After searching a few hours without finding a solution, I finally post here…
My issue:
I have users who are members of multiple groups in AD.
When I look up their user properties in the Openfire web interface, only one group is shown under their “Groups:” info.
The only user displayed as a member of multiple groups is me, and I am marked as administrator.
My setup:
• Openfire authenticates against AD via LDAP
• Groups reflect different services
• Users are members of one supergroup with all users, and of all groups of their subscribed services
My AD-structure (example):
- OU=someou,DC=example,DC=com
  - OU=customers
    - Contains users that are customers
    - Examples: ted, jed, fred
  - OU=users
    - Contains users that are simple subscribers of services (i.e. services provided by customers)
    - Examples: don, ron, john
  - OU=services
    - Contains groups reflecting the services
    - Example: some-group
    - All users are in a supergroup for all users: all-users
Group-members overview:
all-users: ted, jed, fred, don, ron, john
some-group: ted, jed, don, ron
Openfire LDAP-setup:
ldap.baseDN: OU=orgun,DC=example,DC=com
ldap.groupSearchFilter: (objectClass=Group)
ldap.SearchFilter: (&(objectClass=user)(objectCategory=person))
Effect:
The properties of the users ted, jed, don and ron only show “some-group” in the “Groups:” info field.
Looking at the groups list shows the same. Members of the group “all-users” are only fred and john, while the members of “some-group” are ted, jed, don and ron. They are actually members of “all-users” in the AD but missing in that group within Openfire.
Thoughts:
If a user is member of multiple groups, only one group is being saved/synced.
Are groups in Openfire built from the users’ memberOf information or by querying LDAP for groups?
Why is my (administrative) account synced correctly as a member of both groups?
What do I have to do to get this synced correctly?
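A way to check from the directory side what the post asks about in its "Thoughts": whether the `member` attribute of each group and the `memberOf` back-link of each user agree, and which listed members an LDAP group provider would not be able to resolve because they sit outside the configured baseDN or do not match the user search filter. This is an added example, not code from the original post or from Openfire. The directory below is constructed in memory to mirror the OU layout and the memberships in the post; the `svc-bot` account outside the baseDN and the `lobby` contact object are assumptions added only to exercise the two failure modes, and the rule that a member must lie under the baseDN and match the user filter is modelled here as an assumption about how such a provider behaves, not taken from Openfire's source. The same functions can be run over a parsed ldapsearch export of a real tree.

```python
"""Cross-check AD group membership two ways (group `member` vs user `memberOf`)
and flag members that fall outside a baseDN or fail the user search filter.
Added example, not part of the original post or of Openfire; the directory
is constructed sample data, not a real AD."""
import re

BASE_DN = "OU=someou,DC=example,DC=com"   # baseDN as described in the post's layout


def norm_dn(dn):
    """Lower-case a DN and drop whitespace after commas so DNs compare reliably."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def dn_under_base(dn, base_dn):
    """True if dn equals base_dn or is located somewhere beneath it."""
    d, b = norm_dn(dn), norm_dn(base_dn)
    return d == b or d.endswith("," + b)


def matches_user_filter(entry):
    """In-memory equivalent of (&(objectClass=user)(objectCategory=person))."""
    return "user" in entry.get("objectClass", []) and entry.get("objectCategory") == "person"


def is_group(entry):
    return "group" in entry.get("objectClass", [])


def _user_dn(cn, ou):
    return f"CN={cn},OU={ou},{BASE_DN}"


def _group_dn(cn):
    return f"CN={cn},OU=services,{BASE_DN}"


ALL_USERS = _group_dn("all-users")
SOME_GROUP = _group_dn("some-group")
# Assumed extra objects (not in the post) that exercise the two failure modes:
SVC_BOT = "CN=svc-bot,OU=serviceaccounts,DC=example,DC=com"   # outside baseDN
LOBBY = _user_dn("lobby", "users")                              # contact, not a user

_USER = ["top", "person", "organizationalPerson", "user"]
_CONTACT = ["top", "person", "organizationalPerson", "contact"]
_GROUP = ["top", "group"]


def _person(object_classes, groups):
    return {"objectClass": object_classes, "objectCategory": "person", "memberOf": list(groups)}


# Constructed sample directory (DN -> attributes) mirroring the post's memberships.
DIRECTORY = {
    _user_dn("ted", "customers"): _person(_USER, [ALL_USERS, SOME_GROUP]),
    _user_dn("jed", "customers"): _person(_USER, [ALL_USERS, SOME_GROUP]),
    _user_dn("fred", "customers"): _person(_USER, [ALL_USERS]),
    _user_dn("don", "users"): _person(_USER, [ALL_USERS, SOME_GROUP]),
    _user_dn("ron", "users"): _person(_USER, [ALL_USERS, SOME_GROUP]),
    _user_dn("john", "users"): _person(_USER, [ALL_USERS]),
    SVC_BOT: _person(_USER, [ALL_USERS]),
    LOBBY: _person(_CONTACT, [ALL_USERS]),
    ALL_USERS: {"objectClass": _GROUP, "member": [
        _user_dn("ted", "customers"), _user_dn("jed", "customers"), _user_dn("fred", "customers"),
        _user_dn("don", "users"), _user_dn("ron", "users"), _user_dn("john", "users"),
        SVC_BOT, LOBBY]},
    SOME_GROUP: {"objectClass": _GROUP, "member": [
        _user_dn("ted", "customers"), _user_dn("jed", "customers"),
        _user_dn("don", "users"), _user_dn("ron", "users")]},
}


def audit_groups(directory, base_dn):
    """For each group under base_dn, split its `member` list into members a
    provider can resolve, members outside base_dn, members failing the user
    filter, and any disagreement between `member` and the users' `memberOf`."""
    index = {norm_dn(dn): attrs for dn, attrs in directory.items()}
    report = {}
    for dn, attrs in directory.items():
        if not is_group(attrs) or not dn_under_base(dn, base_dn):
            continue
        g = norm_dn(dn)
        via_member = {norm_dn(m) for m in attrs.get("member", [])}
        via_memberof = {d for d, e in index.items()
                        if g in {norm_dn(x) for x in e.get("memberOf", [])}}
        visible, outside_base, not_user = set(), set(), set()
        for m in via_member:
            if not dn_under_base(m, base_dn):
                outside_base.add(m)
            elif m not in index or not matches_user_filter(index[m]):
                not_user.add(m)
            else:
                visible.add(m)
        report[dn] = {"visible": sorted(visible), "outside_base": sorted(outside_base),
                      "not_user": sorted(not_user),
                      "memberof_mismatch": sorted(via_member ^ via_memberof)}
    return report


def groups_for_user(directory, user_dn, base_dn):
    """The user's groups computed from memberOf and from the groups' member
    attribute (both limited to groups under base_dn); the two should agree."""
    index = {norm_dn(dn): attrs for dn, attrs in directory.items()}
    u = norm_dn(user_dn)
    from_memberof = sorted(norm_dn(g) for g in index.get(u, {}).get("memberOf", [])
                           if dn_under_base(g, base_dn))
    from_member = sorted(d for d, e in index.items()
                         if is_group(e) and dn_under_base(d, base_dn)
                         and u in {norm_dn(m) for m in e.get("member", [])})
    return from_memberof, from_member
```

Running `audit_groups(DIRECTORY, BASE_DN)` reports six resolvable members for all-users, lists `svc-bot` under `outside_base` and `lobby` under `not_user`, and an empty `memberof_mismatch` for both groups, while `groups_for_user` for ted returns all-users and some-group from both directions. Against a real export, a non-empty `outside_base` or `not_user` list is the first thing to compare with the baseDN and search filter in the Openfire LDAP settings, and a non-empty `memberof_mismatch` means the two attributes are being read from different places (or one of them is not being returned by the search).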