Openfire and LDAP

Setting up Openfire 3.6 with LDAP integration. I would like to limit the users it sees. I can’t seem to get the right search criteria. I would like it to only include users who are a member of a particular AD group. Can anyone post a search string sample that would do that?

I also noticed that it displays all the AD groups a user belongs to. I am not sure if this is only visible on the admin page but if not is there a way to remove or mask that?

This document gives some examples at the bottom:

You only need the actual filter contained within the parenthesis.

Here is another example: (&(objectClass=organizationalPerson)(memberOf=cn=WebISteam,ou=ChatGroups,ou=accounts,dc=domain,dc=com))

Thanks for your help. It seems I actually did do it right. For some reason after I added the filter it locked me out of the admin console. I had to change the setup parameter to false in openfire.xml. I went back and redid the config, my filter was there and the proper users were added based on the filter.

Thanks again.

I also need to filter the groups by OU. I have an OU with groups created specifically for openfire. The groups do not share any common strings in their name that I can filter on. Can I just filter all groups to a particular OU in AD? I found the statement below from the link in a previous reply. It seems like it is possible although I am not sure of the impact (the latter half of the sentence).

“Filtering by OU is not possible in Active Directory unless you use the ou attribute, which is not populated by default for new user accounts.”

Thanks again for any help.

If all your specific groups are in an individual OU then you can create a filter like this for the groups:


This is what I have in the property value for the ldap.groupsearchfilter. I have an OU called openfire at the root of my AD infrastructure. Inside it are all of the groups that I want Openfire to see. I have restarted the openfire service since implementing this filter, yet no groups are displayed. I am not sure what I am doing wrong. I have checked for misspellings and checked the syntax several times.


I turned on LDAP debugging in the Openfire console and got the following error. There are about 5 of these in the log with a different alphanumeric string at the end. I saw something about the filter erroneously adding an extra amp into the configuration. It seems this information is no longer written to the config file, so I am unable to check to see if that is the cause.

[org.jivesoftware.openfire.ldap.LdapGroupProvider.getGroupNames(LdapGroupProvide] Could not find user in LDAP 785be3e

Your filter is distinctly different than my sample. You are missing the beginning (& and the trailing ); without these the filter may break. Also, your BaseDN must be loose enough to allow this filter to work. Since your groups OU is in the root of the domain, implying the users OU is elsewhere, your baseDN should be dc=mydomain,dc=com.

The information is now written into the database but can be edited via the system properties. Any erroneous characters would show there.

I did try the correct setting and that didn’t work either. I have just changed it back so it matches your example. My base dn is the root of AD. I am able to get the filter for all my users working. They are contained in a group in a different OU. If I use the group filter, I get no groups. If I take out the extra filter and leave it as objectclass=group, I get all groups as expected. Is there any other setting that would break this?

On another note.

I need to get this working quickly. I tried to let it see all groups and work with that until I could fix the filter. I have 4 groups that I wanted to use in Openfire. I went to the four groups and told it to enable all users, but when the users log in the only person that shows up in the list is themselves, even when people in their own groups are logged in.

Thanks again

The group filter really does nothing other than limit the number of groups shown in the list. It adds nothing to security. What I did was preface each of my groups with the word Chat (i.e. ChatISteam). Then my filter had this for the CN: cn=Chat*.

For your other problem, are you talking about group sharing? The user should never show in their own list, at least in Spark. I use the subscription plugin set to Accept Local, as well as setting the sharing like this: Openfire Automatic Roster Population via Shared Groups

Thanks for all your help. I tried several different ways to get the filter to work but was unsuccessful. I settled on a different filter. I added a string in the adminDescription field. I seem to have a handle on the LDAP stuff and the contact list sharing. Thanks again.


Seem to be having the same issue; I only want to populate groups from this OU:

(&(objectClass=group)(cn=*,OU=IMC,OU=Trust,OU=Groups,OU=Corp,DC=mi,DC=micorp,DC=com))

Problem is, once I set this filter, I don't see any groups anymore. Any insight someone could provide I would appreciate.

I have only been able to get group filters with wildcards to work if there is a prefix to the group name, i.e. cn=Chat*
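To make the filter behaviour discussed in this thread concrete, here is an added example; it is not code from Openfire or from anyone in the thread. It is a small evaluator for RFC 4515-style search filters run over a constructed AD-like tree (the domain example.com, the accounts Alice Example and Bob Example, the groups ChatISteam, ChatSales and Finance, and the OU=openfire and OU=Groups containers are all assumptions). It shows the memberOf form from the second post matching only members of one group, why the `cn=*,OU=...` form posted just above matches nothing (cn holds only the group's name, never its DN), why `cn=Chat*` does work, and how limiting results to one OU is done through the search base rather than the filter, as an LDAP server does it.

```python
"""Evaluate LDAP search filters against a constructed AD-like directory (added example)."""
import re

# Constructed sample entries imitating an AD tree; not real directory data.
# Each entry is (dn, attributes). Attribute names are stored lower-case because
# AD attribute names and DN/string values compare case-insensitively.
SAMPLE_DIRECTORY = [
    ("CN=Alice Example,OU=Accounts,DC=example,DC=com", {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "cn": ["Alice Example"],
        "samaccountname": ["alice"],
        "memberof": ["CN=ChatISteam,OU=openfire,DC=example,DC=com"],
    }),
    ("CN=Bob Example,OU=Accounts,DC=example,DC=com", {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "cn": ["Bob Example"],
        "samaccountname": ["bob"],
        "memberof": ["CN=Finance,OU=Groups,DC=example,DC=com"],
    }),
    ("CN=ChatISteam,OU=openfire,DC=example,DC=com",
     {"objectclass": ["top", "group"], "cn": ["ChatISteam"]}),
    ("CN=ChatSales,OU=openfire,DC=example,DC=com",
     {"objectclass": ["top", "group"], "cn": ["ChatSales"]}),
    ("CN=Finance,OU=Groups,DC=example,DC=com",
     {"objectclass": ["top", "group"], "cn": ["Finance"]}),
]


def parse_filter(text):
    """Parse a filter string into ('&'|'|'|'!', [children]) or ('=', attr, pattern).

    Raises ValueError on unbalanced parentheses, e.g. a filter missing its
    leading "(&" or trailing ")" as described earlier in the thread.
    """
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|!":
            op = text[i]
            i += 1
            children = []
            while i < len(text) and text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if i >= len(text) or text[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            return (op, children), i + 1
        end = text.index(")", i)
        attr, sep, pattern = text[i:end].partition("=")
        if not sep:
            raise ValueError("no '=' in item %r" % text[i:end])
        return ("=", attr.strip().lower(), pattern), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter: %r" % text[end:])
    return node


def is_well_formed(text):
    """True when the filter parses; False for the unbalanced forms seen in the thread."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def _matches(pattern, value):
    """Substring match where '*' is the only wildcard; case-insensitive like AD."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def evaluate(node, attrs):
    """Apply a parsed filter to one entry's attribute dict."""
    op = node[0]
    if op == "=":
        # A multi-valued attribute (memberOf, objectClass) matches if any value does.
        return any(_matches(node[2], v) for v in attrs.get(node[1], []))
    results = (evaluate(child, attrs) for child in node[1])
    if op == "&":
        return all(results)
    if op == "|":
        return any(results)
    return not next(results)  # '!'


def search(directory, base_dn, filter_text):
    """Subtree search as a server does it: only entries at or under base_dn are candidates."""
    node = parse_filter(filter_text)
    suffix = "," + base_dn.lower()
    hits = []
    for dn, attrs in directory:
        in_scope = dn.lower() == base_dn.lower() or dn.lower().endswith(suffix)
        if in_scope and evaluate(node, attrs):
            hits.append(dn)
    return hits


ROOT = "DC=example,DC=com"  # assumed base DN for the whole domain
# 1. Users limited to members of one group, the memberOf form from the thread.
USERS_IN_GROUP = search(SAMPLE_DIRECTORY, ROOT,
    "(&(objectClass=organizationalPerson)(memberOf=CN=ChatISteam,OU=openfire,DC=example,DC=com))")
# 2. A DN inside the cn value matches nothing: cn is only the group's name.
BY_DN_IN_CN = search(SAMPLE_DIRECTORY, ROOT,
    "(&(objectClass=group)(cn=*,OU=openfire,DC=example,DC=com))")
# 3. The naming-prefix convention does work.
PREFIX_GROUPS = search(SAMPLE_DIRECTORY, ROOT, "(&(objectClass=group)(cn=Chat*))")
# 4. Restricting to one OU belongs in the search base, not in the filter.
OU_GROUPS = search(SAMPLE_DIRECTORY, "OU=openfire,DC=example,DC=com", "(objectClass=group)")

if __name__ == "__main__":
    for label, hits in (("users", USERS_IN_GROUP), ("cn-with-DN", BY_DN_IN_CN),
                        ("prefix", PREFIX_GROUPS), ("by base", OU_GROUPS)):
        print(label, hits)
```

The fourth search is the point most relevant to the OU question: a subtree search only ever returns entries under its base, so pointing the base at the OU that holds the groups scopes them without any cn trick, whereas no filter on cn can express "inside this OU" because the container is part of the DN, not of cn.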