I set up Openfire because I saw some good references to its ease of Active Directory authentication. So I installed it onto a Windows box and it went incredibly smoothly! However, our users are not stored in cn=Users. The bug I believe I noticed is that one cannot authenticate when a CN has a space in it.
For example, the following functions just fine:
cn=Users,dc=DOMAINNAME
The following example does not work, presumably because of the space in the CN name:
cn=DOMAIN Users,dc=DOMAINNAME
We cannot easily change this to remove the space, as a number of other systems tie into this already. While it currently works just fine using DC=DOMAINNAME, it's a bit sloppy when PC names, system accounts, and whatnot show up in user searches.
I'm not sure at all that spaces in the base DN are not accepted. I'm pretty sure when I was playing around with the setup I had spaces and it worked just fine. However, what I've ended up with (as our AD is a mess) is using the domain as the base DN (dc=DOMAINNAME) and then using LDAP filters to cut down on the number of users and groups returned. At the moment I just use (objectCategory=Person), which cuts it down a bit, but you could probably use memberOf, mailnickname, etc. to filter it down a lot more.
You cannot use a CN in the base DN. It should be an OU. CN is a designation for group names and users. OUs are the folders that contain the groups and users.
So: ou=DOMAIN Users,dc=DOMAINNAME should work. Spaces should not be an issue, but that being said, you should not use spaces, slashes or other such characters in AD naming. Just because Microsoft is dumb enough to allow it does not mean you should use it.
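The two replies above touch on the same practical question: how to write a base DN that contains a space, and how to narrow the search with an LDAP filter such as (objectCategory=Person) plus memberOf. The following is an added example (not code from the thread, from Openfire, or from any of its posters) that builds both strings with the escaping rules from RFC 4514 (distinguished names) and RFC 4515 (search filters). It contacts no directory; the DN components and group names are constructed sample values, and the function names are my own. The point it makes is that an interior space in a value like "DOMAIN Users" needs no escaping at all, whereas commas, leading or trailing spaces, and filter metacharacters do, which also keeps untrusted input (a login name, a group name typed into a form) from altering the filter's meaning.

```python
"""Build LDAP base DNs and search filters safely (added example).

Assumptions (not from the thread): the DN components and group names used
here are constructed sample values; escaping follows RFC 4514 for DNs and
RFC 4515 for search filters. No live directory is contacted.
"""

# RFC 4514 section 2.4: characters that must always be escaped in an RDN value
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value per RFC 4514.

    A space inside the value ("DOMAIN Users") needs no escaping; only a
    leading or trailing space, a leading '#', control characters and the
    characters in _DN_SPECIAL do.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))  # hex-pair escape for control chars
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns) -> str:
    """Join (attribute, value) pairs into a DN string, most specific RDN first."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


# RFC 4515 section 3: characters that must be escaped inside a filter assertion value
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever match literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(group_dns=()) -> str:
    """Combine objectCategory=Person with optional memberOf restrictions.

    With no groups the result is the filter mentioned in the thread,
    (objectCategory=Person). With groups it becomes an AND of that clause
    and an OR over the memberOf values, each of which is escaped so that a
    group DN containing '*', '(' or ')' cannot widen the match.
    """
    base = "(objectCategory=Person)"
    if not group_dns:
        return base
    member = "".join(f"(memberOf={escape_filter_value(g)})" for g in group_dns)
    if len(group_dns) > 1:
        member = f"(|{member})"
    return f"(&{base}{member})"


if __name__ == "__main__":
    # Constructed sample: an OU whose name contains a space, under the domain.
    base_dn = build_dn([("ou", "DOMAIN Users"), ("dc", "DOMAINNAME")])
    print("base DN:", base_dn)
    # Restrict the search to people in one constructed group.
    chat_group = build_dn([("cn", "Chat Users"), ("ou", "DOMAIN Users"), ("dc", "DOMAINNAME")])
    print("filter: ", build_user_filter([chat_group]))
```

The base DN and filter strings this produces are what would be pasted into the corresponding fields of an LDAP-backed application; the escaping functions are the part worth keeping, since they are what stops a value such as `*)(objectClass=*` from being interpreted as filter syntax.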