I spent the last few days struggling with LDAP in AD and openfire.xml properties file. I have OpenFire 3.6.3 running in Linux and MySQL and authenticating via LDAP to MS AD.
I properly configured LDAP in the admin interface and it tested successfully for Admins and Users. I subsequently went back in to adjust the user filter to reduce the user count down from 1,000. All of the fields displayed the default values, except that I did not notice that the Base DN did not display the correct value, showing ‘dc=’ instead of the value I set earlier, ‘dc=domain, dc=local’.
The user filter was on screen 2 of the ldap configuration, so I clicked through “Save and Continue”, saving the bogus Base DN value ‘dc=’.
Naturally, I was unable to authenticate, and unable to get back into the Administrative interface. I went to edit openfire.xml, only to find there were no LDAP settings in that file. I scanned community forums and was not able to find any reference to a properties location other than openfire.xml.
I uninstalled openfire and removed the MySQL database, then reinstalled again. After reconfiguring and testing LDAP again, I went back in to edit the user filter again, but noticed the missing default value for Base DN and re-entered it. I was able to get a user filter query that reduced the user count to below 1,000, but because the OpenFire admins I set up were not in the AD group I was filtering for, I was locked out of the Admin console again.
I subsequently found the LDAP properties in the MySQL database and was able to resolve the issue by manually editing the admin.authorizedJIDs value.
Many of the OpenFire Server properties are stored in the MySQL database, in the ofProperty table, including all of the LDAP settings, not in openfire.xml.
Why does the default value for Base DN reset to a bogus value in the Administrative interface?
I noticed that openfire.xml time stamp was updated whenever I edited values that are stored in the MySQL database and not in openfire.xml. Which values are stored in which location?
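The manual repair described above, written out as an added example that is not part of the original post. It assumes the schema the post refers to (table ofProperty with columns name and propValue, which is what Openfire's MySQL schema uses) and the standard Openfire property names ldap.baseDN and admin.authorizedJIDs; the domain, the admin usernames and the broken value ‘dc=’ are taken from the post, and the XMPP domain example.com is an assumption. Run it against the Openfire database with Openfire stopped, then start Openfire again, because the server caches properties in memory and will not pick up a row edited behind its back until it restarts.

```sql
-- Added example: repair a bad LDAP Base DN and an admin lockout
-- directly in Openfire's property table (MySQL). Not from the original post.

-- 1. Inspect every LDAP-related property and the admin list before touching
--    anything, so the current (possibly bogus) values are on record.
SELECT name, propValue
  FROM ofProperty
 WHERE name LIKE 'ldap.%'
    OR name = 'admin.authorizedJIDs'
 ORDER BY name;

-- 2. Fix the Base DN that the admin console saved as 'dc=' (from the post).
--    The WHERE clause on propValue keeps this from clobbering a good value
--    if the row has already been corrected.
UPDATE ofProperty
   SET propValue = 'dc=domain,dc=local'
 WHERE name = 'ldap.baseDN'
   AND propValue = 'dc=';

-- 3. Restore console access. admin.authorizedJIDs is a comma-separated list
--    of full JIDs; the usernames must exist in LDAP (and pass the user
--    filter) or the console will still reject the login. The JIDs here are
--    assumed placeholders; substitute the real admin accounts and XMPP domain.
UPDATE ofProperty
   SET propValue = 'alice@example.com,bob@example.com'
 WHERE name = 'admin.authorizedJIDs';

-- 4. Verify the repair; both rows should now show the intended values.
SELECT name, propValue
  FROM ofProperty
 WHERE name IN ('ldap.baseDN', 'admin.authorizedJIDs');
```

If the lockout came from a user filter (the second lockout in the post) rather than a bad Base DN, the same pattern applies to ldap.searchFilter: either widen the filter so that the admin accounts match it, or add the admins to the AD group the filter selects. Editing the property is only half the fix; the account named in admin.authorizedJIDs still has to be visible through whatever filter is active.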