
Trying out Openfire - can it do this? (AD/LDAP auth+groups)

Hi all,

I’m just trying out OpenFire to replace our current jabberd2 installation, and I have to say it’s looking great so far. I just have a few questions I wasn’t able to find a definite answer to, hopefully someone here can advise. For background, I’ve set up OpenFire 3.6.4 to connect to AD via LDAP and it’s working well. My questions are:

  • I’m using a handful of groups to prepopulate users’ rosters so I don’t need to keep them up to date manually. This works well, but I get lots of other unrelated accounts in the roster too. I think this is because by default all groups I’m a member of show up in my roster. Is there any way to turn this off, so that only the groups I manually select are shown in the roster?
  • Is there any way to ignore LDAP for authentication and use another system (but keep LDAP for everything else)? I would like to automate the client-side set up, but since any scripts I write won’t know the users’ passwords I need to be able to ignore the ones in LDAP and use something else that I can reproduce on the client side without any user interaction.
  • All our computer accounts are appearing in the user list on the web management page (they end with a dollar sign) but I can’t see anywhere to filter these out, other than searching every time.

Also I may as well mention while I’m here, if you go in and try to edit the server’s base DN it gets truncated in the edit box. Our DN starts with OU="blah blah" and it gets cut off at the first double-quote. Probably an escaping issue.

Otherwise this is looking like a very nice, functional Jabber server!

Hi

  • Yes, you can. Go to Users/Groups -> Groups, select the group that you are interested in, then select Disable group sharing.
  • Why don’t you use SSO or NTLM? Alternatively you can always sync users in AD with users in OF via an external script.
  • Maybe you need to apply a search filter such as (objectClass=organizationalPerson).

I’m not quite sure of the correct syntax, but why don’t you try without quotes?

Thanks for your reply!

  • I can only find ‘disable group sharing’ against an individual group. As there are about 100 groups I am a member of (we are a fairly large organisation) I don’t want to have to go through and untick those groups by hand. Also our central IT department creates new groups all the time for various reasons so I don’t want to have to go back and change options every time a new group appears.
  • I was not aware that I could use SSO or NTLM, please advise how I can set up a Jabber client like Psi to do this, I have not seen an option for it.
  • Your suggestion to filter the list of users worked. I changed it from (objectClass=organizationalPerson) to (objectCategory=person) and this did the trick - no more computer accounts.

The Base DN works fine with and without quotes, you just have to keep repasting it if you edit it when it has quotes. It seems this is a bug.

Thanks again for your suggestions!

  • I can only find ‘disable group sharing’ against an individual group. As there are about 100 groups I am a member of (we are a fairly large organisation) I don’t want to have to go through and untick those groups by hand. Also our central IT department creates new groups all the time for various reasons so I don’t want to have to go back and change options every time a new group appears.
    Yes, I mean just that (sorry for the misspelling). You can always try to filter groups by some criteria. The 1st example will load groups whose name contains ‘group_name_contains’. The 2nd example will load groups whose email field (in AD Users & Computers -> Group -> Properties) is not empty (so you can ask your AD administrator to fill that field with something).

(&(objectClass=group)(cn=*group_name_contains*))
or
(&(objectClass=group)(mail=*))

  • I was not aware that I could use SSO or NTLM, please advise how I can set up a Jabber client like Psi to do this, I have not seen an option for it.
    There are a few good topics on this site. Psi can’t do NTLM right now. I believe Pidgin can. Also Spark, possibly?

The Base DN works fine with and without quotes, you just have to keep repasting it if you edit it when it has quotes. It seems this is a bug.

Thanks again for your suggestions!

I think that this is a bug.

You are welcome.

Thanks for the suggestion - after my post I began experimenting with the LDAP search criteria as you suggested and hit upon the same idea to restrict the groups. I changed the advanced options for the group (in the server settings, step 3) and set the criteria to (&(objectClass=group)(|(name=First_)(name=Second_))) and now only groups starting with First_ and Second_ are appearing in the list! No need to untick any ‘do not share’ options.

I’ll have a look at Pidgin (Spark seems a little resource heavy), so it looks like getting that to work might be enough to make the switch!

Thanks again for your help.
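To make the filter discussion in this thread concrete (the user filter that drops computer accounts, the group filters on mail/name, and the prefix filter in the last post), here is an added example that is not from the thread and not Openfire code: a minimal RFC 4515 filter evaluator run over a constructed, AD-shaped set of entries. It supports only (&...), (|...), (!...), equality, presence (attr=*) and substring (*) items. Two simplifications are assumptions: objectCategory is stored as the short name (real AD stores a schema DN but accepts the short lDAPDisplayName in filters), and the sample entries are invented. One thing it shows that the posts do not spell out: in a plain LDAP filter (name=First_) is an exact match, so a "starts with" filter needs a trailing wildcard, (name=First_*).

```python
# Added example (not from the thread or from Openfire): a tiny RFC 4515 filter
# evaluator over constructed AD-style entries, to show which objects the filters
# discussed above actually match. Subset only: & | ! equality presence substring.
import re

# Constructed sample directory (assumption, not real data). objectCategory is
# kept as the short name for simplicity; AD accepts that form in filters.
ENTRIES = {
    "CN=Alice,OU=Staff,DC=example,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "objectCategory": ["person"],
        "sAMAccountName": ["alice"],
        "name": ["Alice"],
    },
    # Computer accounts are also organizationalPerson/user objects in AD,
    # which is why (objectClass=organizationalPerson) lists them too.
    "CN=WS01,CN=Computers,DC=example,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "objectCategory": ["computer"],
        "sAMAccountName": ["WS01$"],
        "name": ["WS01"],
    },
    "CN=First_Ops,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"], "objectCategory": ["group"],
        "cn": ["First_Ops"], "name": ["First_Ops"], "mail": ["ops@example.com"],
    },
    "CN=Second_Dev,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"], "objectCategory": ["group"],
        "cn": ["Second_Dev"], "name": ["Second_Dev"],
    },
    "CN=Printer_Users,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"], "objectCategory": ["group"],
        "cn": ["Printer_Users"], "name": ["Printer_Users"],
    },
}


def parse(text, pos=0):
    """Parse one parenthesised filter at text[pos]; return (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError("filter must start with '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|!":
        op = text[pos]
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unbalanced filter at offset %d" % pos)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, sep, pattern = text[pos:end].partition("=")
    if not sep or not attr:
        raise ValueError("only attr=value items are supported: %r" % text[pos:end])
    return ("=", attr, pattern), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry; attribute names and values compare case-insensitively."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if pattern == "*":            # presence filter: the attribute has any value at all
        return bool(values)
    # Substring filter: each '*' matches any run of characters; no '*' means exact match.
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return any(re.fullmatch(regex, v) for v in values)


def search(filter_text):
    """Return the sorted 'name' values of the entries matching an LDAP filter string."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return sorted(e["name"][0] for e in ENTRIES.values() if matches(node, e))


if __name__ == "__main__":
    for f in [
        "(objectClass=organizationalPerson)",                       # users and computers
        "(objectCategory=person)",                                  # users only
        "(&(objectClass=user)(!(objectClass=computer)))",           # same result, explicit exclusion
        "(&(objectClass=group)(mail=*))",                           # groups that have a mail attribute
        "(&(objectClass=group)(cn=*Ops*))",                         # groups whose name contains Ops
        "(&(objectClass=group)(|(name=First_)(name=Second_)))",     # exact match: matches nothing here
        "(&(objectClass=group)(|(name=First_*)(name=Second_*)))",   # prefix match
    ]:
        print("%-60s -> %s" % (f, search(f)))
```

Running it prints one line per filter; the two filters that differ only by the trailing `*` are the ones worth comparing before pasting a group filter into Openfire's advanced LDAP settings.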