
Openfire 3.4.5 Group Summary Not Showing AD Security Groups

hmmm, perhaps I am misunderstanding what hrothgar discusses in this post:

http://www.igniterealtime.org/community/message/120078

I have verified that that group filter does not show the groups when applied only to the users. Which means either the filter is wrong or it does not work as he stated.

Ok, so when a group, in my case, openfire is searched, the members are seen as users and therefore my search is invalid. Is there perhaps a way to say something like this:

<groupSearchFilter><![CDATA[
(&
(member NOT NULL)
(memberOf=CN=Openfire,OU=Security Groups,OU=Groups,OU=Corporate Organizational Unit,DC=domain,DC=com)
(member=)

If you know what I mean. Obviously not null is not valid, but is there a way to say pretty much, search for users/groups of the security group openfire that have the member attribute, since that would quickly distinguish users from groups?

So, this is what I did to get it to work.

<usernameField>sAMAccountName</usernameField>
<searchFilter><![CDATA[
(&
(objectclass=person)
(memberOf=CN=Openfire,OU=Security Groups,OU=Groups,OU=Corporate Organizational Unit,DC=domain,DC=com)
(sAMAccountName=)
)
]]></searchFilter>
…
<groupNameField>cn</groupNameField>
<groupMemberField>member</groupMemberField>
<groupDescriptionField>description</groupDescriptionField>
<posixMode>false</posixMode>
<groupSearchFilter><![CDATA[
(&
(member=*)
(memberOf=CN=Openfire,OU=Security Groups,OU=Groups,OU=Corporate Organizational Unit,DC=domain,DC=com)
(member=)
)
]]></groupSearchFilter>

So now I have it so that users are only those who are a member of my openfire security group, and the groups are only those that are also members of that openfire security group. Seems to work like a charm if anyone needs to do something similar…
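As an added illustration (not code from this thread or from Openfire itself), here is a small Python evaluator for the subset of LDAP filter syntax used in the snippet above, run against a constructed set of AD-like objects. It shows that the user filter only returns people who are members of the Openfire group, that `(member=*)` is what keeps groups out of the user list and users out of the group list, and that `(objectclass=person)` also matches computer accounts unless they are excluded. The group DN, the sample objects and the function names are assumptions; `(sAMAccountName=*)` stands in for the username placeholder that Openfire fills in at login.

```python
# Added example, not from the thread: a tiny RFC 4515 filter evaluator over a constructed
# in-memory directory, showing which objects the post's user and group filters select.
SG = "OU=Security Groups,OU=Groups,OU=Corporate Organizational Unit,DC=domain,DC=com"
OPENFIRE_GROUP = "CN=Openfire," + SG
SAMPLE_ENTRIES = [  # constructed sample objects; the DNs are illustrative only
    {"dn": "CN=alice,OU=Staff,DC=domain,DC=com", "objectClass": ["top", "person", "user"],
     "sAMAccountName": ["alice"], "memberOf": [OPENFIRE_GROUP]},
    {"dn": "CN=bob,OU=Staff,DC=domain,DC=com", "objectClass": ["top", "person", "user"],
     "sAMAccountName": ["bob"], "memberOf": []},
    {"dn": "CN=Helpdesk," + SG, "objectClass": ["top", "group"], "memberOf": [OPENFIRE_GROUP],
     "member": ["CN=alice,OU=Staff,DC=domain,DC=com"]},
    # AD computer objects derive from the person/user classes, so (objectclass=person) matches them
    {"dn": "CN=PC01,CN=Computers,DC=domain,DC=com", "objectClass": ["top", "person", "user", "computer"],
     "sAMAccountName": ["PC01$"], "memberOf": [OPENFIRE_GROUP]},
]

def parse(s, i=0):  # recursive descent over &, |, !, equality and presence (attr=*)
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError("malformed filter near offset %d" % i)
        return (op, kids), i + 1
    j = s.index(")", i)               # values in this sample contain no ')'
    attr, val = s[i:j].split("=", 1)  # split once: DN values themselves contain '='
    return ("=", attr, val), j + 1

def matches(node, entry):
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node  # attribute names and these AD values compare case-insensitively
    values = [v.lower() for k, vs in entry.items() if k != "dn" and k.lower() == attr.lower() for v in vs]
    return bool(values) if val == "*" else val.lower() in values

def search(filter_text, entries=SAMPLE_ENTRIES):  # filter may be split over lines as in openfire.xml
    node, _ = parse("".join(line.strip() for line in filter_text.splitlines()))
    return [e["dn"] for e in entries if matches(node, e)]

# The post's two filters; (sAMAccountName=*) stands in for the username Openfire substitutes at login.
USER_FILTER = "(&\n(objectclass=person)\n(memberOf=%s)\n(sAMAccountName=*)\n)" % OPENFIRE_GROUP
GROUP_FILTER = "(&\n(member=*)\n(memberOf=%s)\n)" % OPENFIRE_GROUP
# Tightened user filter that also drops computer accounts, the problem raised later in the thread.
USER_FILTER_NO_COMPUTERS = "(&(objectclass=person)(!(objectclass=computer))(memberOf=%s)(sAMAccountName=*))" % OPENFIRE_GROUP
if __name__ == "__main__":
    print(search(USER_FILTER), search(GROUP_FILTER), search(USER_FILTER_NO_COMPUTERS))
```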

This seems to be exactly what I’m looking for to help filter out my computers from users list…but I am a little confused how your AD is structured. Is it something like this (starting at the root of the domain controller):

domain.com

  • Security Groups

    • Groups
      • Corporate Organizational
        • Openfire (the group users are members of to have access to openfire?)

Or is it the opposite way around?

The openfire related structure of my domain is as follows:

domain.com
  – corporate org unit
    – groups
      – security groups
        – openfire security group

If you have trouble with the syntax of AD, use this program, which I found quite helpful and sped up my troubleshooting:

Then you can go to the properties of any object and get the full ldap syntax of any object. Good luck,

I’ve been looking for that program for months now and everyone I’ve talked to has said they know what I’m talking about but don’t know the name or where I could get it. Thanks a lot for that link!!

No problem. Good luck.

This isn’t good. I made changes similar to what you have, but geared towards my AD setup…and now the service won’t start up right. I saved the original xml file and then made the changes to a new xml file…it didn’t work so I tried to revert back to the original and now it’s not working. When I start the service on our server it’s giving me errors.

I am using this on a fedora core 8 server…sounds like you are working on a windows machine? You should post a new question with the errors you are experiencing and upload a sterile version of the xml file as you want it to work,

Yea it’s windows based…but I found out the problem. We had one person vnc in while someone else was rdp in so it wasn’t pulling the right xml file. A quick reboot fixed that one.

Good to hear. Ah, the windows reboot wins again,

OK so with this in mind, how would I do the same thing but for a windows based OS / AD and with the following security group…

domain.com
  – Users
    – Domain Users

The distinguishedName is CN=Domain Users,CN=Users,DC=domain,DC=local

I thought it would be this but it did not work:

<usernameField>sAMAccountName</usernameField>
<searchFilter><![CDATA[
(&
(objectclass=person)
(memberOf=CN=Domain Users,OU=Users,DC=domain,DC=local)
(sAMAccountName=)
)
]]></searchFilter>
…
<groupNameField>cn</groupNameField>
<groupMemberField>member</groupMemberField>
<groupDescriptionField>description</groupDescriptionField>
<posixMode>false</posixMode>
<groupSearchFilter><![CDATA[
(&
(member=*)
(memberOf=CN=Domain Users,OU=Users,DC=domain,DC=local)
(member=)
)
]]></groupSearchFilter>

I may be wrong, but I think it is the wrong DN in your xml snippet:

should be:

CN=Domain Users,CN=Users,DC=domain,DC=local

whereas you have :

CN=Domain Users,OU=Users,DC=domain,DC=local

No the flag CN is for groups and OU is for folders, to put it in simplest terms.

oh yeah, looking again at what you are trying to do with that conf file seems strange to me:

so you want users of domain users to be users on openfire and groups that are also members of domain users to be groups on openfire? sorry, I am probably not much help as I have been playing with this for 2 days…

holy smokes…I’m so close to getting this working…I can taste it…

Your explanation of what this does for you at the end of this post says exactly what I want to have happen for my Openfire setup.
i.e.

“So now I have it so that users are only those who are a member of my openfire security group,
and the groups are only those that are also members of that openfire security group.”

However, I’m not sure I understand the syntax.

Would you (anyone) be willing to help translate for me?

Basically, I know how to edit ‘System Properties’.
I’ve edited my ldap.baseDN to have the widest view of the campus active directory (because my users and groups are not all within the same OU).
I’ve also edited my ldap.searchFilter to only get users from a certain group within my department’s OU (so that I don’t have 100,000 user accounts in my Openfire setup).

However, I also want to have only my department’s groups to show up in the groups section of Openfire.
I think what you have here will do that for me, but I’m just not sure I understand.

Anyone out there willing to do a little hand-holding for a few minutes?

Thanks.
steven

Please start your own thread, and I will be glad to assist.

Hmmm, OK. I will do that.

meanwhile though…

let me know something… I quite often have seen people flame others for starting new threads about a topic that is already being discussed, and for not using the search feature.

So, I strive to search first and join in where it is already being discussed.

Seems like hell if I do - hell if I don’t (not that you were nasty to me about it - you weren’t, but still).

explain?

p.s. Thanks for your offer to help. I’ll see you in that thread when I create it.

Ah but this thread is closed. The flaming comes from duplicating requests with obvious solution threads. Like how do you share a group. I have answered this too many times and even posted a video on how to do it.