powered by Jive Software

Openfire 3.4.5 Group Summary Not Showing AD Security Groups

Was playing with Openfire 3.4.5 today on an FC8 machine and tied it to our Active Directory. I’ve got it so that users in a specific security group (openfire) are added as users, but I cannot get groups to function that way. When I add a group to the openfire group, nothing ever appears in the Group Summary Page. when I go there, it shows Total Groups: 1 yet the page is blank, no groups

When I search I get a couple pages of results (16 results) but nothing is listed. Any thoughts? I searched through some old posts but nothing really helped me out:

openfire.xml pertinent bits…

<usernameField>sAMAccountName</usernameField>

<searchFilter><![CDATA[

(&

(objectCategory=Person)

(memberOf=CN=Openfire,OU=Security Groups,OU=Groups,OU=Co

rporate Organizational Unit,DC=domain,DC=com)

(sAMAccountName=)
)
]]></searchFilter> … <groupNameField>cn</groupNameField>
<groupMemberField>member</groupMemberField>
<groupDescriptionField>description</groupDescriptionField>
<posixMode>false</posixMode>
<groupSearchFilter><![CDATA[
(&
(objectClass=group)
(memberOf=CN=Openfire,OU=Security Groups,OU=Groups,OU=Corporate Organizational Unit,DC=domain,DC=com)
(member=)

)]]></groupSearchFilter>

Are the groups you would like to see contained within the baseDN? If it is try symplifying your group search filter to (objectClass=group).

They are a few OUs dow, but yes, they are within the basdn. I do not, however, want anything with objectclass=group, I only want groups that are members of my openfire security group as well…An I making sense? Thanks for the reply…

I may be wroong but I don not think you can do what you are trying to do with the group filter though. When you add a group to another group LDAP translates that group into users. The list of groups pulled from LDAP will not expand the list of users on the server, as that is restricted by your user filter.

hmmm, perhaps I am misunderstanding what hrothgar discusses in this post:

http://www.igniterealtime.org/community/message/120078

I have verified that that group filter does not show the groups when applied only the users. Which means either the filter is wrong or it does not work as he stated.

Ok, so when a group, in my case, openfire is searched, the members are seen as users and therefore my search is invalid. Is there perhaps a way to say something like this:

<groupSearchFilter><![CDATA[

(&

(member NOT NULL)

(memberOf=CN=Openfire,OU=Security

Groups,OU=Groups,OU=Corporate Organizational

Unit,DC=domain,DC=com)

(member=)

If you know what I mean. Obviously not null is not valid, but is there a way to say pretty much, search for users/groups of the security group openfire that have the member attribute, since that would quickly distinguish users from groups?

So, this is what I did to get it to work.

<usernameField>sAMAccountName</usernameField>

<searchFilter><![CDATA[

(&

(objectclass=person)

(memberOf=CN=Openfire,OU=Security Groups,OU=Groups,OU=Co

rporate Organizational Unit,DC=domain,DC=com)

(sAMAccountName=)
)
]]></searchFilter> … <groupNameField>cn</groupNameField>
<groupMemberField>member</groupMemberField>
<groupDescriptionField>description</groupDescriptionField>
<posixMode>false</posixMode>
<groupSearchFilter><![CDATA[
(&
(member=*)
(memberOf=CN=Openfire,OU=Security Groups,OU=Groups,OU=Corporate Organizational Unit,DC=domain,DC=com)
(member=)

)]]></groupSearchFilter>

So now I have it so that users are only those who are a member of my openfire security group, and the groups are only those that are also members of that openfire security group. Seems to work like a charm if anyone needs to do something similiar…

This seems to be exactly what i’m looking for to help filter out my computers from users list…but I am a little confused how your AD is structured. Is it something like this (starting at the root of the domain controller):

domain.com

  • Security Groups

    • Groups
      • Corporate Origanizational
        • Openfire (the group users are members of to have access to openfire?)

Or is it the opposite way around?

The openfire related structure of my domain is as follows:

domain.com

–corporate org unit


groups


security groups


openfire security group

If you have trouble with the syntax of AD, use this program, which I found quite helpful and sped up my troubleshooting:

Then you can go to the properties of any object and get the full ldap syntax of any object. good luck,

I’ve been looking for that program for months now and everyone I’ve talked to has said they know what i’m talking about but don’t know the name or where I could get it. Thanks a lot for that link!!

No problem. Good luck.

This isn’t good. I made changes similar to what you have, but geared towards my AD setup…and now the service won’t start up right. I saved the original xml file and then made the changes to a new xml file…it didn’t work so i tried to revert back to the original and now it’s not working. When I start the service on our server it’s giving me errors.

I am using this on a fedora core 8 server…sounds like you are working on a windows machine? You should post a new question with the errors you are experiencing and upload a sterile version of the xml file as you want it to work,

Yea it’s windows based…but I found out the problem. We had one person vnc in while someone else was rdp in so it wasn’t pulling the right xml file. A quick reboot fixed that one.

Good to hear. Ah, the windows reboot wins again,

OK so with this in mind, how would I do the same thing but for a windows based OS / AD and with the following security group…

domain.com

–Users


Domain Users

The distinguishedName is CN=Domain Users,CN=Users,DC=domain,DC=local

I thought it would be this but it did not work:

<usernameField>sAMAccountName</usernameField>

<searchFilter><![CDATA[

(&

(objectclass=person)

(memberOf=CN=Domain Users,OU=Users,DC=domain,DC=local)

(sAMAccountName=)
)
]]></searchFilter> … <groupNameField>cn</groupNameField>
<groupMemberField>member</groupMemberField>
<groupDescriptionField>description</groupDescriptionField>
<posixMode>false</posixMode>
<groupSearchFilter><![CDATA[
(&
(member=*)
(memberOf=CN=Domain Users,OU=Users,DC=domain,DC=local)
(member=)

)]]></groupSearchFilter>

I may be wrong, but I think it is the wrong DN in your xml snippet:

should be:

CN=Domain Users,CN=Users,DC=domain,DC=local

whereas you have :

CN=Domain Users,OU=Users,DC=domain,DC=local

No the flag CN is for groups and OU is for folders, to put it in simplest terms.

oh yeah, looking again at what you are tring to do with that conf file seems strange to me:

so you want users of domain users to be users on openfire and groups that are also members of domain users to be groups on openfire? sorry, I am probably not much help as I have been playing with this for 2 days…