Search Filters not working to limit users to an AD group

Installed 4.0.2, integrated with AD, but groupSearchFilter and searchFilter are not working, as I’m seeing all groups and all users

baseDN is root of AD

have group in “Users” container called “MessagingUsers” with 86 members

in console, I see ALL groups and ALL users from my entire AD - approximately 900 items.

Here is the text from my openfire.xml file pertaining to searching AD:

baseDN is “DC=xxxxxxxxxxxx,DC=xxxxx” (redacted)

Everything else seems to be working fine. What am I missing?

To clarify, I’m trying to limit users to an AD group called “MessagingUser”, but my settings are not limiting anything. All users and all groups are showing in the Users/Groups window, and test users that are not in the MessagingUser group are still able to log in. I need to ensure that only members of that group can log in.

I could really use some help here!

Thanks

Your filter doesn’t look quite right. Perhaps this document will help point you in the right direction.

How to Setup Authentication Groups with LDAP/AD

OK, I’ve re-posted your article here for the purpose of asking some additional questions within this same original thread.


YOUR TEXT FROM THE LINK ABOVE:

In this example I’ll be using the following:

AD domain = AD-DOMAIN.local

access group = Openfire Access Group

roster groups = _IM Group1, _IM Group2

(*note - I’ll be using _IM as part of a wildcard search, so all my groups start with _IM for that reason)

First create your security groups:

  1. Create a Domain Local Security Group. In our example call it Openfire Access Group. In this example, I’ve placed the group in the user container.

DOES THE GROUP “HAVE” TO BE DOMAIN LOCAL? OR IS THAT JUST SO THAT YOU CAN ADD THE OTHER GROUPS? IN OTHER WORDS, IF I ONLY HAVE ONE GROUP, CAN IT BE GLOBAL AND STILL WORK PROPERLY?

  2. Create regular security groups (usually Global). In this example: _IM Group1 and _IM Group2.

  3. Make _IM Group1 and _IM Group2 members of the Openfire Access Group.

  4. Add your users to the _IM groups.

NOTE: be sure to include your openfire admin account in a group, or you will not be able to log into the admin page.

  5. Next, set your system properties in openfire:

ldap.baseDN

DC=AD-DOMAIN,DC=local

ldap.groupSearchFilter

(objectClass=group)(cn=_IM*)

*This will only list groups that start with _IM

ldap.searchFilter

(&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Openfire Access Group,CN=Users,DC=AD-DOMAIN,DC=local))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

WHERE DO THE NUMBERS COME FROM? ARE THEY THE SAME FOR EVERY ACTIVE DIRECTORY? OR DO I NEED TO LOCATE SOME FOR MY ACTIVE DIRECTORY? ARE THEY NECESSARY FOR THIS TO WORK?

  • watch out for cut and paste issues. Sometimes an extra space will be added in the string that will need to be removed. There should be no spaces in memberOf or userAccountControl.

*This string will only allow and display users that are members of the Openfire Access Group (including members of nested groups) that we created earlier. Disabled user accounts are excluded.

Restart Openfire.

At this point, only the _IM groups will be listed, as will only the users of the groups.

  6. Enable Contact List Sharing for shared rosters. (optional)

WHERE DO I APPLY ALL OF THIS? WITHIN THE OPENFIRE.XML FILE? OR FROM WITHIN THE CONSOLE UNDER SERVER PROFILE SETTINGS?

Thank you VERY much for your reply!

I’ll try to answer your questions…

  1. The group doesn’t have to be a domain local group, unless you plan on using nested groups.

  2. The memberOf:1.2.840.113556.1.4.1941:= is the MS AD attribute for group membership and is used to help with nested groups. !(userAccountControl:1.2.840.113556.1.4.803:=2) is used to exclude disabled users from the search.

  3. To enable shared rosters, this is done from within the openfire admin interface under users/groups.
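An added example, not from this thread or from Openfire itself, that models what the two AD matching rules speedy names do: the in-chain rule (1.2.840.113556.1.4.1941) walks nested group membership, and the bit-and rule (1.2.840.113556.1.4.803) tests the ACCOUNTDISABLE bit of userAccountControl. It runs the article's searchFilter logic over a constructed directory of made-up DNs and accounts, and also cleans a pasted filter of the stray spaces inside OIDs that the article warns about.

```python
import re
# Constructed sample directory (not real AD data): DN -> attributes
BASE = "CN=Users,DC=AD-DOMAIN,DC=local"
ACCESS_GROUP = f"CN=Openfire Access Group,{BASE}"
IM_GROUP1 = f"CN=_IM Group1,{BASE}"
DIRECTORY = {
    IM_GROUP1: {"objectclass": "group", "memberOf": [ACCESS_GROUP]},
    # 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE
    f"CN=alice,{BASE}": {"objectclass": "organizationalPerson", "memberOf": [IM_GROUP1], "userAccountControl": 512},
    f"CN=bob,{BASE}": {"objectclass": "organizationalPerson", "memberOf": [IM_GROUP1], "userAccountControl": 514},
    f"CN=carol,{BASE}": {"objectclass": "organizationalPerson", "memberOf": [f"CN=Other Group,{BASE}"], "userAccountControl": 512},
    f"CN=dave,{BASE}": {"objectclass": "organizationalPerson", "memberOf": [ACCESS_GROUP], "userAccountControl": 512},
}
ACCOUNTDISABLE = 2  # the bit named by userAccountControl:1.2.840.113556.1.4.803:=2

def in_chain(dn, group_dn, directory, seen=None):
    """Model of LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941): direct or nested member."""
    seen = set() if seen is None else seen
    for parent in directory.get(dn, {}).get("memberOf", []):
        if parent == group_dn:
            return True
        if parent not in seen:
            seen.add(parent)  # guards against circular group nesting
            if in_chain(parent, group_dn, directory, seen):
                return True
    return False

def bit_and(value, mask):
    """Model of LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803)."""
    return value & mask == mask

def allowed_users(directory, group_dn):
    """Who the article's searchFilter admits: persons in the access group (nested too) that are not disabled."""
    return sorted(dn for dn, e in directory.items()
                  if e["objectclass"] == "organizationalPerson"
                  and in_chain(dn, group_dn, directory)
                  and not bit_and(e["userAccountControl"], ACCOUNTDISABLE))

def clean_filter(pasted):
    """Undo cut-and-paste damage: drop whitespace inside OID tokens, reject unbalanced parentheses."""
    cleaned = re.sub(r"(?<=[\d.])\s+(?=[\d.])", "", pasted)
    depth = 0
    for ch in cleaned:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        raise ValueError("unbalanced parentheses in filter")
    return cleaned
```

Note that Openfire wraps the configured value in its own outer filter, so the fragment is validated here on its own, not as the final query the server sends.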

speedy,

Thanks! I figured out that the number codes were pre-defined search parameters for groups in active directory. (Learned something new today!)

I wasn’t clear on the last question, though. Do I apply all of the searchFilter stuff in the .xml file, or in the console?

Thanks again!

From the console.

OK,

I changed the ldap.searchfilter to what you suggested, using my own ldap settings of course, and changed my ldap groupsearchfilter to what you suggested as well, again with my own group. Now I can’t log into the console even though the user is in that group. It gives me “invalid username or password”.

What next?

There is a mistake within your search filter. You’ll need to edit the configuration database directly or run through the setup wizard again. To kick off the setup wizard again, in the openfire.xml change the tag setup from true to false and restart openfire.

OK. It wouldn’t be the first time I fat-fingered something.

I’m using the embedded database. Where do I access it for direct edit? What utility do I use?

I’m not really sure how to edit the embedded db. I only use an external db like mysql or ms sql. I think you can edit the openfire.script file (with something like notepad++) located in the embedded-db folder.

OK,

After much trial and error, I loaded my original 3.7.1 files back onto the server, then re-installed 3.7.1 back over the top of it. Then I created an XML file with the following contents (redacted for security), and replaced the original OPENFIRE.XML file, forcing a “re-configure” and pre-loading the basic LDAP data.

Contents of XML File between lines below:

(replace the bold entries with your own data)

____________________________________________________________________

<?xml version="1.0" encoding="UTF-8"?>

9090

9091

user1, user2, user3

CN=NAME_OF_DOMAIN_CONTROLLER

cn

mail

DC=NAME_OF_DOMAIN,DC=NAME_OF_EXTENSION

CN=AD_ADMIN,CN=USERS,DC=NAME_OF_DOMAIN,DC=NAME_OF_EXTENSION

ACTUAL_AD_ADMIN_PASSWORD

org.jivesoftware.openfire.ldap.LdapGroupProvider

en

org.jivesoftware.database.EmbeddedConnectionProvider

FALSE

____________________________________________________________

Examples:

NAME_OF_DOMAIN_CONTROLLER might be something like DC01

NAME_OF_DOMAIN might be something like abcservices

NAME_OF_EXTENSION might be something like com or net or local

NAME_OF_GROUP is the name of the group for allowing access, such as chatusers, etc.

After replacing “openfire.xml” with this file, restart your server. Start an “elevated” Command Prompt window, and navigate to the “bin” folder under the openfire install directory (default is under Program Files, but could be different). In the “bin” folder, execute the following command:

openfire-service.exe /install

This will ensure that openfire is installed as a Windows service (preferred method of operation).

Start the Openfire application (Run as Administrator), then launch the admin console and log in using the AD Admin credentials used in the script above.

You will be allowed to run through the setup again to “fine-tune” your settings.

If you get to the “vCard” profile settings window, and all fields are empty, enter {cn} for Name, and {mail} for Email (WITH the braces), and after you complete the setup, and restart the openfire service, all should be good.

I will now upgrade to the latest version when convenient.

Thank you speedy, for your assistance! I am marking your original post as the “best answer” because it headed me down the correct path.

I hope my answer helps others as well.

Byron