default port 389
as BaseDN: dc=company;dc=local;cn=Users
as AdminDN: company\OFAdmin

Then I test the communication and get a success message.

On Step 2 - User mapping I have removed all variables I don’t need. So I just configured {cn}, {mail}, {displayName} as Name, E-Mail, Fullname

But when now clicking on Test settings I get

Status: Error

No users were found using the specified configuration. Try changing the base DN, user filter or username field.

No error is written in a log file (I’ve checked warn, error

I’ve checked the connection to the domain controller using the ldap browser (Windows app). LDAP browser shows up all users and groups, so I think the baseDN should be fine.

My users are all in cn=Users, I have no OU configured (for testing purpose I’ve created one ou=domainUsers and moved a user into it.

Then I’ve changed the basedn to:

dc=company;dc=local;cn=Users;ou=domainUsers

and

dc=company;dc=local;ou=domainUsers

but the result was the same.

Any ideas?

Regards,

Bastian

M_Tejera · December 23, 2011, 9:38am

Add a filter for importing users. I used one like this to only allow users that were added into a specific security group.

(&(objectClass=user)(objectCategory=person)(memberOf=Openfire Users,OU=domainUsers,DC=company)(!(userAccountControl:1.2.840.113556.1.4.803:=2 )))

Change it according to your needs. But it is important that the security group is in the same OU that is declared on the filter.

Bastian1 · December 23, 2011, 11:23am

I’ve tried it now with several options but without success:

(&(objectClass=user)(objectCategory=person)(OU=DomainUsers,DC=company))
(&(objectClass=user)(objectCategory=person)(OU=DomainUsers,DC=company,CN=users) )
(&(objectClass=user)(OU=DomainUsers,DC=company,CN=users))
(&(objectClass=user)(OU=DomainUsers,DC=company,DC=local,CN=users))

M_Tejera · December 23, 2011, 12:04pm

Try ADExplorer to accurately identify the filter sintax you need to use to get the users.

http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx

And just in case, add the user variables you removed in the Step 2 and try again.

speedy · December 26, 2011, 4:44pm

make your basedn DC=Company,DC=Local

Then use search filters and group filters to filter out any information you don’t want.

Here is how I handle mine

http://community.igniterealtime.org/message/204068#204068

Bastian1 · January 9, 2012, 7:11am

Today I’m back at work and will try

I will let you know if it works.

Regards,

Basti

Bastian1 · January 9, 2012, 10:36am

can’t get it to work

I’ve downloaded the ADExplorer from sysinternals and can connect to our AD without any problem.

I’ve added the administrative user and my user to the group _IM-Gr1

the group _IM-Gr1 is a member of “Openfire Access Group”

ADExplorer tells that my testuser is a memberOf:

CN=_IM-Gr1,CN=Users,DC=company,DC=local

I’ve tried the filters from speedys post

set basedn to: DC=Company,DC=local (replaced Copmany with my domain) -> success …

and as a user filter I’ve set:

(&(objectclass=organizationalPerson)(|(CN=_IM-Gr1,CN=Users,DC=Company,DC=local)) )

-> no success

I’ve also tried (as in speedys post):

(&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Open fire Access Group,CN=Users,DC=company,DC=local)))

-> no success

Is there an advanced debugging feature? The log files show no error or problem…