Openfire setup with W2k3 AD

Hi all,

I’m attempting to set up an Openfire installation with LDAP user authentication. My setup is as follows:

  • Openfire 3.6.4 - the main installation
  • Microsoft SQL Server 2005 SP2 - the database
  • Windows Server 2003 Active Directory - for LDAP user authentication

I then proceeded to:

  1. Downloaded the Openfire installer and installed it on my server;
  2. Created a new database named Openfire on my SQL Server, and an SQL login with full access to the new database; and
  3. Pointed the Openfire app to this new database via the setup wizard.

So far so good. Next up was the LDAP Binding.

My AD Structure is as follows:

  • Company.local (Domain)
    • Company Name (OU)
      • Internet Users (OU)
        • Department Name (OU)
          • User

As the names suggest, I have this setup because some of my users have access to the Internet (under the Internet Users organisational unit), and others do not (directly under the Company organisational unit).

I already use this setup with a number of devices and software, including my VPN and Proxy appliances, and to date everything is working ok.

I created a new AD user named “Openfire” and delegated it the rights to read all user information. I put it directly under the Internet Users organisational unit.

I continued to go through the setup wizard, pressing the Test Setting button each time, and all went smoothly.

The **ofProperty** table on my database was populated with the following data:

| name | propValue |
| --- | --- |
| admin.authorizedJIDs | myuser@Company.local |
| ldap.adminDN | Openfire@Company.local |
| ldap.adminPassword | openfire_password |
| ldap.autoFollowAliasReferrals | true |
| ldap.autoFollowReferrals | true |
| ldap.baseDN | ou=Internet\ Users,ou=Company\ Name,dc=Company,dc=local |
| ldap.connectionPoolEnabled | true |
| ldap.debugEnabled | false |
| ldap.emailField | mail |
| ldap.groupDescriptionField | description |
| ldap.groupMemberField | member |
| ldap.groupNameField | cn |
| ldap.groupSearchFilter | (objectClass=group) |
| ldap.host | LDAP_Server |
| ldap.ldapDebugEnabled | false |
| ldap.nameField | cn |
| ldap.override.avatar | true |
| ldap.port | 389 |
| ldap.posixMode | true |
| ldap.searchFilter | (objectClass=person) |
| ldap.sslEnabled | false |
| ldap.usernameField | sAMAccountName |
| ldap.vcard-mapping | <![CDATA[ {cn} {mail} {displayName} image/jpeg {jpegPhoto} {homePostalAddress} {homeZip} {co} {streetAddress} {l} {st} {postalCode} {co} {homePhone} {mobile} {telephoneNumber} {mobile} {facsimileTelephoneNumber} {pager} {title} {department} ]]> |
| mail.configured | true |
| mail.debug | false |
| mail.smtp.host | Email_Server |
| mail.smtp.port | 25 |
| mail.smtp.ssl | false |
| mediaproxy.echoPort | 10020 |
| mediaproxy.enabled | true |
| mediaproxy.idleTimeout | 60000 |
| mediaproxy.lifetime | 9000 |
| mediaproxy.portMax | 20000 |
| mediaproxy.portMin | 10000 |
| provider.auth.className | org.jivesoftware.openfire.ldap.LdapAuthProvider |
| provider.group.className | org.jivesoftware.openfire.ldap.LdapGroupProvider |
| provider.user.className | org.jivesoftware.openfire.ldap.LdapUserProvider |
| provider.vcard.className | org.jivesoftware.openfire.ldap.LdapVCardProvider |

Some notes on the above:

  • myuser@Company.local is my username on the Active Directory, which I use for my computer
  • LDAP_Server is the hostname of my Windows 2003 Active Directory Server

What I need is the following:

  1. To use the Department Name organisational unit as the Group, instead of creating a Group object
  2. Be able to log into the Openfire Admin Console. I tried with all the combinations possible:
     • myuser
     • myuser@Company.local
     • myuser@company.com
     • Company\myuser
     • Company.local\myuser
     However, all I get is this error:
     Login failed: make sure your username and password are correct and that you're an admin or moderator.

Any help would be greatly appreciated!
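A way to check the AD side of this configuration outside Openfire, as an added example (not code from the original post and not Openfire's own code): the script below reproduces the two LDAP steps an Openfire LDAP login performs with the settings from the ofProperty table above: bind as ldap.adminDN, search ldap.baseDN with the username field ANDed to ldap.searchFilter, i.e. `(&(sAMAccountName=<user>)(objectClass=person))`, then bind as the DN that was found. It also reduces the login forms tried in the post to the bare sAMAccountName that Openfire and admin.authorizedJIDs work with; that `login_to_node` helper is part of this example, not Openfire behaviour, which expects the bare username to be typed. The host, credentials, the XMPP domain `Company.local`, the test username and the `ldap3` package are assumptions; the filter-building and name-normalisation functions run offline.

```python
"""Reproduce Openfire's two LDAP lookups for a login against AD (constructed example)."""

# Values copied from the ofProperty table in the post; host and credentials are placeholders.
LDAP_PROPS = {
    "ldap.host": "LDAP_Server",
    "ldap.port": 389,
    "ldap.adminDN": "Openfire@Company.local",      # AD accepts a UPN for simple bind
    "ldap.adminPassword": "openfire_password",
    "ldap.baseDN": "ou=Internet\\ Users,ou=Company\\ Name,dc=Company,dc=local",
    "ldap.usernameField": "sAMAccountName",
    "ldap.searchFilter": "(objectClass=person)",
}

XMPP_DOMAIN = "Company.local"  # assumed: the Openfire server name used in admin.authorizedJIDs


def login_to_node(login: str) -> str:
    """Reduce DOMAIN\\user, user@realm or a full JID to the bare username (helper of this example)."""
    name = login.strip()
    if "\\" in name:                 # Company\myuser, Company.local\myuser
        name = name.rsplit("\\", 1)[1]
    if "@" in name:                  # myuser@Company.local, myuser@company.com
        name = name.split("@", 1)[0]
    return name.lower()


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed username cannot alter the search filter (LDAP filter injection).
    Openfire gets the same protection from JNDI's {0} substitution."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(username: str, props=LDAP_PROPS) -> str:
    """The effective filter: ldap.usernameField={0} ANDed with ldap.searchFilter."""
    return "(&({}={}){})".format(
        props["ldap.usernameField"],
        escape_filter_value(username),
        props["ldap.searchFilter"],
    )


def authorized_jid(username: str, domain: str = XMPP_DOMAIN) -> str:
    """The entry admin.authorizedJIDs must contain for this user to reach the console."""
    return f"{username}@{domain}"


def check_login(login: str, password: str, props=LDAP_PROPS) -> str:
    """Bind as the service account, locate the user's DN under baseDN, then bind as the user.
    Needs the ldap3 package and network access to the domain controller; returns the user DN.
    ldap3 raises LDAPBindError on either failed bind, so each step fails loudly."""
    from ldap3 import Server, Connection, SUBTREE  # imported lazily so the rest runs offline

    node = login_to_node(login)
    server = Server(props["ldap.host"], port=props["ldap.port"])
    svc = Connection(server, user=props["ldap.adminDN"],
                     password=props["ldap.adminPassword"], auto_bind=True)
    svc.search(props["ldap.baseDN"], user_search_filter(node),
               search_scope=SUBTREE, attributes=["distinguishedName"])
    if len(svc.entries) != 1:
        raise LookupError(f"expected exactly 1 entry for {node!r} under "
                          f"{props['ldap.baseDN']}, got {len(svc.entries)}")
    user_dn = svc.entries[0].entry_dn
    svc.unbind()
    Connection(server, user=user_dn, password=password, auto_bind=True).unbind()
    return user_dn


if __name__ == "__main__":
    import getpass
    import sys
    who = sys.argv[1] if len(sys.argv) > 1 else "myuser"   # placeholder username
    print("filter:", user_search_filter(login_to_node(who)))
    print("console admin needs:", authorized_jid(login_to_node(who)))
    print("bound as:", check_login(who, getpass.getpass("AD password: ")))
```

Reading the failures: a failed first bind points at the Openfire service account or its delegated rights; zero search results mean the user is not under ldap.baseDN or does not match ldap.searchFilter; a failed second bind is a wrong password. Two caveats from the settings shown: with ldap.sslEnabled=false on port 389 both binds, including the service account's password, cross the network in plaintext, so prefer LDAPS (port 636) to the domain controller; and ldap.posixMode=true tells Openfire that the group member attribute holds usernames, whereas AD's `member` attribute holds DNs, so for AD it belongs at false.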

Hi, I have the same error, but when I installed Openfire 3.6.4 I chose the database that is integrated with the Openfire installation file. I put in my email and password for admin and Openfire never displayed any error… but when I try to log in to the web page of the administration console I can’t… any suggestion???

thanks…

I don’t see where either of you did this, so try restarting the openfire service.

See the announcements at the top of the forums - this is a known issue with 3.6.4.

Hi Wes,

I did read the announcement, and I have started and stopped Openfire multiple times.

I even restarted the server on which Openfire is installed, but no luck.

What I have tried so far:

  • Emptied the OfProperty table, set false, and went through the wizard without adding LDAP.
    This allowed me to log into the admin console using admin/admin; however, LDAP was not enabled.

  • Set the false flag again, and this time re-added LDAP.
    With this, LDAP authentication on Spark was back, but the admin console was locked again!

Any ideas anyone?

Hi Joseph & Roque,

I’m new to Openfire/Spark, but here is what I did.

At the last step of the setup wizard it will ask if you would like to add additional users to access the web admin. So I added myself and the administrator (usernames only), as it uses LDAP.

As for LDAP: don’t go down to the user OU, as this will block the groups in the department OU. You can set which user accounts and security groups in the Openfire web admin.

I hope this helps.

Regards

Chris

In AD, what does your sAMAccountName look like? Is it just a username or is it an email address? If it is an email address, this is going to cause problems with XMPP authentication.

Hi chrisw,

I went down to the Internet Users OU since I only want the users underneath this OU to have access to Spark. The Group objects are underneath this OU as well; however, I would like to start using the OU name as the Group instead of a separate Group object.

This has been working fine to date with my Proxy and VPN.

sixthring,

I think that the sAMAccountName is the AD username alone.

I did use myuser to log in through the Spark client.

It’s just the web admin console which is not letting me in.

The web console should just be the username and password as well, no @ in there. You also have to be defined as an Openfire admin, which was done at setup.

I have done both, as can be seen from the output of the OfProperty table.

I have tried all combinations, with and without the @, but still no luck.