Problem with users from Active Directory

I spent a few hours on this problem and it could be useful for someone.

I'm using users and groups from AD. I created a special account for connecting to AD; this account was in the group Domain Users. I expected that this group has the rights to view all records in AD normally (and I can do that with this account). I have a search filter for users and groups which accepts only records that are members of one special group.

When I tried to log in with my admin account I failed. When I used a different account I could log in, but I saw only a few users.

After a long investigation I uncovered that my account which connects to AD hasn't enough rights. I used the ldp tool from MS and found that without the filter I receive all records correctly, but when I use a filter on the member field it works only for a few records.

I would question the filter you used (not implying anything about your abilities). My config can see all users and groups perfectly fine with my AD LDAP. If a user can see some accounts but not others, that implies a filter issue, because you only need to be a domain user to look up LDAP entries.

This is more of an AD thing than an Openfire thing. I always recommend using Softerra LDAP Browser: http://www.ldapadministrator.com/

Get the free version. You can practice with the same settings and search filters and see how it works within AD, and then apply that to your Openfire install.

Of course, I don't think that the problem is in Openfire.

My users filter is:

(&(objectClass=organizationalPerson)(memberOf=CN=Jabber IM,OU=Special,DC=company,DC=local))

When I don't use the memberOf part, it returns all users. So some problem must be in the rights for memberOf. I tested it with the ldp tool and the result was the same.

My solution was that I added my account (for connecting to AD) to the group Pre-Windows 2000 Compatible Access. Maybe it's not a good solution, but everything works fine now.
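The comparison described in the post above, as an added diagnostic script that is not part of the original thread or of Openfire. It binds as the Openfire service account (so the searches run with that account's rights, not with the rights of whoever launches the script), runs the user filter with and without the memberOf clause, then reads the group's member attribute from the group side and reports, for every listed member that the memberOf filter does not return, whether the bind account can enumerate the object and whether it can read memberOf on it at all. The DC name dc01.company.local and the bind account COMPANY\svc-openfire are assumptions; the base DN and group DN are taken from the filter in the post.

```powershell
# Added diagnostic for the memberOf filter problem in this thread; not from
# Openfire or from the original posts. Assumptions: the DC name and the bind
# account below. Run from a domain-joined Windows machine.
param(
    [string]$Server   = "dc01.company.local",                            # assumed DC
    [string]$BaseDN   = "DC=company,DC=local",
    [string]$GroupDN  = "CN=Jabber IM,OU=Special,DC=company,DC=local",
    [string]$BindUser = "COMPANY\svc-openfire"                           # assumed bind account
)

Add-Type -AssemblyName System.DirectoryServices

# Credentials of the account Openfire binds with, so the searches below run
# with ITS permissions rather than those of the logged-on administrator.
$cred = Get-Credential -UserName $BindUser -Message "Password of the Openfire bind account"
$pass = $cred.GetNetworkCredential().Password
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure

function Search-AsBindAccount {
    param([string]$Filter, [string]$Base = $BaseDN, [string]$Scope = "Subtree")
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server/$Base", $cred.UserName, $pass, $auth)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.SearchScope = $Scope
    $searcher.PageSize = 1000      # paged results, avoids the 1000-entry server limit
    [void]$searcher.PropertiesToLoad.AddRange(
        @("distinguishedName", "sAMAccountName", "memberOf", "member"))
    $searcher.FindAll()
}

# 1. The two searches from the thread: with and without the memberOf clause.
$all      = Search-AsBindAccount -Filter "(objectClass=organizationalPerson)"
$filtered = Search-AsBindAccount -Filter "(&(objectClass=organizationalPerson)(memberOf=$GroupDN))"

# 2. The forward link: what the bind account can read from the group object itself.
#    (Groups with more than 1500 members return 'member' in ranges; this reads
#    only the first range, which is enough for a diagnostic.)
$group   = Search-AsBindAccount -Filter "(objectClass=group)" -Base $GroupDN -Scope "Base"
$members = @()
if ($group.Count -eq 1) {
    $members = @($group[0].Properties["member"]) | ForEach-Object { "$_".ToLower() }
}

$filteredDNs = @($filtered | ForEach-Object { "$($_.Properties['distinguishedname'][0])".ToLower() })

Write-Host "Users visible without the memberOf clause : $($all.Count)"
Write-Host "Users visible with the memberOf clause    : $($filtered.Count)"
Write-Host "Entries in the group's member attribute   : $($members.Count)"

# 3. Members listed on the group that the memberOf filter does NOT return,
#    classified by what the bind account can read on each user object.
foreach ($dn in $members) {
    if ($filteredDNs -contains $dn) { continue }
    $user = $all | Where-Object { "$($_.Properties['distinguishedname'][0])".ToLower() -eq $dn }
    if (-not $user) {
        Write-Host "NOT LISTABLE        : $dn  (bind account cannot enumerate the object)"
    } elseif (-not $user.Properties["memberof"] -or $user.Properties["memberof"].Count -eq 0) {
        Write-Host "memberOf UNREADABLE : $dn  (object visible, memberOf empty for this account)"
    } else {
        Write-Host "memberOf MISMATCH   : $dn  (memberOf readable but lacks the group DN)"
    }
}
```

Run it once with the service account and once with a Domain Admin account; if the same users show up as "memberOf UNREADABLE" only under the service account, the missing entries are an ACL problem on those user objects rather than a filter syntax problem, which is the distinction the thread is arguing about. After changing group membership of the bind account (as the post above did), re-run the script to confirm the filtered count now matches the group's member count.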

I tried the LDAP browser, but I think that the MS tool ldp from the Support Tools is better.