
Spark: Only allow certain AD Groups

I just joined today!

I was able to successfully install Openfire on Server 2003 and have it using LDAP with our domain. I’m able to log in with users on the domain and IM back and forth. I’m using most of the defaults, including the embedded DB.

Here is the situation:

- I do not want everyone on the domain able to access this (yes, they’d need the server name of course, but still)
- I have an OU I can use, but then I have a few consultants that reside in another OU. The OU they’re in has a ton of other consultants that I do NOT want to give access to
- If I can allow an AD group, my problem should be solved
- If I can allow or disallow users, I’d do that too, but I’d like to keep using LDAP and not have to create separate user accounts

Thanks,

Garo

This should help point you in the right direction:

http://community.igniterealtime.org/docs/DOC-1554

Sorry, guys. None of these helped me.

Here’s my setup (anonymized as best I could). I’m running mostly defaults for the setup, using the embedded database and LDAP.

Let’s call my domain: domain.com

The actual name of the OU is NA that I’m going to use, and you can see its appropriate DN below. NA is for North America and has plenty more sub-OUs, such as NYC (NY City), but all of the user and group accounts I’m interested in are located in one of the sub (or further down) OUs of this main OU.

Step 1 - Connection Settings

LDAP Server

Server Type: Active Directory

Host: domain.com, Port: 389

BaseDN: ou=NA,dc=domain,dc=com

Authentication - this works fine, so no reason to display the info

Advanced Settings - default

Now my question is, where/how do I put in the AD Security Groups that I want only having access to Spark, along with its search feature?

I took a look at both links from speedy and sixthring, but I’m unsure where to put them exactly. Do I dump them into the openfire.xml before, during, after the setup, or in the initial web setup itself?

The DN of the AD group is similar to this (anonymized, but this many levels down):

CN=NYC AAA Users,OU=AAA,OU=ZZZ,OU=NYC,OU=NA,DC=lazard,DC=com

Pardon my ignorance, but I’m not very familiar with search filters and most of the coding here. I’m familiar with AD, and DNs mostly.

Do not include the OU in the base DN. Create a new security group for Spark users and reread my doc.
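
The change suggested in the last reply, as an added example that is not part of the original thread or the linked document: the base DN is moved to the domain root and a user search filter limits logins to members of one security group. It assumes the settings live in the `<ldap>` element of openfire.xml (releases that keep LDAP settings as system properties use `ldap.baseDN` and `ldap.searchFilter` for the same values); the group name `Spark Users` and its DN are constructed placeholders.

```xml
<!-- Added example with constructed values; authentication settings omitted
     because the thread reports they already work. -->

<!-- Before: the base DN is scoped to one OU. Every account under OU=NA is a
     valid user, and accounts in any other OU can never be included. -->
<ldap>
  <host>domain.com</host>
  <port>389</port>
  <baseDN>ou=NA,dc=domain,dc=com</baseDN>
</ldap>

<!-- After: the base DN covers the whole domain, so the location of an account
     no longer matters. Access is decided by membership of one security group.
     The "&" of the LDAP AND operator must be written as "&amp;" inside XML.
     The group DN below is a placeholder; use the DN of your own group. -->
<ldap>
  <host>domain.com</host>
  <port>389</port>
  <baseDN>dc=domain,dc=com</baseDN>
  <searchFilter>(&amp;(objectClass=organizationalPerson)(memberOf=CN=Spark Users,OU=NYC,OU=NA,DC=domain,DC=com))</searchFilter>
</ldap>
```

`memberOf` matches direct members only, so a user who is in the group through a nested group is not matched; Active Directory's matching rule `memberOf:1.2.840.113556.1.4.1941:=<group DN>` follows nesting. A group name containing `(`, `)`, `*` or `\` must have those characters escaped as `\28`, `\29`, `\2a` and `\5c` in the filter.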