Hello!
I have two OpenFire servers with LDAP authorization. The AD groups in both domains are named "Jabber" and have shared rosters. Server-to-server transport works well; I can send a message from user@jabber.domain1.local to user@jabber.domain2.local.
How can I populate the Openfire roster/users from domain1.local into the Openfire roster on domain2.local?
How can I get the online status for the other domain's Openfire users?
I’m not seeing a fast way of automating this. Openfire groups are specific to the domain that they’re defined in, and aren’t really usable on another domain.
Users on any domain can add users on the other domain to their roster, which implicitly causes them to subscribe to the presence of the user. That’s the manual way of doing things, which is probably not what you’re asking.
You could manually create groups in the admin console that hold users from both domains, but that is cumbersome to maintain.
Perhaps a new custom GroupProvider implementation needs to be created somehow, that can connect to both AD servers, and somehow combine all users in groups. I’m not sure if this is feasible.
Is there a trust between the AD domains? If not, I don't see a way of doing this. It sounds like you want realm xyz to push/publish roster groups to realm 123, and vice versa. Then you'd have to figure out a way to handle the permissions of the published group. Will everyone get the roster, or would it be published to selected users of 123?
Yes, there is a trust between these two domains. I created a Local Security Group and added users from the second domain into the group, and I can't see users from the second domain in the roster.
Determine which of your DCs is also a global catalog, and connect on port 3268 (LDAP) or 3269 (LDAPS) instead of 389/636. You'll then want to make your search filter the root of the forest, not the domain.
Keep in mind that, depending on what you use for "username", you could run into duplications.
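As an added illustration of the two points in this reply (pointing Openfire at a global catalog with the forest root as the search base, and checking for username duplication across domains), here is a small Python preflight script. It is not code from the thread or from Openfire; the hosts, DNs and user entries are constructed sample data, and the Openfire property names it emits (ldap.host, ldap.port, ldap.baseDN, ldap.sslEnabled, ldap.usernameField) are the ones used by Openfire's LDAP settings but should be verified against your own admin console.

```python
"""Preflight for an Openfire LDAP setup that reads from an AD global catalog.

Added example, not Openfire code. Sample entries below are constructed.
"""
from collections import defaultdict

# Global catalog ports span the whole forest; 389/636 only answer for one domain.
GC_PORTS = {"ldap": 3268, "ldaps": 3269}
DOMAIN_PORTS = {"ldap": 389, "ldaps": 636}


def forest_root_base_dn(forest_root_dns: str) -> str:
    """Turn the forest root DNS name into the base DN for a GC search."""
    return ",".join(f"DC={label}" for label in forest_root_dns.split("."))


def gc_connection_settings(gc_host: str, forest_root_dns: str,
                           username_field: str, use_tls: bool = True) -> dict:
    """Build the Openfire LDAP properties for a global catalog connection.

    Property names follow Openfire's LDAP settings (assumption: verify them in
    your admin console).
    """
    scheme = "ldaps" if use_tls else "ldap"
    return {
        "ldap.host": gc_host,
        "ldap.port": GC_PORTS[scheme],
        "ldap.baseDN": forest_root_base_dn(forest_root_dns),
        "ldap.sslEnabled": use_tls,
        "ldap.usernameField": username_field,
    }


def find_username_collisions(entries: list, username_attr: str) -> dict:
    """Return {value: [dn, ...]} for username values shared by several entries.

    AD usernames are case-insensitive, so values are compared lower-cased.
    """
    seen = defaultdict(list)
    for entry in entries:
        value = entry.get(username_attr)
        if value is None:
            continue
        seen[value.lower()].append(entry["dn"])
    return {value: dns for value, dns in seen.items() if len(dns) > 1}


def choose_username_field(entries: list,
                          candidates=("sAMAccountName", "userPrincipalName")):
    """Pick the first candidate attribute that is unique across the forest."""
    for attr in candidates:
        if not find_username_collisions(entries, attr):
            return attr
    return None


# Constructed sample of what a forest-wide GC search might return:
# two domains, one sAMAccountName reused in both.
SAMPLE_ENTRIES = [
    {"dn": "CN=John Smith,OU=Users,DC=domain1,DC=local",
     "sAMAccountName": "jsmith", "userPrincipalName": "jsmith@domain1.local"},
    {"dn": "CN=Jane Smith,OU=Users,DC=domain2,DC=local",
     "sAMAccountName": "JSmith", "userPrincipalName": "jsmith@domain2.local"},
    {"dn": "CN=Anna Lee,OU=Users,DC=domain2,DC=local",
     "sAMAccountName": "alee", "userPrincipalName": "alee@domain2.local"},
]


if __name__ == "__main__":
    field = choose_username_field(SAMPLE_ENTRIES)
    print("collisions on sAMAccountName:",
          find_username_collisions(SAMPLE_ENTRIES, "sAMAccountName"))
    print("username field to use:", field)
    # gc01.example.local and example.local are placeholder names.
    print(gc_connection_settings("gc01.example.local", "example.local", field))
```

Run it against the output of a real GC search (after replacing SAMPLE_ENTRIES) before switching the Openfire properties: a collision on the chosen username field means two accounts would map to the same JID local part.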
Is there no other solution than the global catalog? My domains right now are in different forests, and I also want to share the roster with both domains …
Also, it looks like using s2s I can search users by LDAP name (not JID). My users would like to type the name of a person in the search, then his JID.
Also, earlier it was said that . It's not a problem for me, and it would be a solution for me, but I can't: when I click "create new group" I see "Not allowed: the group account system is read-only." because of LDAP.
When you configure Openfire to use LDAP/AD, it will install providers for all relevant data types:
User
Group
Authentication
All of these are read-only, preventing you from applying changes, as you've found.
You will likely be able to work around this by changing Openfire’s GroupProvider back to the default provider, named org.jivesoftware.openfire.group.DefaultGroupProvider. You can do this by changing a property in openfire.xml, as documented in Openfire: Custom Group Provider Guide
If this is an already installed server, then you may need to set the system property (in the admin console) provider.group.className to org.jivesoftware.openfire.group.DefaultGroupProvider.
Well, it is working, but I wanted to get users from my domain automatically, plus manual adding from the other. Here I have to do everything manually, and in the contact list they are displayed like JID@domain, but I wanted it like in standard LDAP, with last name + first name.
Never mind, I think I want too much.
Can you tell me, am I able to search users from the other domain not by JID, but by last name? Our users will have problems searching for people by JID.