
Packet Filter Question Active Directory Groups

OpenFire 4.03

Spark 2.8

Windows 2008 R2

I have successfully set up the Openfire server, configured it with our Active Directory, set up two groups in AD (mgmt., staff) and populated those groups with users. My search filters are limiting what groups (and users) can use the service to these two. I’ve followed the instructions in this link and ‘packet filter rules’ to attempt the following: Mgmt can see and chat with Mgmt and Staff; Staff can only see and chat with Mgmt (not with each other). http://serverfault.com/questions/191365/openfire-hide-all-users-in-the-same-group-from-each-other

This is what my packet filter config looks like:

Here is what is happening - I have several issues:

  1. Staff cannot see each other, as planned, and cannot start a chat manually by entering the user ID from the Spark client menu (Actions->Start a Chat)… a popup window opens but there is no connectivity to the other Staff user. However, if from this popup the Staff user selects the icon to ‘Invite to a conference’, then that successfully connects the two Staff members. As I understand it, this should not happen if I have ‘Any’ or ‘Reject’ set up to block ALL packet traffic.

  2. Selecting the Spark menu option (Contacts->Show offline users, or Show empty groups) allows me to see both groups (Mgmt and Staff) when I am logged in as a member of Mgmt. Staff or Mgmt users that are logged in show up in their respective groups. But when logged in as a Staff member, I cannot see the Mgmt group, nor anyone logged in under the Mgmt group. I need the Staff to be able to see and chat with Mgmt.

Can someone help me diagnose what is going on here?

Thanks in advance,

Rich

Title was edited by: Richard Darlington

Hi…you may want to change the title of your post to something like “packet filter question” as it sounds like your AD setup is fine!

I think you’ll have to play with the packet types to get your end result.

MUC (conference) filter blocks the conference packets. I think this is an all or nothing setting. If you need the user to access MUC, but don’t want them to use it as a workaround to bypass your 1:1 filter, you’ll need to adjust permissions of the conference rooms. (prevent user from creating/inviting/etc/password/et

“Presence” filter might handle letting your users see each other. You’ll likely need to allow this.
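To make the two points above concrete (a Staff-to-Staff "Any/Reject" rule not catching a conference invitation, and the MUC packet type being a separate, coarse switch), here is an added toy model of group-based packet filter rules. It is example code written for this thread, not the Packet Filter plugin's own implementation, and it assumes: first-matching-rule-wins evaluation with an unmatched stanza passing, a conference service at `conference.example.com`, a constructed three-user group directory, and that Spark's "Invite to a conference" sends a XEP-0045 mediated invitation (inviter -> room, then room -> invitee) rather than a direct user-to-user message. All names and JIDs are made up.

```python
from dataclasses import dataclass
from typing import List, Optional

CONFERENCE = "conference.example.com"  # assumed MUC service domain

# Constructed sample of the two AD groups described in the thread.
GROUPS = {
    "alice@example.com": "Mgmt",
    "bob@example.com": "Staff",
    "carol@example.com": "Staff",
}


@dataclass(frozen=True)
class Stanza:
    kind: str   # "message", "presence" or "iq"
    frm: str    # sender JID (may carry a /resource)
    to: str     # recipient JID


@dataclass(frozen=True)
class Rule:
    packet_type: str  # "Any", "Message", "Presence", "IQ" or "MUC"
    source: str       # group name or "Any"
    dest: str         # group name or "Any"
    action: str       # "Reject" or "Pass"


def bare(jid: str) -> str:
    return jid.split("/", 1)[0]


def is_muc(jid: str) -> bool:
    b = bare(jid)
    return b == CONFERENCE or b.endswith("@" + CONFERENCE)


def group_of(jid: str) -> Optional[str]:
    # A room, or the conference service itself, belongs to no user group.
    return GROUPS.get(bare(jid))


def matches(rule: Rule, s: Stanza) -> bool:
    if rule.packet_type == "MUC":
        # Modelled as "anything touching the conference service" (assumption).
        type_ok = is_muc(s.to) or is_muc(s.frm)
    else:
        type_ok = rule.packet_type == "Any" or rule.packet_type.lower() == s.kind
    src_ok = rule.source == "Any" or rule.source == group_of(s.frm)
    dst_ok = rule.dest == "Any" or rule.dest == group_of(s.to)
    return type_ok and src_ok and dst_ok


def evaluate(rules: List[Rule], s: Stanza, default: str = "Pass") -> str:
    # First matching rule wins; an unmatched stanza passes (assumed default).
    for r in rules:
        if matches(r, s):
            return r.action
    return default


# Assumed rule set for the thread: block every packet type Staff -> Staff.
STAFF_ISOLATION = [Rule("Any", "Staff", "Staff", "Reject")]


def mediated_invite_hops(rules: List[Rule], inviter: str, invitee: str, room: str) -> List[str]:
    """Decisions for the two hops of a mediated invitation: inviter -> room, room -> invitee.
    Neither hop is Staff -> Staff, so a group-to-group rule never sees it."""
    hop1 = Stanza("message", inviter, room)
    hop2 = Stanza("message", room, invitee)
    return [evaluate(rules, hop1), evaluate(rules, hop2)]


if __name__ == "__main__":
    bob, carol, alice = "bob@example.com", "carol@example.com", "alice@example.com"
    room = "room@" + CONFERENCE
    print("staff->staff message:", evaluate(STAFF_ISOLATION, Stanza("message", bob, carol)))
    print("staff->staff presence:", evaluate(STAFF_ISOLATION, Stanza("presence", bob + "/Spark", carol)))
    print("staff->mgmt message:", evaluate(STAFF_ISOLATION, Stanza("message", bob, alice)))
    print("invite hops, isolation only:", mediated_invite_hops(STAFF_ISOLATION, bob, carol, room))
    # Adding a MUC rule closes the workaround, but for every room, not just Staff-to-Staff ones.
    with_muc = [Rule("MUC", "Staff", "Any", "Reject")] + STAFF_ISOLATION
    print("invite hops, with MUC reject:", mediated_invite_hops(with_muc, bob, carol, room))
```

Under these assumptions the direct message and presence between two Staff users are rejected, while the invitation passes on both hops because the first is addressed to the room and the second comes from the room. A "MUC / Staff / Any / Reject" rule stops the first hop, but it also stops Staff joining any conference at all, which is the all-or-nothing trade-off noted above; keeping MUC open means controlling it inside the rooms instead.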

speedy,

I’ve looked at the packet filter plugin readme and the directions are not detailed and do not cover all the possibilities included in the drop-down selections within a filter rule. It seems the settings I have to prevent (drop) all IM traffic within group Staff should stop all traffic. Would you suggest I add separate rules to drop each type of traffic (seems redundant)? Is there some other, more detailed documentation regarding the filter rule options?

I do not want the Staff (group) users to even see other Staff users, let alone chat… so no to the ‘Presence’ filter for them. I only want Staff group users to see and chat with the Management (group) users. Again, since ‘all’ IM traffic is opened both ways between both groups, I would expect Staff to be able to see Mgmt, but they don’t.

??