powered by Jive Software

Restrict by Active Directory Group


#1

Is there a howto on restricting logins on the server to a certain AD group?


#2

#3

So I created a domain local security group named users_of
I created 2 other roster groups and put them as members of users_of
I added my account to one of the roster groups

Group search filter is (&(objectClass=group)(cn=_of*))

ldap search filter is (&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556. 1.4.1941:=CN=users_of,CN=Users,DC=AD-DOMAIN,DC=local))(!(userAccountControl:1.2.840.113556.1.4. 803:=2)))

I restart but my account cannot login.


#4

Did your read through the whole thing? It looks like you may have missed a few steps or explanations. Did you make changes based on your environment?


#5

Yes. I modified both group filter and search filter. I still lock myself out.


#6

so.you created users_of and put it in the users container of your domain, and your domain is dc=ad-domain,dc=local?


#7

No. Modified it dc=ad,dc=domain,dc=edu

Our AD is ad.domain.edu for example


#8

make sure your member groups start with _of*?
also check to make sure your openfire admin account is a member of one of your access groups.


#9

Its odd. So I went back to your default example
I have a domain Local Security group called = Openfire Access Group
I have 2 global security groups Group1_im and Group2_im which are members of Openfire Access Group
My account is a member of Group1

Base DN is DC=ad,DC=domain,DC=edu

group search filter is (&(objectClass=group)(cn=*_im))

I set this. Restart the service. I look into groups and see Group1_im and Group2_im

I set the user search filter to (&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556. 1.4.1941:=CN=Openfire Access Group,CN=Users,DC=ad,DC=domain,DC=edu))((userAccountControl:1.2.840.113556.1.4. 803:=2)))

I restart the service. Bam I am locked out.

Openfire Access group is in the Users OU


#10

users ou or a user container?
also, look for added spaces caused by cut and paste…


#11

I had this issue when I was testing this.

Basically, the issue is you have a space hidden somewhere in the user search statement. This causes it to become an invalid statement so Openfire will not pick up users.

I would recommend copying the statement into notepad and doing a search and replace for any spaces or just manually search it.

The search and replace should work. I was annoyed and stupid at the time of fixing my issue and never thought of doing a search and replace and just did it manually.

Once you remove all the spaces and confirm it works, I would recommend saving the statement to a file (so you don’t have to deal with this again).

When I put the statement in Openfire I noticed a red squiggly below the statement (the same one you get when you spell something wrong in Word). If you see this and it is broken up, you probably have a space somewhere.