Is there a howto on restricting logins on the server to a certain AD group?
So I created a domain local security group named users_of
I created 2 other roster groups and put them as members of users_of
I added my account to one of the roster groups
Group search filter is (&(objectClass=group)(cn=_of*))
ldap search filter is (&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556. 1.4.1941:=CN=users_of,CN=Users,DC=AD-DOMAIN,DC=local))(!(userAccountControl:1.2.840.113556.1.4. 803:=2)))
I restart but my account cannot login.
Did you read through the whole thing? It looks like you may have missed a few steps or explanations. Did you make changes based on your environment?
Yes. I modified both group filter and search filter. I still lock myself out.
So, you created users_of and put it in the Users container of your domain, and your domain is dc=ad-domain,dc=local?
No. Modified it dc=ad,dc=domain,dc=edu
Our AD is ad.domain.edu for example
make sure your member groups start with _of*?
also check to make sure your openfire admin account is a member of one of your access groups.
It's odd. So I went back to your default example.
I have a domain local security group called Openfire Access Group
I have 2 global security groups Group1_im and Group2_im which are members of Openfire Access Group
My account is a member of Group1
Base DN is DC=ad,DC=domain,DC=edu
group search filter is (&(objectClass=group)(cn=*_im))
I set this. Restart the service. I look into groups and see Group1_im and Group2_im
I set the user search filter to (&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556. 1.4.1941:=CN=Openfire Access Group,CN=Users,DC=ad,DC=domain,DC=edu))((userAccountControl:1.2.840.113556.1.4. 803:=2)))
I restart the service. Bam, I am locked out.
Openfire Access group is in the Users OU
Users OU or a user container?
also, look for added spaces caused by cut and paste…
I had this issue when I was testing this.
Basically, the issue is you have a space hidden somewhere in the user search statement. This causes it to become an invalid statement so Openfire will not pick up users.
I would recommend copying the statement into notepad and doing a search and replace for any spaces or just manually search it.
The search and replace should work. I was annoyed and stupid at the time of fixing my issue and never thought of doing a search and replace and just did it manually.
Once you remove all the spaces and confirm it works, I would recommend saving the statement to a file (so you don’t have to deal with this again).
When I put the statement in Openfire I noticed a red squiggly below the statement (the same one you get when you spell something wrong in Word). If you see this and it is broken up, you probably have a space somewhere.
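As an added illustration (not code from anyone in this thread), here is a small Python checker for exactly the two things the replies point at: whitespace pasted into a matching-rule OID and a dropped operator that leaves a bare `((` in the user search filter. The sample inputs are the filter posted above and a corrected version of it; the finding messages are my own wording.

```python
import re

# Matching rules that appear in the filters quoted in this thread.
KNOWN_RULES = {
    "1.2.840.113556.1.4.1941": "LDAP_MATCHING_RULE_IN_CHAIN (nested memberOf)",
    "1.2.840.113556.1.4.803": "LDAP_MATCHING_RULE_BIT_AND (userAccountControl bits)",
}
# "(attr:rule-oid:=" where the OID part may contain pasted-in whitespace.
EXT_MATCH = re.compile(r"\(([A-Za-z][\w-]*):([\d.\s]+):=")
WS = re.compile(r"\s+")

# The filter posted in the thread (locks the poster out) and a cleaned version.
BROKEN_FILTER = (
    "(&(objectclass=organizationalPerson)"
    "(|(memberOf:1.2.840.113556. 1.4.1941:=CN=Openfire Access Group,CN=Users,DC=ad,DC=domain,DC=edu))"
    "((userAccountControl:1.2.840.113556.1.4. 803:=2)))"
)
WORKING_FILTER = (
    "(&(objectclass=organizationalPerson)"
    "(|(memberOf:1.2.840.113556.1.4.1941:=CN=Openfire Access Group,CN=Users,DC=ad,DC=domain,DC=edu))"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)


def lint_ldap_filter(flt: str) -> list[str]:
    """Return findings for the mistakes that make AD reject an Openfire user filter."""
    findings, depth = [], 0
    for i, ch in enumerate(flt):          # parenthesis balance check
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            findings.append(f"unbalanced ')' at offset {i}")
            depth = 0
    if depth:
        findings.append(f"{depth} unclosed '('")
    for m in EXT_MATCH.finditer(flt):     # extensible-match rule checks
        attr, oid = m.group(1), WS.sub("", m.group(2))
        if WS.search(m.group(2)):
            findings.append(f"whitespace inside matching-rule OID on {attr} at offset {m.start(2)}")
        if oid not in KNOWN_RULES:
            findings.append(f"unknown matching rule {oid!r} on {attr}")
    if "((" in flt:  # an operator was dropped, e.g. "(!(" became "(("
        findings.append("'((' without an operator (missing '!', '&' or '|')")
    return findings


def strip_oid_spaces(flt: str) -> str:
    """Remove whitespace inside matching-rule OIDs only; DN values keep their spaces."""
    return EXT_MATCH.sub(lambda m: f"({m.group(1)}:{WS.sub('', m.group(2))}:=", flt)
```

Running `lint_ldap_filter(BROKEN_FILTER)` reports the two stray spaces and the `((`; `strip_oid_spaces` fixes the spaces but leaves the missing `!` for you to restore by hand.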