Openfire + OpenLDAP + posixGroup + mapping only primary group

Hello,

I have an OpenLDAP database with base DN in dc=example,dc=com, users in ou=Users,dc=example,dc=com (posixAccount) and groups in ou=Groups,dc=example,dc=com (posixGroup).

Group membership is mapped with the gidNumber attribute (primary group) under the user's account and with the memberUid attribute (secondary groups) under the group entry.

With this configuration, one user can have multiple group memberships. Example: user1 is in group1 and group2, and user2 is in group1 and group3.

The group mapping is working fine in Openfire with the following configuration:

user:
username field: uid
user filter: (&(objectClass=posixAccount)(mail=*))

group:
groupname: cn
Membership: memberUid
posix mode: yes
group filter: (objectclass=posixGroup)

However, since a user can participate in more than one group, that user appears duplicated in the group mapping (and in the roster as well).

Is there any configuration that can be made to filter this result and leave the user only in their primary group, or make them appear only once?

Thanks and best regards.

Daniel
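To make the effect described in the question concrete, here is a small added example (not from the original post and not Openfire's own code). It assumes a constructed directory snapshot laid out like the one described above (posixAccount users under ou=Users, posixGroup groups under ou=Groups, memberUid also present in the primary group as smbldap-useradd leaves it), models the posted user and group filters in plain Python, and shows where the duplicate roster entries come from and what a "primary group only" mapping would have to compare:

```python
from collections import defaultdict

# Constructed LDIF snapshot (made up for this example, not taken from a server).
# Layout follows the question: posixAccount users with gidNumber and mail,
# posixGroup groups with gidNumber and memberUid.  user1 is a member of
# group1 (primary, gid 1001) and group2; user2 of group1 (primary) and group3.
# "svc" has no mail attribute, so the posted user filter excludes it.
SAMPLE_LDIF = """\
dn: uid=user1,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: user1
gidNumber: 1001
mail: user1@example.com

dn: uid=user2,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: user2
gidNumber: 1001
mail: user2@example.com

dn: uid=svc,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: svc
gidNumber: 1002

dn: cn=group1,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: group1
gidNumber: 1001
memberUid: user1
memberUid: user2

dn: cn=group2,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: group2
gidNumber: 1002
memberUid: user1
memberUid: svc

dn: cn=group3,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: group3
gidNumber: 1003
memberUid: user2
"""


def parse_ldif(text):
    """Minimal LDIF reader for the constructed snapshot above.
    Attribute names are lower-cased because LDAP treats them case-insensitively
    (the post's group filter writes objectclass, the user filter objectClass).
    Every attribute is kept as a list, since memberUid is multi-valued."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep:
                entry[attr.lower()].append(value)
        entries.append(dict(entry))
    return entries


def openfire_users(entries):
    """User filter from the post: (&(objectClass=posixAccount)(mail=*))."""
    return {e["uid"][0]: e for e in entries
            if "posixAccount" in e.get("objectclass", []) and e.get("mail")}


def openfire_groups(entries):
    """Group filter from the post: (objectclass=posixGroup)."""
    return [e for e in entries if "posixGroup" in e.get("objectclass", [])]


def roster_groups(entries):
    """Group name -> members, as a memberUid-based mapping produces it.
    memberUid values that do not pass the user filter are dropped."""
    users = openfire_users(entries)
    return {g["cn"][0]: sorted(u for u in g.get("memberuid", []) if u in users)
            for g in openfire_groups(entries)}


def duplicate_users(groups):
    """Users that show up in more than one roster group (the question's symptom)."""
    seen = defaultdict(list)
    for name, members in groups.items():
        for u in members:
            seen[u].append(name)
    return {u: sorted(g) for u, g in seen.items() if len(g) > 1}


def primary_only(entries):
    """Keep each user only in the group whose gidNumber equals the user's own
    gidNumber.  This compares an attribute of the group entry with an attribute
    of a different (user) entry, which a plain LDAP search filter cannot do,
    since a filter is evaluated against one entry at a time."""
    users = openfire_users(entries)
    result = {}
    for g in openfire_groups(entries):
        gid = g["gidnumber"][0]
        result[g["cn"][0]] = sorted(
            u for u in g.get("memberuid", [])
            if u in users and users[u]["gidnumber"][0] == gid)
    return result


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    groups = roster_groups(entries)
    print("memberUid mapping:    ", groups)
    print("appear more than once:", duplicate_users(groups))
    print("primary group only:   ", primary_only(entries))
```

Running it shows user1 listed under group1 and group2 and user2 under group1 and group3, exactly the duplication the question describes; the primary-only view needs the gidNumber comparison across two entries, which is why no change to the group filter string alone can produce it.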

This may be by design. Let's say, for example, you restrict your roster groups. You may have a member that needs access to both groups, and therefore you would want them listed in each roster group. I usually address this issue by creating dedicated IM groups. Here is an example of how I do this in AD: How to Setup Authentication Groups with LDAP/AD

Hi, speedy.

I'm running OpenLDAP in a Linux environment and I do not have nested groups like you mentioned (I know it is possible, but I don't have them).

I would like to use the system groups (the user's primary group) to map the users and would not like to create another group specifically for Openfire users.

I would like to simplify the account management and when a new account is created, the user is already mapped correctly in the roster without having to put it into another group or any other action (all users in my network have to be listed in Openfire).

I have been using the smbldap-useradd command to create new user accounts, which automatically inserts a memberUid attribute with the related username into the user's primary group.

Thanks and best regards

Daniel