Restrict LDAP Users

I have been through about 10 posts here now on how to restrict logins based on security groups in AD, and here is what I have.

This is in openfire.conf

(memberOf:CN=AllStaff,OU=Office,OU=Other Sites,OU=KCS,DC=something,DC=K,DC=2,DC=3)

(I removed the actual address.) I can log in as anyone outside of this group. Does this group have to be a local security group, or can it be a global security group? The group listed above has a list of groups in it; is that an issue?

So far I have not been able to restrict others from using Openfire, so I haven't deployed it anywhere else except for my location.

This should point you in the right direction.

Basically, create a security group that allows access, and then point your search filter to that group. Then add members to the group to grant access.

https://community.igniterealtime.org/docs/DOC-2744

I have seen that thread, speedy, and I have done that.

Basically, I have a domain local security group and add the other sites' users (i.e. groups: xxxAdmin) to the Openfire group, but it still allows all domain users to log in to Openfire.

The only difference is that my other group is a universal group and not a global security group.

What does your search filter look like?

(&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Open Fire,OU=TTS,OU=Other Sites,OU=KCS,DC=gville,DC=us))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

I had to remove a few of the DC=s. I did a query in AD Users & Computers and it resolved the groups within that group...
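The following is an added example from the editor, not code from the thread or from Openfire. It models what the two Active Directory matching rules in the filter posted above actually do, which is also the substance of speedy's "point your search filter to the group" advice: `1.2.840.113556.1.4.1941` (LDAP_MATCHING_RULE_IN_CHAIN) evaluates `memberOf` transitively through nested groups, so a group-of-groups like the one described in the first post is fine with this rule, whereas a plain `memberOf=` clause matches direct members only (and the first post's `memberOf:CN=...` form, with no `=`, is not valid filter syntax at all); `1.2.840.113556.1.4.803` (LDAP_MATCHING_RULE_BIT_AND) is true when every bit of the value is set in the attribute, and bit 2 of `userAccountControl` is ACCOUNTDISABLE, so the `(!...)` clause drops disabled accounts. All DNs, user names and the `DC=example,DC=test` domain are invented for the example; the directory is constructed inline so it runs offline.

```python
"""Added example (editor's, not from the thread): how the two Active
Directory matching rules in the posted Openfire search filter behave,
worked over a small constructed directory.

With the domain components replaced by an invented DC=example,DC=test,
the posted filter reads:

  (&(objectclass=organizationalPerson)
    (memberOf:1.2.840.113556.1.4.1941:=CN=Open Fire,OU=TTS,OU=Other Sites,OU=KCS,DC=example,DC=test)
    (!(userAccountControl:1.2.840.113556.1.4.803:=2)))

1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (transitive membership).
1.2.840.113556.1.4.803  = LDAP_MATCHING_RULE_BIT_AND (all bits of the value set).
userAccountControl bit 2 = ACCOUNTDISABLE.
"""

ACCOUNTDISABLE = 0x2

# Constructed directory; every DN and account below is invented.
OPENFIRE_GROUP = "CN=Open Fire,OU=TTS,OU=Other Sites,OU=KCS,DC=example,DC=test"
SITE_ADMINS = "CN=xxxAdmin,OU=Other Sites,OU=KCS,DC=example,DC=test"
ALICE = "CN=alice,OU=Users,DC=example,DC=test"
BOB = "CN=bob,OU=Users,DC=example,DC=test"
CAROL = "CN=carol,OU=Users,DC=example,DC=test"
DAVE = "CN=dave,OU=Users,DC=example,DC=test"

# group DN -> member DNs. xxxAdmin is itself a member of Open Fire (nesting).
GROUPS = {
    OPENFIRE_GROUP: [ALICE, SITE_ADMINS],
    SITE_ADMINS: [BOB, CAROL],
}

USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# entry DN -> the attributes the filter inspects
DIRECTORY = {
    ALICE: {"objectClass": USER_CLASSES, "userAccountControl": 512},  # enabled, direct member
    BOB:   {"objectClass": USER_CLASSES, "userAccountControl": 512},  # enabled, member only via xxxAdmin
    CAROL: {"objectClass": USER_CLASSES, "userAccountControl": 514},  # 512 | ACCOUNTDISABLE, via xxxAdmin
    DAVE:  {"objectClass": USER_CLASSES, "userAccountControl": 512},  # enabled, in no group
    SITE_ADMINS: {"objectClass": ["top", "group"]},                    # a group, not a person
}


def member_of_in_chain(dn, group_dn, groups, _seen=None):
    """memberOf:1.2.840.113556.1.4.1941:=group_dn -- membership through nested groups."""
    seen = set() if _seen is None else _seen
    if group_dn in seen:  # guard against circular nesting
        return False
    seen.add(group_dn)
    for member in groups.get(group_dn, []):
        if member.lower() == dn.lower():
            return True
        if member in groups and member_of_in_chain(dn, member, groups, seen):
            return True
    return False


def member_of_direct(dn, group_dn, groups):
    """Plain memberOf=group_dn -- direct members only, nested groups ignored."""
    return any(m.lower() == dn.lower() for m in groups.get(group_dn, []))


def bit_and(value, mask):
    """attr:1.2.840.113556.1.4.803:=mask -- true when every bit of mask is set in value."""
    return value is not None and (value & mask) == mask


def matches_filter(dn, entry, groups, group_dn=OPENFIRE_GROUP):
    """Evaluate the posted filter against one directory entry."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "organizationalperson" not in classes:
        return False
    if not member_of_in_chain(dn, group_dn, groups):
        return False
    uac = entry.get("userAccountControl")
    if uac is None:
        return False  # (!(undefined)) is undefined in LDAP, so the entry does not match
    return not bit_and(uac, ACCOUNTDISABLE)


def allowed_users(directory=DIRECTORY, groups=GROUPS, group_dn=OPENFIRE_GROUP):
    """DNs a user search under this filter would return, sorted."""
    return sorted(dn for dn, e in directory.items() if matches_filter(dn, e, groups, group_dn))


if __name__ == "__main__":
    for dn in allowed_users():
        print("allowed:", dn)
    print("bob direct member of Open Fire?", member_of_direct(BOB, OPENFIRE_GROUP, GROUPS))
    print("bob in chain of Open Fire?    ", member_of_in_chain(BOB, OPENFIRE_GROUP, GROUPS))
```

Run stand-alone, it lists alice and bob: bob is allowed even though he is only a member of the nested xxxAdmin group, which a plain `memberOf=` would have missed; carol is dropped because bit 2 of her `userAccountControl` is set; dave is in no group; and the xxxAdmin group entry itself fails the `organizationalPerson` clause. The example shows only what the filter itself selects. Whether Openfire is actually applying the filter is a separate question, and the quickest way to tell is the one speedy raises later in the thread: if the admin console's user list still shows every domain user, the filter is not in effect for that search.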

Is it working correctly now?

No, it allows all domain users to login.

I also tried adding it to the openfire.xml from some examples I have found here, and no go.

Hmm... in the user list on the Openfire admin page, are all your domain users listed, or just the group members?