Openfire with Active Directory and its child domain


I’m trying to configure Openfire with Active Directory. Users should be fetched from two domains.

First domain - holds most of the users and second domain (child domain of

Users in are stored in nonstandard location:


and users in are stored in standard location:


The problem is that users from are not listed in Openfire nor can they authenticate to the server.

I have configured ldap.baseDN for:


and ldap.alternateBaseDN for:


When I try to search for a user from I get no results, but in the sniffed network traffic I can see that the username is resolved to cn=name surname,cn=Users,dc=secondary,dc=example,dc=com

After that a search for that object is performed to retrieve the rest of the information (telephone number, email address, etc…). But for the purpose of this search, the value from ldap.alternateBaseDN is appended to the mentioned object. So the searched object looks like this:

cn=name surname,cn=Users,dc=secondary,dc=example,dc=com,cn=Users,dc=secondary,dc=example,dc=com

and therefore is not found.

Any help with this problem would be highly appreciated, as I have been fighting with this configuration for almost a month without success.

I have set up a test environment to check whether I can reproduce my problem, and unfortunately I did.

Again an Active Directory domain and its child domain, ldap.baseDN set for Cn=Users,dc=example,dc=com and ldap.alternateBaseDN for cn=Users,dc=child,dc=example,dc=com.

The problem is that after searching for username from child domain an object is found: cn=Name Surname,cn=Users,dc=child,dc=example,dc=com.

Afterwards a search, to retrieve sAMAccountName, is performed using object cn=Name Surname,cn=Users,dc=child,dc=example,dc=com,cn=Users,dc=child,dc=example,dc=com

According to Openfire source code ( the results of search are relative to baseDN/alternateBaseDN, but the object returned is a full path to the searched user. Then the alternateBaseDN is appended to that full path and the search for a sAMAccountName fails?

Is it a bug? Did anybody succeed with ldap.alternateBaseDN?
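
Added example, not part of the original posts and not Openfire's own code: the doubled DN described above, reproduced with JNDI's `LdapName`, next to a check that appends a base DN only when the returned name is not already under one. The class and method names are hypothetical, and the DNs are constructed from the test environment described in the post.

```java
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

// Hypothetical demo class; not taken from the Openfire source.
public class DoubledDnDemo {

    // The behaviour described in the post: the base DN is appended
    // unconditionally, even when the search result is already a full DN.
    static String naiveAbsolute(String resultName, String searchBase) {
        return resultName + "," + searchBase;
    }

    // Append the search base only when the result is not already located
    // under one of the configured base DNs.
    static LdapName safeAbsolute(String resultName, LdapName searchBase,
                                 List<LdapName> knownBases) throws InvalidNameException {
        LdapName name = new LdapName(resultName);
        for (LdapName base : knownBases) {
            // LdapName numbers RDNs from the right, so startsWith() compares
            // the trailing cn=Users,dc=... components of the DN string.
            if (name.startsWith(base)) {
                return name; // already absolute, nothing to append
            }
        }
        LdapName full = (LdapName) searchBase.clone();
        full.addAll(name); // relative name: place it under the search base
        return full;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed values modelled on the test environment in the post.
        LdapName base = new LdapName("cn=Users,dc=example,dc=com");
        LdapName alt = new LdapName("cn=Users,dc=child,dc=example,dc=com");
        List<LdapName> bases = List.of(base, alt);

        String fullResult = "cn=Name Surname,cn=Users,dc=child,dc=example,dc=com";
        String relativeResult = "cn=Name Surname";

        System.out.println("naive: " + naiveAbsolute(fullResult, alt.toString()));
        System.out.println("safe (full result): " + safeAbsolute(fullResult, alt, bases));
        System.out.println("safe (relative result): " + safeAbsolute(relativeResult, alt, bases));
    }
}
```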

Hi Suchy,

I was just following up to see if you ever found a solution to this issue? I’m in the same boat. We’ve recently acquired another company and the decision was made to allow the absorbed company to operate under a child domain in Active Directory, to allow for them to maintain internal support given time zone differences. That being said we’re left in the situation of needing to integrate users from our domain and their domain (our child domain) into a single instance of Openfire. It’s disappointing that this is not a more popular question.



You could try making your basedn the root domain pointed to your global catalog, and then use groups and search filters to apply access and clean things up.