Using AD Groups with OpenFire

Jason_M · January 26, 2009, 2:58pm

I work at a hospital where our AD system OU’s are broken up by patient care area. For example there is one OU for ER, one for ICU, and so on. When setting up OpenFire I created a new OpenFire OU with the Spark Admin user account and a Spark Users group. My plan was to add users that required access to that Spark Users group. When OpenFire searched for users it found the admin account, but seemed to ignore the users group. My question is: Is there a way for OpenFire to read the members of an AD group?

I know the obvious answer is to move the all required users into an OU for OpenFire, but the problem with that is that we also have AD group policies and specific login scripts set up per patient care area. I need to be able to give the managers of ED and ICU access to Spark while restricting anyone else in those areas from using Spark or showing up in the offline users list.

NO_MESSAGES_OR_FRIEN · January 26, 2009, 3:37pm

Spark pulls users accounts directly from AD. It does not look in groups for the users, but looks for actual user accounts. This cannot be altered. You can change your baseDN and then spark will find all the users. You can use the group you made as a filter to limit the results.

(&(objectClass=organizationalPerson)(memberOf=cn=WebISteam,ou=ChatGroups,ou=accounts,dc=domain,dc=com))

sample user filter based on group membership:

Jason_M · January 26, 2009, 5:55pm

Thank you Todd for the quick reply. I have attached a pic of my AD layout. If I understand correctly I would need to put the following in the filter section:

(&(objectClass=organizationalPerson)(memberOf=cn=1GROUPS,ou=File Security Groups,ou=SparkUsers,dc=nanticoke,dc=org))

NO_MESSAGES_OR_FRIEN · January 26, 2009, 6:15pm

(&(objectClass=organizationalPerson)(memberOf=cn=SparkUsers,ou=File Security Groups,ou=1GROUPS,dc=nanticoke,dc=org))

Jason_M · January 26, 2009, 6:47pm

Working like a champ now. Thanks again.