Openfire 3.9.3 AD Connection Issue

Mo1 · August 4, 2014, 2:09pm

Hi all,

I’ve used Openfire before in local user mode and all was well. Now i’m trying to bind it to AD.

I’m trying to setup Openfire access based on permissions - so only users in a specific security group will have access to it.

I’ve created the security group and added the users ok. However i’m stuck at the Base DN stage.

I can point it drectly to the group but the next stage of the setup (Admin Account) fails as obviously if it’s looking at a user group it won’t see any other users.

For Base DN I have: cn=G-Openfire-IM,dc=domain,dc=com

Specifying an OU or not doesn’t make a difference.

Can someone tell me what i’m doing wrong?

Thanks

Mo

speedy · August 4, 2014, 4:35pm

https://community.igniterealtime.org/docs/DOC-2744

Mo1 · August 5, 2014, 8:00am

Hi Speedy,

Thanks for the reply - I have followed that guide to the letter (well, with different group names) but it doesn’t work.

I import AD by pointing Openfire to the full domain then go into system properties in the admin console to change the LDAP search filters as in the link you posted.

Once done it says it can’t find the user account for me to log in to the admin console

The user is a member of the global security group, the global security group is a member of the access group.

I think it’s falling over here:

ldap.searchfilter(&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556. 1.4.1941:=CN=Openfire Access Group,CN=Users,DC=AD-DOMAIN,DC=local))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

I change the DN to what i’ve used so it looks like this:

(&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556. 1.4.1941:=CN=G-OpenFire-IM,OU=Test Groups,OU=Security Groups,DC=domain,DC=com))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

I don’t think it’s right but i’m not entirely sure. Am I missing something?

Thanks

Mo1 · August 5, 2014, 10:38am

Sorted it!

Thanks to post here by fishface:

The guide above posted by speedy needs updating.

Using the above I was able to point it directly to a Global Security Group instead of creating SG’s to be members of Domain Local Access Groups etc…

Thanks

speedy · August 5, 2014, 6:01pm

I’ll double check the guide, but it should be fine. The nested group members allows for shared rosters based on those groups to be shared and updated based on membership. Either way, I’m glad that you got it working!