Shared roster group with forest and tree root members


I’ve got one Openfire server in the Windows forest root domain with users authenticating using LDAP. I’m using universal security groups to filter and add users to the shared roster groups and that seems to work fine.

Now I’m attempting to add users to the security groups that are in a tree-root domain, meaning a domain that is in the forest but has a completely different name, like:

forest root =

tree root =

So, I can’t just use the ldap.baseDN alone so I’ve added the ldap.alternateBaseDN option and set that to the tree root domain, then I set the ldap.port to 3268, and that seems to work fine for authentication. Then when I use the wizard to test the group filters, it will show the correct number of users in each group. However, when I save the configuration and then look at the groups from in the admin console, it only shows the users in the forest root domain. Also, Spark is only showing the forest root domain users so the tree-root users aren’t populated and have no presence, but they can be searched.

I’ve read the tutorial about blanking the baseDN so that it will search across the whole forest but then authentication seems to fail and it locks me out of the admin console. I actually think it was working as intended after I set it up initially but it broke when the server was restarted.

I guess I just need to know if what I’m trying to accomplish is even possible, and if so, where am I going wrong?

Thanks in advance.

Try setting your baseDN to the root of your forest and removing the alternateBaseDN option. Also, I think I would try working with local groups vs universal groups.

But if I don’t specify the alternate domain then the users in the tree-root cannot authenticate, and if I don’t use universal groups I won’t be able to add users from both domains to the same group.
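A small diagnostic, added here as an example and not part of the thread or of Openfire's code: given the member DNs of a universal group as returned by the global catalog on port 3268, it sorts each member by whether it sits under ldap.baseDN, under ldap.alternateBaseDN, or under neither suffix. Members under neither suffix are exactly the ones a lookup scoped to those bases can never resolve, which is the symptom described above. The domain names and member DNs are constructed placeholders, and a blank baseDN is treated as "whole forest" as the tutorial the poster mentions describes.

```python
from typing import Dict, List

# Constructed sample: a universal group in the forest root (example.com) whose
# members come from the forest root, a tree-root domain (corp.test) and a third
# domain (other.local) that is configured nowhere.
SAMPLE_MEMBERS = [
    "CN=Alice,OU=Staff,DC=example,DC=com",
    "CN=Bob,OU=Staff,DC=example,DC=com",
    "CN=Carol,OU=Eng,DC=corp,DC=test",
    "CN=Dave,OU=Eng,DC=other,DC=local",
]


def _normalize_dn(dn: str) -> List[str]:
    # Split into RDNs and lower-case them; AD DNs are compared case-insensitively.
    # Assumes no escaped commas inside RDN values (typical for AD user objects).
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def dn_is_under(dn: str, base: str) -> bool:
    """True if `dn` is at or beneath `base`. A blank base matches the whole forest."""
    if not base.strip():
        return True
    d, b = _normalize_dn(dn), _normalize_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def classify_members(members: List[str], base_dn: str,
                     alternate_dn: str = "") -> Dict[str, List[str]]:
    """Bucket member DNs by which configured search base (if any) covers them."""
    result: Dict[str, List[str]] = {"base": [], "alternate": [], "unreachable": []}
    for member in members:
        if dn_is_under(member, base_dn):
            result["base"].append(member)
        elif alternate_dn and dn_is_under(member, alternate_dn):
            result["alternate"].append(member)
        else:
            # Neither ldap.baseDN nor ldap.alternateBaseDN covers this DN, so a
            # base-scoped user lookup will silently drop it from the roster group.
            result["unreachable"].append(member)
    return result


if __name__ == "__main__":
    # Forest root only: the tree-root member is unreachable.
    print(classify_members(SAMPLE_MEMBERS, "DC=example,DC=com"))
    # Forest root plus tree root as alternate: only the third domain is unreachable.
    print(classify_members(SAMPLE_MEMBERS, "DC=example,DC=com", "DC=corp,DC=test"))
```

Running it against the real member list (for example the `member` attribute fetched from the global catalog) shows at a glance which accounts the configured bases cannot reach.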