Openfire 3.4.5 Group Summary Not Showing AD Security Groups

Was playing with Openfire 3.4.5 today on an FC8 machine and tied it to our Active Directory. I’ve got it so that users in a specific security group (openfire) are added as users, but I cannot get groups to function that way. When I add a group to the openfire group, nothing ever appears in the Group Summary page. When I go there, it shows Total Groups: 1, yet the page is blank, no groups.

When I search I get a couple pages of results (16 results) but nothing is listed. Any thoughts? I searched through some old posts but nothing really helped me out:

openfire.xml pertinent bits…

<usernameField>sAMAccountName</usernameField>
<searchFilter><![CDATA[
(&
  (objectCategory=Person)
  (memberOf=CN=Openfire,OU=Security Groups,OU=Groups,OU=Corporate Organizational Unit,DC=domain,DC=com)
  (sAMAccountName=)
)
]]></searchFilter>
…
<groupNameField>cn</groupNameField>
<groupMemberField>member</groupMemberField>
<groupDescriptionField>description</groupDescriptionField>
<posixMode>false</posixMode>
<groupSearchFilter><![CDATA[
(&
  (objectClass=group)
  (memberOf=CN=Openfire,OU=Security Groups,OU=Groups,OU=Corporate Organizational Unit,DC=domain,DC=com)
  (member=)
)
]]></groupSearchFilter>

Are the groups you would like to see contained within the baseDN? If they are, try simplifying your group search filter to (objectClass=group).

They are a few OUs down, but yes, they are within the baseDN. I do not, however, want anything with objectclass=group; I only want groups that are members of my openfire security group as well… Am I making sense? Thanks for the reply…

I may be wrong, but I do not think you can do what you are trying to do with the group filter, though. When you add a group to another group, LDAP translates that group into users. The list of groups pulled from LDAP will not expand the list of users on the server, as that is restricted by your user filter.

hmmm, perhaps I am misunderstanding what hrothgar discusses in this post:

http://www.igniterealtime.org/community/message/120078

I have verified that that group filter does not show the groups when applied, only the users. Which means either the filter is wrong or it does not work as he stated.

Ok, so when a group, in my case, openfire is searched, the members are seen as users and therefore my search is invalid. Is there perhaps a way to say something like this:

<groupSearchFilter><![CDATA[
(&
  (member NOT NULL)
  (memberOf=CN=Openfire,OU=Security Groups,OU=Groups,OU=Corporate Organizational Unit,DC=domain,DC=com)
  (member=)

If you know what I mean. Obviously NOT NULL is not valid, but is there a way to say, pretty much, search for users/groups of the security group openfire that have the member attribute, since that would quickly distinguish users from groups?

So, this is what I did to get it to work.

<usernameField>sAMAccountName</usernameField>
<searchFilter><![CDATA[
(&
  (objectclass=person)
  (memberOf=CN=Openfire,OU=Security Groups,OU=Groups,OU=Corporate Organizational Unit,DC=domain,DC=com)
  (sAMAccountName=)
)
]]></searchFilter>
…
<groupNameField>cn</groupNameField>
<groupMemberField>member</groupMemberField>
<groupDescriptionField>description</groupDescriptionField>
<posixMode>false</posixMode>
<groupSearchFilter><![CDATA[
(&
  (member=*)
  (memberOf=CN=Openfire,OU=Security Groups,OU=Groups,OU=Corporate Organizational Unit,DC=domain,DC=com)
  (member=)
)
]]></groupSearchFilter>

So now I have it so that users are only those who are a member of my openfire security group, and the groups are only those that are also members of that openfire security group. Seems to work like a charm if anyone needs to do something similar…
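To see why the presence test (member=*) separates groups from users, and why a plain (objectclass=person) user filter also admits computer accounts (in AD the computer class inherits from user, and so from person), the posted filters can be evaluated offline against a few constructed directory entries. The following is an added example, not code from the thread or from Openfire: a minimal RFC 4515-style filter parser and evaluator. All entries and DNs are constructed, and (sAMAccountName=*) / (member=*) stand in for the placeholder Openfire substitutes into those clauses at runtime.

```python
"""Evaluate LDAP search filters offline against sample AD entries.

Added example, not from the thread or from Openfire: a minimal RFC 4515-style
filter parser/evaluator. Entries and DNs are constructed; '=*' stands in for the
placeholder Openfire substitutes into (sAMAccountName=...) / (member=...).
Simplifications: values may not contain ')' and matching is case-insensitive.
"""
import re

OPENFIRE_GROUP_DN = ("CN=Openfire,OU=Security Groups,OU=Groups,"
                     "OU=Corporate Organizational Unit,DC=domain,DC=com")
ALICE_DN = "CN=Alice,OU=Staff,DC=domain,DC=com"
HELPDESK_DN = "CN=Helpdesk,OU=Security Groups,OU=Groups,DC=domain,DC=com"
WS01_DN = "CN=WS01,CN=Computers,DC=domain,DC=com"

# Constructed entries: a person, a nested group and a computer account, all direct
# members of the Openfire group. A computer object also carries objectClass=person.
ENTRIES = {
    ALICE_DN: {"objectClass": ["top", "person", "organizationalPerson", "user"],
               "objectCategory": ["Person"],  # AD accepts the short form in filters
               "sAMAccountName": ["alice"], "memberOf": [OPENFIRE_GROUP_DN]},
    HELPDESK_DN: {"objectClass": ["top", "group"], "sAMAccountName": ["Helpdesk"],
                  "member": ["CN=Bob,OU=Staff,DC=domain,DC=com"],
                  "memberOf": [OPENFIRE_GROUP_DN]},
    WS01_DN: {"objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
              "objectCategory": ["Computer"], "sAMAccountName": ["WS01$"],
              "memberOf": [OPENFIRE_GROUP_DN]},
}


def parse(text):
    """Filter string -> tree of ('&'|'|'|'!', children) or ('=', attr, value)."""
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return node


def _parse(s, i):
    if i + 1 >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                      # AND / OR over one or more sub-filters
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _close(s, i)
    if s[i] == "!":                       # NOT over exactly one sub-filter
        kid, i = _parse(s, i + 1)
        return ("!", [kid]), _close(s, i)
    end = s.find(")", i)                  # simple item: attr=value
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, eq, value = s[i:end].partition("=")
    if eq != "=" or not attr.strip():
        raise ValueError(f"malformed item at offset {i}")
    return ("=", attr.strip(), value.strip()), end + 1


def _close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def matches(node, entry):
    """True if entry (attribute -> list of values) satisfies the filter tree."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # attribute names are case-insensitive: objectclass and objectClass are the same
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":
        return bool(values)               # presence filter: attribute has any value
    pattern = ".*".join(re.escape(p) for p in value.split("*"))  # '*' wildcards
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)


def select(filter_text, entries=ENTRIES):
    """Sorted DNs of the entries the filter matches."""
    tree = parse(filter_text)
    return sorted(dn for dn, e in entries.items() if matches(tree, e))


# The thread's working filters, plus a variant that drops computer accounts.
USER_FILTER = f"(&(objectclass=person)(memberOf={OPENFIRE_GROUP_DN})(sAMAccountName=*))"
GROUP_FILTER = f"(&(member=*)(memberOf={OPENFIRE_GROUP_DN}))"
USER_FILTER_NO_COMPUTERS = (f"(&(objectclass=person)(!(objectClass=computer))"
                            f"(memberOf={OPENFIRE_GROUP_DN})(sAMAccountName=*))")

if __name__ == "__main__":
    for name, flt in [("users", USER_FILTER), ("groups", GROUP_FILTER),
                      ("users minus computers", USER_FILTER_NO_COMPUTERS)]:
        print(f"{name}: {select(flt)}")
```

Run as a script it lists which constructed DNs each filter selects: the user filter picks up both the person and the computer account, the group filter picks up only the nested group (the only entry with a member value), and the variant with (!(objectClass=computer)) leaves just the person. The same evaluator can be pointed at entries exported from a real directory before the filters are committed to openfire.xml.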

This seems to be exactly what I’m looking for to help filter out my computers from the users list… but I am a little confused how your AD is structured. Is it something like this (starting at the root of the domain controller):

domain.com
  • Security Groups
    • Groups
      • Corporate Organizational
        • Openfire (the group users are members of to have access to openfire?)

Or is it the opposite way around?

The openfire related structure of my domain is as follows:

domain.com
  – corporate org unit
    – groups
      – security groups
        – openfire security group

If you have trouble with the syntax of AD, use this program, which I found quite helpful and sped up my troubleshooting:

Then you can go to the properties of any object and get the full LDAP syntax of any object. Good luck,

I’ve been looking for that program for months now, and everyone I’ve talked to has said they know what I’m talking about but don’t know the name or where I could get it. Thanks a lot for that link!!

No problem. Good luck.

This isn’t good. I made changes similar to what you have, but geared towards my AD setup… and now the service won’t start up right. I saved the original xml file and then made the changes to a new xml file… it didn’t work, so I tried to revert back to the original and now it’s not working. When I start the service on our server it’s giving me errors.

I am using this on a Fedora Core 8 server… sounds like you are working on a Windows machine? You should post a new question with the errors you are experiencing and upload a sterile version of the xml file as you want it to work,

Yeah, it’s Windows based… but I found out the problem. We had one person VNC in while someone else was RDP in, so it wasn’t pulling the right xml file. A quick reboot fixed that one.

Good to hear. Ah, the Windows reboot wins again,

OK, so with this in mind, how would I do the same thing but for a Windows based OS / AD and with the following security group…

domain.com
  – Users
    – Domain Users

The distinguishedName is CN=Domain Users,CN=Users,DC=domain,DC=local

I thought it would be this but it did not work:

<usernameField>sAMAccountName</usernameField>
<searchFilter><![CDATA[
(&
  (objectclass=person)
  (memberOf=CN=Domain Users,OU=Users,DC=domain,DC=local)
  (sAMAccountName=)
)
]]></searchFilter>
…
<groupNameField>cn</groupNameField>
<groupMemberField>member</groupMemberField>
<groupDescriptionField>description</groupDescriptionField>
<posixMode>false</posixMode>
<groupSearchFilter><![CDATA[
(&
  (member=*)
  (memberOf=CN=Domain Users,OU=Users,DC=domain,DC=local)
  (member=)
)
]]></groupSearchFilter>

I may be wrong, but I think it is the wrong DN in your xml snippet:

should be:

CN=Domain Users,CN=Users,DC=domain,DC=local

whereas you have:

CN=Domain Users,OU=Users,DC=domain,DC=local

No the flag CN is for groups and OU is for folders, to put it in simplest terms.

Oh yeah, looking again at what you are trying to do with that conf file seems strange to me:

So you want users of Domain Users to be users on Openfire, and groups that are also members of Domain Users to be groups on Openfire? Sorry, I am probably not much help, as I have been playing with this for 2 days…
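The Domain Users case above turns on a single DN component: the group's real distinguishedName, as posted, is CN=Domain Users,CN=Users,DC=domain,DC=local, while the filter was written with OU=Users. Because a memberOf clause is an exact match on the DN, the filter silently matches nothing. The following added example (not from the thread) splits a DN into its RDNs, honouring RFC 4514 backslash escapes, compares two DNs case-insensitively, and reports the first component that differs, which is the check worth running on any DN before it goes into openfire.xml. The DNs it uses are constructed to mirror the Domain Users case.

```python
"""Compare a DN typed into a filter against an object's real distinguishedName.

Added example, not from the thread: DN splitting with RFC 4514 backslash
escapes, case-insensitive comparison, and a report of the first differing RDN.
All DNs below are constructed.
"""


def split_dn(dn):
    """Return [(attribute_type_lowercased, value), ...] for a DN string."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                  # keep the escaped character verbatim
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":              # an unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        attr, eq, value = rdn.partition("=")
        if eq != "=" or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((attr.strip().lower(), value.strip()))
    return out


def normalize(dn):
    """Canonical form for comparison: lower-cased types and values, no padding."""
    return ",".join(f"{a}={v.lower()}" for a, v in split_dn(dn))


def dn_equal(a, b):
    """True if two DNs name the same object (case and spacing ignored)."""
    return normalize(a) == normalize(b)


def parent_container(dn):
    """The RDN directly above the object, e.g. ('cn', 'Users') or ('ou', 'Staff')."""
    rdns = split_dn(dn)
    return rdns[1] if len(rdns) > 1 else None


def first_difference(configured, actual):
    """(index, configured RDN, actual RDN) at the first mismatch, or None."""
    a, b = split_dn(configured), split_dn(actual)
    for i, (x, y) in enumerate(zip(a, b)):
        if (x[0], x[1].lower()) != (y[0], y[1].lower()):
            return i, x, y
    if len(a) != len(b):             # one DN is a prefix of the other
        n = min(len(a), len(b))
        return n, (a[n] if n < len(a) else None), (b[n] if n < len(b) else None)
    return None


# Constructed: the DN from the posted filter versus the group's real DN.
CONFIGURED_DN = "CN=Domain Users,OU=Users,DC=domain,DC=local"
ACTUAL_DN = "CN=Domain Users,CN=Users,DC=domain,DC=local"

if __name__ == "__main__":
    print("same object:", dn_equal(CONFIGURED_DN, ACTUAL_DN))
    print("parent of the real group:", parent_container(ACTUAL_DN))
    print("first difference:", first_difference(CONFIGURED_DN, ACTUAL_DN))
```

For the two constructed DNs the report points at index 1, ('ou', 'Users') against ('cn', 'Users'), which is the component to copy from the object's distinguishedName attribute into the filter. The normalized comparison also accepts the spacing and case variations that different AD tools print, so a DN copied from one tool can be checked against another without a false mismatch.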