Please help with OpenFire Active Directory LDAP integration

I’ve included a screenshot of my Active Directory. Can anyone advise as to how to correctly specify the Base DN & Admin DN? Thanks guys.

As you can see in my scenario (ad1.jpg), my users folder is inside Managed OUs\LA\Users.

How would I need to specify the correct settings as in (ad2.jpg)?


You have the OUs backwards, try this. And Managed OUs is an OU, not a common name, I think.

OU=Users, OU=LA, OU=Managed OUs, dc=eecomail, dc=ad

Also, for the admin I think your administrator DN will have to be in the same OU as the rest of your users to work with the GUI config. I am trying to figure out the same thing right now to use an additional LDAP path for my admin. I tried manually modifying the conf/openfire.xml file but I blew up my install.

So it would look like this…

cn=administrator, ou=Users, OU=LA, OU=Managed OUs, dc=eecomail, dc=ad

1 Like
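The ordering point made in this reply (the directory tree reads root-to-leaf, a DN reads leaf-to-root) is easy to get wrong by hand, so here is an added example, not code from any post in this thread or from Openfire itself, that turns a console-style OU path plus the domain name into a base DN and escapes attribute values per RFC 4514. Note that spaces inside a name such as `Managed OUs` need no escaping; only leading/trailing spaces, a leading `#`, and the characters `, + " \ < > ; =` do. The function names and the sample path are my own.

```python
"""Build an Active Directory base DN from an OU path, with RFC 4514 escaping.

Added example for this thread; function names and inputs are constructed.
"""

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514).
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value (an OU or CN name) for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")                      # leading '#' is special
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                      # leading/trailing space only
        else:
            out.append(ch)                         # interior spaces stay as-is
    return "".join(out)


def domain_to_dc(domain: str) -> str:
    """'eecomail.ad' -> 'DC=eecomail,DC=ad'."""
    labels = [p for p in domain.strip(".").split(".") if p]
    return ",".join(f"DC={escape_dn_value(p)}" for p in labels)


def ou_path_to_base_dn(ou_path: str, domain: str) -> str:
    """Convert a path such as 'Managed OUs\\LA\\Users' into a base DN.

    The tree is read left-to-right, but a DN lists the most specific (leaf)
    component first, so the OU components are emitted in reverse order.
    An empty path yields the domain root.
    """
    parts = [p for p in ou_path.replace("/", "\\").split("\\") if p]
    rdns = [f"OU={escape_dn_value(p)}" for p in reversed(parts)]
    return ",".join(rdns + [domain_to_dc(domain)])


def user_dn(cn: str, ou_path: str, domain: str) -> str:
    """Full DN of a user object whose CN lives under the given OU path."""
    return f"CN={escape_dn_value(cn)}," + ou_path_to_base_dn(ou_path, domain)


if __name__ == "__main__":
    # Constructed sample matching the layout described in the question.
    base = ou_path_to_base_dn("Managed OUs\\LA\\Users", "eecomail.ad")
    print("Base DN :", base)
    print("Admin DN:", user_dn("administrator", "Managed OUs\\LA\\Users", "eecomail.ad"))
    print("Root DN :", ou_path_to_base_dn("", "eecomail.ad"))
```

The builder emits no whitespace after the commas; many servers tolerate `OU=Users, OU=LA`, but the compact form is the one every LDAP client and log will agree on when you compare values later.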

Hey shackbill, thank you for trying, but I’ve tried it over the weekend, and still can’t figure out the correct Base & Admin DN. I’ve tried the ones above (with spaces and without), but it now pops up the error

Error connecting to the LDAP server. Ensure that the directory server is running at the specified host name and port and that a firewall is not blocking access to the server.

I’ve even tried to change the port to 3268 in the same config screen, but same error as above.

Thanks for the effort bud. I’m still trying to figure this out.

You can point base DN to the root of AD, and then use group filtering to specify users of which OU are allowed to use openfire.

One word of advice - try to stay away from OUs with spaces. I believe there is special syntax to be used in openfire LDAP configuration if there are spaces in OU names.

try:

Base DN: dc=eecomail,dc=ad

Authentication: **@eecomail.ad** (make sure DNS is set up correctly)

Create an OU, let's say openfire, in the root of AD and create a security group, let's say **ofusers**; add openfire users to that group.

Then at LDAP search filter use: memberOf=CN=ofusers,ou=openfire,dc=eecomail,dc=ad

(\ may be placed by server - in config screen you may not need it, I do not remember for sure).

If you have more than one group (or you want to have groups in openfire) you can use (!(…),(…)) syntax to add multiple groups to LDAP filter search.

1 Like
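The `memberOf` filter suggested above is the piece most often mistyped, so here is an added example (mine, not code from this thread or from Openfire) that builds it from one or more group DNs, hex-escapes the assertion value per RFC 4515 (`*`, `(`, `)`, `\` and NUL), and joins several groups with the standard LDAP OR syntax `(|(...)(...))`. A small parenthesis-balance check is included because an unbalanced filter is the first thing to rule out when a search returns nothing. The function names, the optional `object_class` wrapper and the second sample group are my assumptions, not anything the posts state.

```python
"""Build and sanity-check an LDAP search filter restricting users to AD groups.

Added example for this thread; names and sample DNs are constructed.
"""

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value (here: a full group DN) for use in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dns, object_class="person"):
    """Return a filter matching objects that are a direct member of ANY group.

    group_dns    : iterable of group DNs (strings)
    object_class : objectClass to AND with the group test; None to omit it
    """
    group_dns = list(group_dns)
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = [f"(memberOf={escape_filter_value(dn)})" for dn in group_dns]
    # One group needs no OR wrapper; several are OR'ed with the '|' operator.
    groups = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    if object_class:
        return f"(&(objectClass={escape_filter_value(object_class)}){groups})"
    return groups


def filter_is_balanced(ldap_filter: str) -> bool:
    """True if every '(' has a matching ')' and none closes before it opens.

    Escaped parentheses (\\28 / \\29) are hex sequences, so they are not
    counted, which is exactly why escape_filter_value() encodes them.
    """
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    ofusers = "CN=ofusers,OU=openfire,DC=eecomail,DC=ad"
    ofadmins = "CN=ofadmins,OU=openfire,DC=eecomail,DC=ad"   # constructed second group
    single = member_of_filter([ofusers], object_class=None)
    multi = member_of_filter([ofusers, ofadmins])
    print(single)
    print(multi)
    print("balanced:", filter_is_balanced(multi))
```

`memberOf` only sees direct membership; a user who is in `ofusers` via a nested group will not match this filter on a plain Active Directory bind, so keep the Openfire group flat or add each nested group's DN to the list.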

Hey J2567 thanks for the tip. I’ve created the “openfire” OU in the root of AD, with the security group called “ofusers”. I’ve added every user that will be using the IM service. Now, where would I specify the LDAP search feature syntax?

There is a screen (at initial configuration) where you specify LDAP search filters; if you already passed that point,

go to system properties and find/create the property ldap.search.Filter, and put in the property value memberOf=CN=ofusers,ou=openfire,dc=eecomail,dc=ad


1 Like

I’ve created a user called “ofadmin” in the Users folder of the root of AD. I’ve assigned Domain Admin and Administrator group for the user. I went into the “openfire” OU and then went into the ofusers group and added the “ofadmin” user to the group. I still can’t get past the testing screen. Please see screenshot “of1.jpg” for more info.


Try ofadmin@eecomail.ad instead of the DN string - that worked for my setup.

Also take out ou=ofusers,ou=openfire, from the base DN string. (I assume you are installing openfire on a domain controller.)

1 Like

Yes, OF is installed on a Server 2003 running Exchange. I’ve tried "ofadmin@eecomail.ad" as the Admin DN and it still kicks off the error

Error connecting to the LDAP server. Ensure that the directory server is running at the specified host name and port and that a firewall is not blocking access to the server.

At this point, is it possible to use a different port?

Is openfire running on the domain controller? 127.0.0.1 is a localhost IP address. Even if it is, try to replace it with the real IP of the domain controller.

You can also google for a free LDAP checking utility; it will allow you to check your LDAP configuration.

1 Like

I’ve successfully managed to get past the Base & Admin DN screen. Turns out the IP address of the DC that I was using was incorrect.

Now I’m running into the Error 500 and I can’t figure out what to do next, or what to look for. I’ve attached more screenshots.



Did you change any other defaults in user mappings? Advanced settings for group mappings?

1 Like

I have not changed any mappings, as you can see in the screenshot.

Try to change (objectClass=person) to (objectClass=group)

Correction:

try to clear the user filter field.

1 Like

Very good! It took me to the screen where I can add an Admin. Do I need to type it as e.g. administrator@eecomail.ad or just administrator?

It will be either just administrator, or administrator@youropenfireservername.eecomail.ad

If it lets you pass that step - you're good.

As I recall I just used my login name without domain, but in configuration I saw it in username@openfireservername.mydomainname format.

1 Like

I tried administrator@EECOEXCHANGE.eecomail.ad and it still failed, but I did somehow complete the install, and it now asks me for the username and password. No matter which combinations I try, it fails to log in. As for the username above, is it case sensitive?

Note: eecoexchange is the name of the server, whereas eecomail.ad is the domain.

Is administrator a member of the openfire group in AD? (same group you added in ldap.searchfilter)

It needs to be.

1 Like

Yes he is. I’ve also added “ofadmin” to the openfire OU -> ofusers group in AD, which pointed to the Base DN -> ou=openfire,dc=eecomail,dc=ad.

Tried both administrator and ofadmin, it won’t log in. Is there an XML file that I need to edit?

Try to set base DN to just dc=eecomail,dc=ad

Is your installation SQL based?