Openfire 3.6.0 group mappings

Dear All,

I am having problems with the understanding and installation of group mappings. We are currently using Microsoft Active Directory with and using a Microsoft SQL Database. I have created a security group with users populating the group. I want this security group to be the only authorised group to use openfire , but I have users within Active Directory who are not in this security group using openfire.

My security group is located in the following OU using the Base DN of


When I have approached setting up the group mappings , I am not entirely sure what I need to enter here as I leave the default settings.

Can someone please direct me what I need to do to have only the required security group use openfire.



You actually need a UserFilter based on groups not a GroupFilter, Try something like this:


thank you for the info todd. I still seem to have unauthorised users logging to openfire. I have applied the user filter as you stated , but when I review the groups summary within the openfire admin , it shows no users are in the security group created.

Make sure that the scope of your BaseDN is wide enough to include all the members of that group. Clear the Openfire server cache. Then restart openfire server. Then check the group members again.

I am unfortunately still having problems. I have tried clearing the cache and restarting the server , but unauthorised users are still capable of logging to openfire.

My setup is

Base DN: OU=“Users”,OU=“TSC”,DC=“student”,DC=“tsc”,DC=“nsw”,DC=“edu”,DC=“au”

User Mapping: Default Settings

As per the attached image with the following filter

((objectCategory=user)(memberOf=CN=BLAH-IM,OU=Users,OU=TSC,DC=student,DC=tsc,DC= nsw,DC=edu,DC=au))

Is there something I am doing wrong ?

Yes you are. That filter is not a group filter it is a user filter. Group Filters just limit what groups are shown for possible sharing. User filters limit who can login to the server.

Sorry Todd , but I quite dont understand what you mean ? The syntax that I have used , is this not a user filter ? Should this syntax not allow users who are not in the Security Group ( BLAH-IM ) access to openfire ?

I have just taken over this project and with the previous administrator , he only had to add users to the security group to successfully use openfire.

In this case , can you provide me with the syntax that I need if I am wrong.

You need to be adjusting the Openfire System Property ldap.searchFiltervia the web admin. The default setting is (objectClass=organizationalPerson). You do not need to change the group filter or ldap.groupSearchFilter System Property from its default setting of (objectClass=group). Change this merely limits the number of groups displayed in the admin website. It does not limit users in any way.

I have now changed the ldap.searchFilter via the webadmin with the userfilter settings previously discussed. This now allow only authorised users to logon to openfire.

Thank you very much for your help Todd.