Hello
We’re using Openfire 4.2.3 (hosted on CentOS 7) with LDAP integration (hosted on Windows Server 2012 R2).
For testing we built the same AD infrastructure as shown by @speedy in this thread: How to Setup Authentication Groups with LDAP/AD
Basically that setup nearly does the job, but our Active Directory has a lot of nested user groups and these can’t be read/listed by Openfire.
Test scenario:
AD groups and users (nesting shown by indentation):
Openfire Access Group (domain local sec group)
  - Testgroup1 (global sec group)
      - test001 (name of user1 etc.)
      - test002
      - test003
      - Anothergroup1 (global sec group, nested in Testgroup1)
          - test007
          - test008
          - test009
  - Testgroup2 (global sec group)
      - test004
      - test005
      - test006
ldap.searchfilter = (&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Openfire Access Group,CN=Users,DC=mydomain,DC=local))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
(without the spaces inserted by the board)
ldap.groupSearchFilter = (&(objectClass=group)(cn=Testgroup*))
Shared rosters are activated for Testgroup1 and Testgroup2 (shown group only).
Now I expected that all users of Testgroup1 AND Anothergroup1, as a nested group of Testgroup1, would see each other in the shared roster. The user test001 only saw the other two users test002 and test003, but not the users of Anothergroup1 (test007-009).
(tested with a locally installed Pidgin and the BOSH web chat)
When viewing the group in the Openfire admin page, the problem still exists: at the end of the group page only the users test001-003 are listed, plus the distinguished name of the nested group instead of its members:
- cn=anothergroup1,cn=users,dc=mydomain,dc=local@mydomain.local *
- test001
- test002
- test003
The first row seems to show that Openfire thinks anothergroup1 is a user object, instead of listing the nested users in that group.
Does anybody have a fix or suggestions for this problem with nested ad groups?
Thanks a lot.
Grelli
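As an added illustration (not code from the post above and not Openfire's own group provider), the following Python walks a nested AD group tree the way the poster expected Openfire to: every member whose objectClass is group is recursed into rather than reported as a user, cycles between groups are tolerated, and only organizationalPerson entries end up in the result. It also builds the LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) filter used in the post's ldap.searchfilter, with RFC 4515 escaping of the DN value. The in-memory directory is a constructed model of the test scenario in the post (the function names and the directory layout are assumptions for this example); against a real domain controller the same walk would be done with an LDAP client, or in a single query with the in-chain filter.

```python
"""Transitive (nested) AD group expansion and in-chain filter construction.

Added example: not part of the original post and not Openfire code.
DIRECTORY below is a constructed, offline stand-in for the poster's AD.
"""
from typing import Dict, List, Set

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe embedding in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def in_chain_filter(attribute: str, dn: str) -> str:
    """Build '(attr:1.2.840.113556.1.4.1941:=DN)', the transitive-membership
    filter AD evaluates server-side (same form as in the post's searchfilter)."""
    return f"({attribute}:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(dn)})"


def _norm(dn: str) -> str:
    # AD DNs are case-insensitive; the admin page showed the nested DN lowercased.
    return dn.lower()


def expand_members(directory: Dict[str, dict], group_dn: str) -> Set[str]:
    """Return the DNs of all users reachable from group_dn through any depth
    of nested groups. Group entries are recursed into, never reported as
    members; a cycle (g1 -> g2 -> g1) terminates because of the seen set."""
    users: Set[str] = set()
    seen: Set[str] = set()
    stack: List[str] = [_norm(group_dn)]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        entry = directory.get(dn)
        if entry is None:
            continue  # dangling member reference, skip it
        for member in entry.get("member", []):
            m = _norm(member)
            mentry = directory.get(m)
            if mentry is None:
                continue
            if "group" in mentry["objectClass"]:
                stack.append(m)          # nested group: descend, do not list it
            elif "organizationalPerson" in mentry["objectClass"]:
                users.add(m)             # real user: part of the roster
    return users


# ---- constructed directory modelling the poster's test scenario -----------
BASE = "cn=users,dc=mydomain,dc=local"


def _user(cn: str):
    return (f"cn={cn},{BASE}",
            {"objectClass": ["top", "person", "organizationalPerson", "user"], "member": []})


def _group(cn: str, members: List[str]):
    return (f"cn={cn},{BASE}",
            {"objectClass": ["top", "group"], "member": [f"cn={m},{BASE}" for m in members]})


DIRECTORY: Dict[str, dict] = {_norm(dn): entry for dn, entry in [
    _group("Openfire Access Group", ["Testgroup1", "Testgroup2"]),
    _group("Testgroup1", ["test001", "test002", "test003", "Anothergroup1"]),
    _group("Anothergroup1", ["test007", "test008", "test009"]),
    _group("Testgroup2", ["test004", "test005", "test006"]),
    *[_user(f"test00{i}") for i in range(1, 10)],
]}


if __name__ == "__main__":
    print(in_chain_filter("memberOf", f"CN=Openfire Access Group,CN=Users,DC=mydomain,DC=local"))
    for dn in sorted(expand_members(DIRECTORY, f"cn=Testgroup1,{BASE}")):
        print(dn)
```

Running the module prints the in-chain filter from the post followed by the six user DNs (test001-003 and test007-009) that a fully nested expansion of Testgroup1 yields; the DN of Anothergroup1 itself never appears in the output, which is the behaviour the admin page in the post does not show.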