Problems with groups and ldap

Luca_Ferrari · March 4, 2008, 9:11am

Hi,

I’ve got my ldap server and openfire that connects to it, but I’m experiencing some problems with groups. First of all, there are groups that are not listed in my ldap tree. For instance, while in my phpldapadmin, group tree I can see the group “fake”, I cannot see it into the group summary of Openfire. Moreover, it seems as most groups are not visible in openfire, and in fact I’ve got a few groups for system accounts (e.g., cups,…) that are not listed in the tree I can see through phpldapadmin.

What I’d like to obtain is that, having a few users belonging to a unix group, that openfire keeps such users in the same group. Is this possible? Anyone else experiencing similar problems?

NO_MESSAGES_OR_FRIEN · March 4, 2008, 1:31pm

What LDAP server are you using? Your groups will only be pulled from within your BaseDN. Are all the groups you are looking for with in that BaseDN?

Luca_Ferrari · March 4, 2008, 1:36pm

I’m using openldap on an Ubuntu server, can you please provide me a way to check that the groups I’ve got in the ldap server are valid for the openfire server?

NO_MESSAGES_OR_FRIEN · March 4, 2008, 1:42pm

Any group should be valid as long as it is contained within your BaseDN. The BaseDN is the LDAP structure you specified when configuring Openfire that contains all your users and groups.

Luca_Ferrari · March 21, 2008, 11:14am

I’ve checked and the base for the ldap is correct, the groups are all on the basedn but there are not other groups listed in the openfire group list as exec, login, ssh, and so on. Moreover I found a list of group, one per each user, that are not listed under ou=Group on the ldap server, they seems to me rather the ou=People again…

Moreover, in the ou=People I’ve got a gidNumber for each user that represents the group she belongs to, however every group in the openfire server are empty.

What I must to do to make the binding between users and (right) groups?

Thanks,

Luca

NO_MESSAGES_OR_FRIEN · March 21, 2008, 12:21pm

Groups should be automatically populated with people if your LDAP configuration is correct oin Openfire and openldap. Could you post your openfire.xml for us to examine for errors.

Luca_Ferrari · March 25, 2008, 8:04am

Attached there’s my configuration file. As I stated before, in my ldap configuration I can see the group of each user, while in the openfire configuration I see all the groups, plus all the users and no match between the users and the group.

Thanks,

Luca

NO_MESSAGES_OR_FRIEN · March 25, 2008, 12:45pm

Right but there is this line in the openfire.xml

Luca_Ferrari · March 25, 2008, 1:25pm

The use of gidNumber is because I noted that in phpldapadmin my users have the group id in the gidNumber property. However, using the uidNumber does not make any change, while using gidNumber in the groupNumberField and in groupMemberField reduced the number of groups to the right one (I mean only those I’ve defined), but the users are still no belonging to any of such groups.

Luca_Ferrari · April 1, 2008, 7:41am

I found that the migration tools used to import the /etc/passwd, /etc/group etc files to LDAP did not configure the memberUID for each group, thus the OpenFire was seeing all groups as empty. Forcing each member to belong to the group thru the memberUid makes the openfire server to see the users belonging to that group.

Thanks,

Luca