powered by Jive Software

Problem with nested groups Openfire <-> Active Directory

Hi all …

First, sorry for my bad english, i hope you can understand my post and can help me to fix a problem that we have on our openfire. I have search a lot of discussions on this forum, but haven’t find some solution for my problem.

Our specs:

  • W2k3 AD Domain “domain.com” with subdomain “sub.domain.com

  • Openfire 3.5.0 hosted on Opensuse 10.2, which is member of the domain

  • openfire.xml attached bottom on this Post

- Logon to Openfire over AD Accounts aren’t the problem, this will work great

Problem:

We have AD groups on our directory, for every organizational Unit, like the following one’s:

  • Unit1_dept

  • Unit2_dept

  • … etc.

This groups are nested groups, inside will be all subunits of the unit1 with the users of this unit (we have 9 main-units but approx. 10-15 subunits per unit).

We have decided, that we want make new groups for Openfire, that name will start with “Openfire …” Inside this groups we want nest unit groups. This will work, but when i nest 2 groups to the new “Openfire …” group, so users arent visible countercross in this group. we have setup, that roster will be shared to all users, but it aren’t visible. only when i put users directly in the “Openfire …” group they will be visible to another users that are in this group and in the nested groups.

Hope you understand this, and can give us a little trick or help to fix this… and thanks for your help …

Here the config of our openfire…

<database>

<defaultProvider>

<driver>com.mysql.jdbc.Driver</driver>

<serverURL>jdbc:mysql://chsts052:3306/openfire</serverURL>

<username>user</username>

<password>pass</password>

<testSQL>select 1</testSQL>

<testBeforeUse>true</testBeforeUse>

<testAfterUse>true</testAfterUse>

<minConnections>5</minConnections>

<maxConnections>15</maxConnections>

<connectionTimeout>1.0</connectionTimeout>

</defaultProvider>

</database>

<ldap>

<host>172.16.4.3</host>

<port>389</port>

<baseDN>dc=sub,dc=domain,dc=com</baseDN>

&lt;adminDN&gt;user@sub.domain.com&lt;/adminDN&gt; 

<adminPassword>password</adminPassword>

<connectionPoolEnabled>true</connectionPoolEnabled>

<sslEnabled>false</sslEnabled>

<ldapDebugEnabled>false</ldapDebugEnabled>

<autoFollowReferrals>false</autoFollowReferrals>

<usernameField>sAMAccountName</usernameField>

<searchFilter>(objectClass=user)</searchFilter>

<vcard-mapping><![CDATA[

<nameField>cn</nameField>

<emailField>mail</emailField>

<groupNameField>cn</groupNameField>

<groupMemberField>member</groupMemberField>

<groupDescriptionField>description</groupDescriptionField>

<posixMode>false</posixMode>

<groupSearchFilter>(cn=Openfire*)</groupSearchFilter>

<searchFields>cn</searchFields>

</ldap>

Nested groups in LDAP are not yet supported by Openfire. This is not planned until version 3.6 (at the earliest I believe). If you are going to create new groups you will need to add the individuals to them not other groups.

is this technically an openfire issue? if you used a ldap browser or windows users and computers, the users don’t actually show as members of the group they are nested in. So windows just inherits the permissions but they aren’t technically members of that group.

Probably not an openfire issue. Windows is notorious for allowing you to do things you should not do. Non-standard characters in names, spaces in web addresses, etc. Truly a dumb operating system. Just because you can do something doen’t mean you should.

Let me add my voice to those requesting LDAP nested group support. This is almost a make or break feature for us, as we have many users arranged in nested groups, and allowing them to share roster information is critical.

Thanks for an excellent product!

Is this Issue finally resolved? Its the only thing we kind of need to use the product in out company.

Thanks!