Win AD LDAP Success Users Groups

After much research and problem solving,

I have been able to bring my Win AD users and groups into Wildfire.

Groups show up properly in Spark with AD group members.

This is my conf xml, hope it helps others.

FYI - Big things to watch: my default conf did not have the ldap group provider,

posixMode is important, my searchfilters were pieced together from several other posts.

AD info: I created a new Sec Group “Wildfire” in the Users container; add membership with the users and groups you want to show up in WFire.

AD propagation into Wfire is slow, but if you stop and start Wfire and give it 1 min, you'll be up to date.

Sensitive info changed and surrounded by “++” so use the proper stuff for your AD … post back to this msg if you have questions, I will watch the thread.


<ldap>
  <!-- The XML element names around these values were lost when the post was copied;
       they are restored here from the standard Wildfire ldap section, and the {0}
       placeholder Wildfire substitutes in the filters is restored as well.
       Values wrapped in "+" are the poster's placeholders for sensitive info. -->
  <host>+duck.company.com+</host>
  <baseDN>+dc=company,dc=com+</baseDN>
  <adminDN>+cn=bigadmin,cn=Users,dc=company,dc=com+</adminDN>
  <adminPassword>+passwd+</adminPassword>
  <searchFilter><![CDATA[
    (&
      (objectCategory=Person)
      (objectClass=user)
      (memberOf=cn=Wildfire,cn=Users,dc=company,dc=com)
      (!(userAccountControl:1.2.840.113556.1.4.803:=2))
      (sAMAccountName={0})
    )
  ]]></searchFilter>
  <groupSearchFilter><![CDATA[
    (&
      (objectCategory=Group)
      (objectClass=group)
      (memberOf=cn=Wildfire,cn=Users,dc=company,dc=com)
      (member={0})
    )
  ]]></groupSearchFilter>
</ldap>

This is exactly what I needed to resolve my group problems. Thank you

I have configured it, but from the IM client I am not able to add AD groups. It shows an empty group there, while there are users in those groups.

Can anyone help me out??

Thanks,

Rawlins.

I am a Linux and Wildfire newbie and I am having some difficulty getting this setup.

I currently have wildfire set up and integrated with AD, but I get ALL the users on the system, as well as computer accounts and other junk. What I would like to do is make sure that only those users in my “domain users” group are imported to Wildfire. Your post seems like it will do the trick, but when I put in a bit of your config about the searchfilter, I can no longer sign in to Wildfire (on either the client or the server side). Any ideas???

Thanks!

Kyle

Your acct used for WFire login would have to be in the filtered container.

So if you are using “Administrator” and it is not in “Domain Users” it probably won't work. Try putting the WFire admin login in your Domain Users to see if it works.

This is my experience—

the “adminDN” setting is just a pointer for authentication, to verify the pwd entered at login for the admin controls. Using a filter defines what accts are valid for login. So you may have the “AdminDN” correct for authentication, but if it does not pass the filter, then it's not a valid login.

The baseDN will pull in all objects below it, unless filtered.

Double chk the logic of your filter string but

You may want to experiment with
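The distinction made above (adminDN only proves the bind password; searchFilter decides who can log in) and the first post's filters can be checked without a domain controller. The following is an added Python example, not code from this thread or from Wildfire. It assumes the Wildfire convention that `{0}` in searchFilter is replaced by the typed login name, evaluates only the filter subset the thread uses (`&`, `|`, `!`, `attr=value` and the AD bitwise-AND rule `attr:1.2.840.113556.1.4.803:=n`), and runs the filter over a few constructed entries: an enabled member of the Wildfire group, a disabled member, an admin outside the group, and a computer account. It also escapes the substituted login name per RFC 4515 so a typed value cannot change the filter.

```python
"""Offline evaluator for Wildfire-style AD search filters (added example)."""
import re

# First post's user filter with the {0} placeholder Wildfire substitutes at login.
USER_FILTER = """
(&
(objectCategory=Person)
(objectClass=user)
(memberOf=cn=Wildfire,cn=Users,dc=company,dc=com)
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
(sAMAccountName={0})
)
"""
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # AD bitwise-AND matching rule OID

# Constructed entries, not real accounts. Attribute names are lower-cased (LDAP
# attribute names are case-insensitive); 514 = 512 (normal account) | 2 (disabled).
DIRECTORY = [
    {"dn": "cn=alice,cn=Users,dc=company,dc=com", "objectcategory": ["Person"],
     "objectclass": ["top", "person", "user"], "samaccountname": ["alice"],
     "memberof": ["cn=Wildfire,cn=Users,dc=company,dc=com"], "useraccountcontrol": ["512"]},
    {"dn": "cn=bob,cn=Users,dc=company,dc=com", "objectcategory": ["Person"],
     "objectclass": ["top", "person", "user"], "samaccountname": ["bob"],
     "memberof": ["cn=Wildfire,cn=Users,dc=company,dc=com"], "useraccountcontrol": ["514"]},
    {"dn": "cn=bigadmin,cn=Users,dc=company,dc=com", "objectcategory": ["Person"],
     "objectclass": ["top", "person", "user"], "samaccountname": ["bigadmin"],
     "memberof": ["cn=Domain Admins,cn=Users,dc=company,dc=com"], "useraccountcontrol": ["512"]},
    {"dn": "cn=FRED,cn=Computers,dc=company,dc=com", "objectcategory": ["Computer"],
     "objectclass": ["top", "person", "user", "computer"], "samaccountname": ["FRED$"],
     "memberof": [], "useraccountcontrol": ["4096"]},
]

def escape_filter_value(value):
    """RFC 4515 escaping: a typed login name can never add filter syntax."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def compact(template):
    """Join the multi-line filter layout used in the thread into one string."""
    return "".join(line.strip() for line in template.splitlines())

def parse_filter(text):
    """Parse the subset used in the thread: &, |, !, attr=value, attr:OID:=value."""
    node, end = _parse_node(text, 0)
    if end != len(text):
        raise ValueError(f"unexpected text after filter at offset {end}")
    return node

def _parse_node(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
        if s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed {op} filter at offset {i}")
        return (op, children), i + 1
    end = s.index(")", i)  # escaped values contain no ')', so this is the item end
    m = re.fullmatch(r"([\w.;-]+)(?::([\d.]+):)?=(.*)", s[i:end])
    if not m:
        raise ValueError(f"bad filter item {s[i:end]!r}")
    attr, rule, value = m.groups()
    return ("=", attr.lower(), rule, value), end + 1

def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, raw = node
    values = entry.get(attr, [])
    if rule == BIT_AND_RULE:           # e.g. userAccountControl & 2 -> disabled
        mask = int(raw)
        return any((int(v) & mask) == mask for v in values)
    if raw == "*":                     # presence filter: only an unescaped wildcard
        return bool(values)
    wanted = unescape_filter_value(raw).lower()
    return any(v.lower() == wanted for v in values)

def search(filter_text, entries=DIRECTORY):
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]

def find_user_dn(template, username, entries=DIRECTORY):
    """Wildfire's login step: the typed name must resolve to exactly one DN
    through searchFilter, whatever adminDN says about the bind account."""
    hits = search(compact(template).replace("{0}", escape_filter_value(username)), entries)
    return hits[0] if len(hits) == 1 else None

def list_users(template, entries=DIRECTORY):
    """User import: {0} becomes a real wildcard, so everything the filter admits
    is imported; a broad filter pulls in computer and built-in accounts too."""
    return search(compact(template).replace("{0}", "*"), entries)
```

With the constructed entries, `find_user_dn(USER_FILTER, "bigadmin")` returns `None` even though that account is the adminDN and a Domain Admin: it is not a member of the Wildfire group, which is exactly the failed-login case discussed above. `find_user_dn(USER_FILTER, "bob")` is also `None` because the `userAccountControl` bitwise clause drops disabled accounts, and `list_users("(objectClass=user)")` returns the computer account as well, which is the "all the users plus computer accounts and other junk" symptom.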

Thanks for the info. My WF user is a member of domain admins, so I don't think that is the problem.

However, I currently have my baseDN set to the entire domain. I did that because I wanted to catch users in all OUs. Can I use CN=Domain Admins for the baseDN even if the members are dispersed (i.e., in various OUs)? I will try that… I figured I had to pick the most broad baseDN that would catch all of my users… and that just seemed strange to me since most people do not have all of their users in a single OU!

Thanks!

Right, if you had other OUs with IM users then you would want the highest level to be baseDN domain.com.

The first test I would try is to add the acct used for WF management to the Domain Users group. If your search filter is looking there, having the admin acct in Domain Admins means nothing. WF does not seem to care about any inherited AD perms or rights. Then see if you can login to the web UI or spark, etc.

If that works, chk your search filter again.

In my setup, I created a new security group, and added IM users as members.

My baseDN is also at top level.

Also, you originally mentioned linux, is that your OS for WF or for LDAP srv?

Are you running a true Windows DC, or Linux LDAP?

I've gotten part of the configuration to work. AD users have been working fine for me for 2 months now, but we are trying to get the groups to populate. We have been able to get a list of all of our groups, but that list is over 1000 long and not sorted, and we have more than that; it is only showing the first 1000. When we try to narrow that down to only show groups of groups we can't see anything in our group summary page. Here is my config. Similar to the first post made on this thread

<adminDN>cn=svc_wildfire,cn=users,dc=noamer,dc=teletech,dc=com</adminDN>

-->

<groupSearchFilter><![CDATA[
(&(objectClass=group)(memberOf=cn=JabberEnabledGroups,ou=Users,dc=noamer,dc=teletech,dc=com)(member={0}))
]]></groupSearchFilter>

I use Windows Server 2003 on all of our DCs.

I tried the search that you mentioned, but it does not filter anything. My AD structure looks like this:

Domain
-Users
--Users by Location
---Some Special Users

I have my baseDN set to be the domain itself and the adminCN limited to the admin's distinguished name (i.e., CN=xxxx,DN=XXXX,DN=XXXX).

All of my users are members of Domain Users and I would like to limit the users in Wildfire to those users. My Wildfire admin user can log in just fine, so that part is working. The problem is that a bunch of other AD items show up as Wildfire users. It makes it damn near impossible to really look at my users.

I appreciate your help, maybe something above will trigger what I am doing wrong.

Thanks!

Also, does anybody have info on how to automatically get the users to populate the contacts in Spark??? Obviously, this is a secondary issue, but I thought I would ask.

I enter in the following:

and then I cannot login. Moreover, I check my AD user and it won't even show an attempt to login. So, it seems like when I put the searchFilter in, my LDAP communication stops. So, it looks like a syntax problem or something else that is throwing off wildfire.

The wf_users is a group that nests my domain users group, of which all of my users are a member.

Ideas anyone?

I am sorry for so many posts, but I found a config that partially works. I say partially because it narrows down the users to a much more manageable level. However, it does not seem to want to pull in my groups. I pulled this config from http://www.ferro.eu.org/IronCoded/Wildfire. It works like a champ for the users (although I still have the built-in accounts showing, which I will work to further drill down).

The groups are the big question mark now. Once I get the groups set up I will be able to have it push the users to the contacts in Spark.

As always, any help is appreciated!

    </searchFilter>
    <groupSearchFilter>
            <![CDATA[
                    (&
                    (objectCategory=Group)
                    (objectClass=group)
                    (member={0})
                    )
            ]]>
    </groupSearchFilter>

Hello, I've been trying for many weeks to get LDAP to work, but I don't have success.

Here is my xml configuration.

Thanks!!!

What is your specific issue? Are you able to get any users imported at all? Some things to do:

  1. Confirm that you can properly access your AD server and make LDAP queries

  2. Confirm that your admin user is a member of the group stated in your search filter

  3. If you are able to see the users, but not the groups, then you got as far as I did… congrats! If you still cannot see any users being imported, then save your xml file as a bak and then copy and paste the config from my previous post (on the link that I posted) into a new wildfire.xml file, obviously replacing the username and password and the domain info. That should get the users imported.

Kyle

When I change my xml file, I can't get my Spark client to connect. I have tried many user names and passwords and I cannot connect.

Answers to your questions

1 - Yes, I'm the network administrator

2 - OK

3 - I can't see anything, but I can't log in with the Spark client.

Let's do it differently. I will show my whole scenario and you (if you can) will make the correct xml file, ok?

my domain = NET.SEFAZ.ES.GOV.BR / IP address - 172.17.1.56

user administrator = rediao

I made a group named Wildfire in my AD to put the wildfire users in.

Can you help me??? Sorry for my poor English!

After several hours of struggling with the LDAP entries, I've finally got things working. The examples posted previously gave me a good starting point, but they didn't work for me. My process was to:

  1. get LDAP connectivity working without worrying about filters (piece of cake).

  2. get the user searchFilter functioning (this took the longest).

  3. after everything else was working, get the groupSearchFilter working.

As is usually the case with any of my programming tasks, little typos were my most nagging problem. Also, my philosophy is to keep things as simple as possible.

I'm not sure, but I suspect that my problems with not getting the previous examples to work for me are slight differences in my environment/schema. That said, let me state that my network is native Windows Server 2003, without Exchange or other add-ons that might alter the schema. And so, here is what works for me (only LDAP entries):

<ldap>
  <!-- The XML element names were lost when the post was copied and are restored
       here from the standard Wildfire ldap section, together with the {0}
       placeholder in the filters. The lone "name" that sat between the two
       filters is assumed to be groupNameField, matching the (name={0}) filter. -->
  <host>domaincontroller</host>
  <baseDN>dc=name1;dc=name2;dc=name3</baseDN>
  <adminDN>cn=wildfire_svc;cn=Users;dc=name1;dc=name2;dc=name3</adminDN>
  <adminPassword>password</adminPassword>
  <searchFilter><![CDATA[
    (&
      (objectClass=user)
      (memberOf=CN=WildfireIM,CN=Users,DC=name1,DC=name2,DC=name3)
      (sAMAccountName={0})
    )
  ]]></searchFilter>
  <groupNameField>name</groupNameField>
  <groupSearchFilter><![CDATA[
    (&
      (objectClass=group)
      (memberOf=CN=WildfireIM,CN=Users,DC=name1,DC=name2,DC=name3)
      (name={0})
    )
  ]]></groupSearchFilter>
</ldap>

I could not use the (objectCategory=Person) for some unknown reason, and using ADSI Edit, I didn't find this in user properties. Also, putting users and groups into a common designated group is what works best for me. And finally, for the groups search I use (name=) instead of (member=) because it's the groups' name that I want to search on, not the groups' member attribute.

I'm having issues too…

2006.06.07 13:24:29 Connect Socket[addr=/192.168.69.52,port=2321,localport=5222]

2006.06.07 13:24:30 Trying to find a user's DN based on their username. sAMAccountName: drew, Base DN: dc=vel,dc=corp…

2006.06.07 13:24:30 Creating a DirContext in LdapManager.getContext()…

2006.06.07 13:24:30 Created hashtable with context values, attempting to create context…

2006.06.07 13:24:30 Exception thrown when searching for userDN based on username 'drew'

javax.naming.AuthenticationException: LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)

at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)

<searchFilter><![CDATA[
    (&
      (objectCategory=Person)
      (objectClass=user)
      (memberOf=cn=Wildfire,cn=Users,dc=vel,dc=corp)
      (!(userAccountControl:1.2.840.113556.1.4.803:=2))
      (sAMAccountName={0})
    )
]]></searchFilter>
<groupSearchFilter><![CDATA[
    (&
      (objectCategory=Group)
      (objectClass=group)
      (memberOf=cn=Wildfire,cn=Users,dc=vel,dc=corp)
      (member={0})
    )
]]></groupSearchFilter>

Any suggestions?

I was able to get mine working using mharvey71's example. Hurrah!!!

Question, are any of these samples supposed to pre-populate the buddy list on Spark? If not, is there some filter or server configuration I need to do for that?

Ok, now my head is hurting. I've been fiddling with this for 6 hours and I'm just not getting something.

Here's my info:

Wildfire installed on FRED (WinXP…just loading here to learn how to load it)

My W2K domain is MYDOMAIN.COM

My domain controller is WILMA

I don't care who logs in (I'll deal with filters as soon as SOMEONE can log in)

My domain admin is ADMINISTRATOR and his password is SECRET

What part of what I have is wrong?

I'm assuming that if I can get Wildfire running and users added in the console and able to log in as ME@FRED and talk to METOO@FRED that all possibly needed software has been loaded to incorporate LDAP. We do have an exchange server (BARNEY) so I don't know if that throws a wrench in things at all.

Thanks in advance… I'm tired of having a headache.

For the

Message was edited by: torr

After getting groups to populate properly, the group members' status would not update. Further research led to the following thread:

http://www.jivesoftware.org/community/thread.jspa?threadID=20138

I hope they get this fixed soon. In the mean time, I've gone back to manually defined groups within Wildfire.