
Openfire 4.3.2 and Active Directory integration issues


#1

Hi everyone,

I’m using Openfire 4.3.2 on a Debian 9.8 VM. I run the installation and setup without any issues and was able to connect to our Active Directory environment successfully. I can see all the users and groups and it’s updating correctly (i.e. create a new AD user and it shows up in Openfire, update a current user and it also updates in Openfire). I can also sign in to the admin console using the AD administrator account.

Now, I have a couple of issues:

  1. Our AD OU structure is based on company departments. I have set up different OUs for each department (HR, Sales, Support, etc.). Each OU has both users and computers in it; this allows me to set different GPOs for each department easily. Now, since I selected the top level OU during the Openfire setup, I have all users and all computers in the Users list. Is there a way to filter objects and only select users? I’d like to not see every single computer as an inactive user.

  2. I’m getting Incorrect Username or password errors while trying to connect, either with Spark or Pidgin. Both latest versions. However, I can login using the administrator credentials. I’ve looked everywhere for the solution and nothing seems to be working. Openfire connects to AD without problems so I don’t know where to look for the solution.

Here are the LDAP settings:

LDAP Settings
Host: ekr-svr01-dc01.corp.ekroboter.com
Port: 389
Base DN:  OU="EK roboter",DC="corp",DC="ekroboter",DC="com"
Administrator DN: administrator@corp.ekroboter.com

EKR-SVR-01-DC01 is our domain controller.
CORP.EKROBOTER.COM is our domain.
EK roboter is the top level OU

Openfire server details

XMPP Domain Name: ekr-svr12-xmpp.corp.ekroboter.com
Server Host Name (FQDN): ekr-svr12-xmpp.corp.ekroboter.com

EKR-SVR12-XMPP is the VM running Openfire
I also set up a DNS record chat.corp.ekroboter.com pointing to the server’s IP to avoid having to type ekr-svr12-xmpp.corp.ekroboter.com every single time. This is working just fine.

I’ll appreciate any help or guidance, I’m stuck trying to figure this out.


#2

you’ll want to edit the search filter to exclude computer accounts…something like (&(objectclass=user)(!(objectclass=Computer))) should work. this will still pull in disabled accounts and probably some service accounts if they are in your ou. I tend to handle my users based on security groups and not ou, as it’s easier for me to work with…the link will show you an example.


#3

Thank you for the quick reply. I understand the concept, but I can’t get this to work properly. I followed the example and I either get an error saying to choose a different DN or it’ll just show the group’s name as the only result found.

I’ve created a Chat group in the Security Groups OU, which in turn is inside the EK roboter OU, so the full DN would be CN=Chat,OU=Grupos de Seguridad,OU=EK roboter,DC=corp,DC=ekroboter,DC=com. How can I run a filter to only select the users within that chat group? I’m not interested in having groups for the chat, there’s only about 20-25 users connected at the same time and we all know each other, so a simple list of users will be just fine.


#4

Alright, I think I got it. I used this filter: (&(sAMAccountName={0})(memberOf=CN=Chat,OU=Grupos de Seguridad,OU=EK roboter,DC=corp,DC=ekroboter,DC=com)) and it successfully showed me only the users that belong to the Chat group.

However, it also created a whole bunch of additional groups! While I added only 4 users to the Chat group as a test (and I can see only those 4 users in the Users panel in Openfire), the Groups panel contained 120 items! Each user, computer and printer was being interpreted as a group.

So I added a filter to only look for groups: (&(objectclass=group)) and now everything is fine.

So, issue #1 is resolved. Now onto #2. Only the admin account can do so, either with Spark or Pidgin. Every other user throws an Invalid Username or Password error. Turns out AD authentication won’t work if I deny users to log on to specific machines in the domain, so I had to give every user permission to log on to the domain controller and this fixed my problem. Seems weird but it worked out.
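As an added illustration (not part of the thread, and not Openfire code), a small Python evaluator for the AD search filters discussed above, run against a constructed set of directory entries: it shows why (objectclass=user) still returns computer accounts, how the (!(objectclass=Computer)) clause removes them, how disabled accounts can be dropped with AD's bitwise-AND matching rule 1.2.840.113556.1.4.803 on userAccountControl, and why a group filter without an objectClass term matches every object. The entry names and values are hypothetical; substituting the username into {0} is assumed to work as Openfire's filter templating does.

```python
import re

# Constructed sample of what Openfire's LDAP provider sees below the "EK roboter" OU
# (hypothetical entries, not from the thread). Attribute names are stored lowercase
# because LDAP treats them case-insensitively. In AD a computer object also carries
# objectClass=user, and userAccountControl bit 2 (0x2) marks a disabled account.
CHAT = "CN=Chat,OU=Grupos de Seguridad,OU=EK roboter,DC=corp,DC=ekroboter,DC=com"
ENTRIES = [
    {"samaccountname": ["alice"], "objectclass": ["person", "user"], "memberof": [CHAT],
     "useraccountcontrol": ["512"]},
    {"samaccountname": ["bob"], "objectclass": ["person", "user"], "memberof": [],
     "useraccountcontrol": ["514"]},                      # 512 | 2: disabled account
    {"samaccountname": ["EKR-WS01$"], "objectclass": ["person", "user", "computer"],
     "memberof": [], "useraccountcontrol": ["4096"]},     # workstation trust account
    {"samaccountname": ["Chat"], "objectclass": ["group"], "member": ["CN=alice"]},
]
BIT_AND = "1.2.840.113556.1.4.803"       # AD's LDAP_MATCHING_RULE_BIT_AND

def parse(s, i=0):
    """Parse an RFC 4515 filter at s[i]; return (node, index after its ')')."""
    i += 1                               # skip '('
    if s[i] in "&|!":                    # and / or / not over a list of sub-filters
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1         # consume the closing ')'
    j = s.index(")", i)                  # a ')' inside a value must be escaped as \29
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1

def matches(node, entry):
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    if attr.endswith(":" + BIT_AND + ":"):           # (attr:OID:=mask) bitwise AND
        vals = entry.get(attr[: -len(BIT_AND) - 2], [])
        return any(int(v) & int(val) == int(val) for v in vals)
    vals = entry.get(attr, [])
    if val == "*":                                   # presence test, e.g. (objectclass=*)
        return bool(vals)
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)
    return any(v.lower() == val.lower() for v in vals)

def search(filt, entries=ENTRIES):
    """Return the sAMAccountName of every entry the filter string matches."""
    node, _ = parse(filt)
    return [e["samaccountname"][0] for e in entries if matches(node, e)]
```

Running search() with the thread's filters reproduces each symptom: the plain user filter lists the workstation, the negated clause removes it, and only (objectclass=group) confines the group list to the Chat group.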