Possible? Active Directory, Single Sign On, & Limit Users?

Would this be possible to do with Openfire/Spark?

  • First integrate OpenFire with Active Directory in a structure that has users distributed in multiple Organizational Units
  • After the Active Directory integration, Single-Sign-On: Auto log users into spark based on the information used to login to windows
  • Set users from active directory into different groups like you can with a “normal” spark setup. In other words be able to put users A & B into a “Purchasing Department” group, Users C & D into an “Auditing Department” Group, and so on.
  • Last if the grouping is possible, is it still possible to limit certain groups to only be able to chat to other certain groups like you can with a normal setup. For example, I want everyone in the purchasing department to be able to talk to the auditing department, but do not want the purchasing department to be able to see or talk to the attorney’s office.

Thanks for any input. Just wanted to make sure these are possible to do before I even attempt to start setting this up.

Also, if users being distributed throughout multiple organizational units (OUs) is an issue, are there any workarounds, or will I just have to put them all in one OU?

Right now they are distributed as follows:

  • MainOU-1
    • SubOU-1-1
    • SubOU-1-2
  • MainOU-2
    • SubOU-2-1
    • SubOU-2-2

If that wouldn't work, would this?

  • Main Users OU
    • MainOU-1
      • SubOU-1-1
      • SubOU-1-2
    • MainOU-2
      • SubOU-2-1
      • SubOU-2-2

Thanks again, sorry if I am not making any sense.

Maybe someone will correct me, but I think Openfire uses groups, not OUs, when integrated with LDAP. As for limiting the groups, the Packet Filter plugin should work with groups pulled from AD, and you should be able to limit who can talk to whom.

You can set the server to pull the user info from a particular OU with a filter, but user groups are based on AD Groups, rather than OUs.

In my case, I preferred to have complete control over groups, so I set up the server based on LDAP and changed the parameter provider.group.className to the default value (org.jivesoftware.openfire.group.DefaultGroupProvider).

With that, you have LDAP users, but Groups are controlled in the Openfire server, so you can manually set the groups yourself and control their visibility.


So you are saying that you have users set up into Groups in Active Directory but still have control over who goes into what “spark group” in OpenFire as well?

Question: whenever you set up “Groups” in Active Directory, you cannot apply Active Directory group policies to groups the same way you can to organizational units, right?

This was my main reason that I have OUs set up.

I am trying to figure out the best way to go about this before I start setting this up.

I appreciate the input.


No, you can’t apply group policies to groups (heh, irony:)). Well, you can restrict group policies to apply only to the specified groups, but a GPO still has to be attached to an OU. You should have some security groups though. Can’t they be used for grouping in Openfire? Or you will have to create some groups reflecting your OU structure.

So can a User exist in an OU and a Group at the same time?

Definitely. To be precise, a user is a member of a group or a number of groups and is also an object in an OU.

Sorry for all the questions. What group types do you use to organize user accounts: distribution or security?

Also, can you do subgroups?

  • MainGroup
    • SubGroup1
    • SubGroup2

Or would it be better just to put all my users in one group and then organize them inside OpenFire?

I appreciate all of your quick responses.

Thanks.

Okay. I see, “groups” are actually the groups that users can be a part of.

Such as me making my username part of the “Enterprise Admins” group. Correct?

So for my OpenFire, would me creating an “OpenFireUsers” group in active directory and adding all the users that I want to have access to spark into it work?

Thanks again.

So,

  • Usually we use security groups to organize users, as security groups also serve for setting permissions for various resources (folders, printers, etc.). Though we also use distribution groups for managing the address book in Exchange. We name our security groups by departments, so they can be used for displaying hierarchy in Spark. But M. Tejera’s advice, which I have already heard from someone else in the forums, is very interesting: to pull all the users from LDAP and then change the group provider config to the default one and then manage all the imported users as local users in Openfire and put them in local groups, which you can create in Admin Console. Haven’t tried this myself, but two forum users say this is possible. Interesting, though I can’t say which is better.

  • You can’t have subgroups (as with OUs), but a group can be a member of another group. This way you can organize users more easily by adding groups into groups instead of manually adding user by user. Say department A has Sales and Management. Then you can create groups SalesA and ManagementA, and then a group DepA, and put SalesA and ManagementA into DepA. If you need to set some permission for all users in department A, you can just set those permissions for the DepA group and the other groups will inherit those permissions.

  • So it is up to you whether you want to create many groups and pull them into Openfire, or create just one, pull the users, and then change the provider setting and manage users in Admin Console locally.


One of the reasons I took this approach was because when I originally set up Openfire we only had local users. After a year and a half we migrated our infrastructure to AD, but kept Openfire with local users and groups. Now I’m planning to migrate the server to LDAP accounts and try to keep the original group structure as much as possible to avoid user confusion.

We use OUs to organize our users, and security groups to manage permissions, resources and scripts. Since some users belong to five (or more!) different groups and we follow a complex naming scheme, we can’t really use the security groups to create the Spark groups. So I tried the approach of using local groups with LDAP users and it works well. I can import the users seamlessly and integrate them into the groups. It requires more work since new users need to be added to their groups, but since I manage a branch with only about 50 users I can live with it.

I am trying to get this linked with AD now, but cannot get it to connect.

I keep getting this error.

Test: Connection Settings

Status: Error

[LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1]

Any ideas?

[I have attached a file of the settings I have put in before testing it that are resulting in this error.]

Check this thread http://community.igniterealtime.org/thread/35238

Seems to be related to your issue. And there’s a few proposed solutions.
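As an added illustration, not taken from any post in this thread, the openfire.xml fragment below ties together two points raised above: M. Tejera’s mix of LDAP users with locally managed groups (provider.group.className set to DefaultGroupProvider), and an LDAPS bind on port 636 for a domain controller that requires LDAP signing and therefore answers a cleartext simple bind on 389 with LDAP error 8 (the “requires binds to turn on integrity checking” message). Newer Openfire releases keep the same keys as system properties (ldap.host, ldap.sslEnabled, provider.group.className) set in the Admin Console; the host, DNs, group names and service account are constructed placeholders.

```xml
<!-- openfire.xml fragment (Openfire 3.x style). All host names, DNs and
     account names are constructed placeholders, not values from this thread. -->
<jive>
  <ldap>
    <!-- Port 389 with sslEnabled=false is a cleartext simple bind. A domain
         controller that requires LDAP signing rejects it with LDAP error 8
         ("requires binds to turn on integrity checking"), so bind over LDAPS. -->
    <host>dc1.example.local</host>
    <port>636</port>
    <sslEnabled>true</sslEnabled>
    <!-- Read-only service account used for the directory searches. -->
    <adminDN>CN=svc-openfire,OU=Service Accounts,DC=example,DC=local</adminDN>
    <adminPassword>PLACEHOLDER</adminPassword>
    <!-- One base DN above both MainOU-1 and MainOU-2 covers users in any sub-OU,
         so the existing OU layout does not have to be flattened. -->
    <baseDN>OU=Main Users OU,DC=example,DC=local</baseDN>
    <usernameField>sAMAccountName</usernameField>
    <nameField>displayName</nameField>
    <emailField>mail</emailField>
    <!-- Only members of one AD group (the "OpenFireUsers" idea above) get
         accounts; everyone else in the OU tree is invisible to Openfire. -->
    <searchFilter>(&amp;(objectClass=user)(memberOf=CN=OpenFireUsers,OU=Groups,DC=example,DC=local))</searchFilter>
    <connectionPoolEnabled>true</connectionPoolEnabled>
    <ldapDebugEnabled>false</ldapDebugEnabled>
  </ldap>
  <provider>
    <user>
      <className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>
    </user>
    <auth>
      <className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
    </auth>
    <!-- Default (local) group provider instead of LdapGroupProvider: accounts
         and passwords come from AD, but group membership and who can see whom
         are managed in the Openfire Admin Console. -->
    <group>
      <className>org.jivesoftware.openfire.group.DefaultGroupProvider</className>
    </group>
  </provider>
</jive>
```

The JVM running Openfire must trust the certificate the domain controller presents on 636; otherwise the bind fails during the TLS handshake rather than with the error 8 message shown above.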

Are there any companies that anyone here has dealt with that offer support on initial setup and configuration of OpenFire? I can’t seem to get this thing to connect to Active Directory and it is driving me nuts.