Security with AD groups is not working

Hi all,

I’ve installed Openfire with the following configuration:

DB: Microsoft SQL.

OS: Windows Server 2012

I ran Openfire’s setup against Active Directory with the following configuration.

  • DN Base: DC:mydomain, DC:Local.

  • ldap.groupsearch: default

  • ldap.searchfilter: default

Afterwards I followed this documentation: https://community.igniterealtime.org/docs/DOC-2902

I created the groups “Openfire Access Group” and “_IM Staff” (in Openfire Access Group); the user IDs are hosted in a different OU.

These groups were created on OU=IM, DC=mydomain, DC=LOCAL. I added the members over here.

Later I went to System Properties in Openfire and changed ldap.groupSearchFilter to: (objectClass=group)(cn=_IM*). I restarted the Openfire service and Openfire listed just the groups starting with _IM; I could see the members and everything, but I could still see all domain users.

I tried to modify ldap.searchfilter following the above documentation (see link), but I couldn’t log in to the admin portal anymore (I’m a member of the groups as well). The goal was to apply more security to Openfire so that all members and groups in Openfire Access Group are able to log in and no others in the domain.

I used this string: ldap.searchfilter (&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Openfire Access Group,OU=IM,DC=MyDomain,DC=local))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This string should allow only Openfire Access Group members to log in and no others. I have problems with the code here:

ldap.searchfilter (&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Openfire Access Group,OU=IM,DC=MyDomain,DC=local))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

For some reason Openfire cannot read the users in these groups (remember the users are created in a different OU). I just followed this documentation, but I don’t know how to verify whether the code is correct or not; I don’t have more information to see what is wrong. I know this filter is incorrect, not the others.

Please help me.

Thank you.

Current configuration working:

ldap.baseDN : dc=mydomain,dc=local

ldap.groupSearchFilter:(objectClass=group)(cn=_IM*)

ldap.searchFilter:(objectClass=organizationalPerson)

Note: I know this web site is adding spaces to the code so please forget that part.

“_IM staff” is a member of “Openfire Access Group” right?

Yes, sir. “_IM Staff” is a member of the “Openfire Access Group”.

I’m going to run the below string with your confirmation.

ldap.searchfilter (&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=OU=Openfire Access Group,OU=IM,DC=MYDOMAIN,DC=local))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Remember:

My groups are created on: OU=IM,DC=MYDOMAIN,DC=local

ldap.baseDN : dc=mydomain,dc=local

ldap.groupSearchFilter:(objectClass=group)(cn=_IM*)

ldap.searchFilter:(objectClass=organizationalPerson)

Are you still over there?
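To sanity-check these search filters offline, here is an added example that is not from this thread or from Openfire: a small evaluator for the RFC 4515 filter syntax plus the two AD extensible matching rules the filters use (1.2.840.113556.1.4.1941 for transitive memberOf, 1.2.840.113556.1.4.803 for the userAccountControl bit test, where bit 2 is ACCOUNTDISABLE), run against a constructed directory in which _IM Staff is nested inside Openfire Access Group and the users sit in a different OU. The DNs and users in DIRECTORY are constructed sample data; search() returns which entries a filter selects, so you can see that the CN= form selects only enabled members (nested ones included), that an OU= group DN selects nobody because AD groups are CN objects, and that a space inside the rule OID is rejected outright.

```python
ACCESS = "CN=Openfire Access Group,OU=IM,DC=mydomain,DC=local"
STAFF = "CN=_IM Staff,OU=IM,DC=mydomain,DC=local"
PERSON = "organizationalPerson"
DIRECTORY = {  # constructed sample data: nested groups in OU=IM, users in a different OU
    ACCESS: {"objectclass": ["group"]}, STAFF: {"objectclass": ["group"], "memberof": [ACCESS]},
    "CN=alice,OU=Users,DC=mydomain,DC=local": {"objectclass": [PERSON], "memberof": [STAFF], "useraccountcontrol": ["512"]},
    "CN=bob,OU=Users,DC=mydomain,DC=local": {"objectclass": [PERSON], "useraccountcontrol": ["512"]},  # in no group
    "CN=carol,OU=Users,DC=mydomain,DC=local": {"objectclass": [PERSON], "memberof": [STAFF], "useraccountcontrol": ["514"]},  # bit 2 = disabled
}

def parse(s, i=0):  # recursive-descent parse of one RFC 4515 filter at s[i] -> (node, index past it)
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if s[i + 1] in "&|!":
        op, kids, i = s[i + 1], [], i + 2
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1  # skip the closing ')'
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)  # 'attr=value' or 'attr:ruleOID:=value'
    return ("item", attr.lower(), value), end + 1

def member_of_chain(dn):  # transitive memberOf closure (lower-cased DNs), as rule 1.4.1941 walks it
    seen, todo = set(), list(DIRECTORY.get(dn, {}).get("memberof", []))
    while todo:
        group = todo.pop()
        if group.lower() not in seen:
            seen.add(group.lower())
            todo += DIRECTORY.get(group, {}).get("memberof", [])
    return seen

def matches(node, dn):
    kind, entry = node[0], DIRECTORY[dn]
    if kind == "&": return all(matches(k, dn) for k in node[1])
    if kind == "|": return any(matches(k, dn) for k in node[1])
    if kind == "!": return not matches(node[1][0], dn)
    _, attr, value = node
    if ":" not in attr:  # plain equality match, case-insensitive as in AD
        return value.lower() in [v.lower() for v in entry.get(attr, [])]
    attr, rule, _ = attr.split(":")  # extensible match: attr:ruleOID:=value
    if rule == "1.2.840.113556.1.4.1941" and attr == "memberof":  # LDAP_MATCHING_RULE_IN_CHAIN
        return value.lower() in member_of_chain(dn)
    if rule == "1.2.840.113556.1.4.803":  # LDAP_MATCHING_RULE_BIT_AND: all bits of value set
        return any(int(v) & int(value) == int(value) for v in entry.get(attr, []))
    raise ValueError(f"unsupported matching rule {rule!r} (stray spaces in the OID?)")

def search(filter_string):  # DNs in DIRECTORY selected by the filter
    node, _ = parse(filter_string.strip())
    return sorted(dn for dn in DIRECTORY if matches(node, dn))
```

Paste a filter exactly as it will go into ldap.searchFilter; the evaluator handles only equality and the two AD rules, so the wildcard in the group filter (cn=_IM*) is outside its scope.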