Yet another LDAP configuration issue

Hey guys, yet another clueless Active Directory admin who knows nothing about LDAP. I have been searching the forums for quite a while now and have tried many different suggestions, usually by pasting and then editing in my specific settings. Nothing has worked so far, and it's starting to drive me nuts! Below are the settings I have used as well as the places where I receive errors.

Host: servername

Base DN: dc=domainname,dc=local - (For this the domain is domainname.local)

Administrator DN: cn=spark,cn=users,dc=gc,dc=local - (I created a domain admin named “sparK” in the users container, which is in its default location. When I test this setting he successfully authenticates!)

Username field: sAMAccountName

Search Fields: Blank

User Filter: ((objectCategory=Person)(memberOf=CN=users,DC=domainname,DC=local)) - At this point I try testing the user mapping and it brings an error saying “No users were found using the specified configuration. Try changing the base DN, user filter or username field”

It does, however, allow me to continue, so I do.

Group Field: cn

Member Field: member

Description Field: description

At this point I hit test settings and get the following error “No Groups were found using the specified configuration. Try changing the base DN, group filter or member field”

However, I am hopeful so I keep going. I was able to successfully authenticate my administrative user in the first step, so I would assume that when it asks me to Add Administrator, this step should work?!

WRONG - I try and add in “spark” or even just “administrator” and I get a “No username was provided or the specified username was not found.”

So guys… please help I’m thinking about crying.

Also, just some more information about my setup … In the “users” container, I created a group called “jabber” with which I have added all users who will need access to logon to the server

All your users are in the default Users folder of AD? If that is the case, that is improper. They should be in an OU. The same should be true for groups and computers. The default folders Users and Computers should only contain default AD accounts. This will allow you to use group policy to regulate the computers and users. You should also make sure to use standard DOS naming conventions when creating AD OU structures (alphanumeric and no spaces). For example, I created this structure:

  • Domain.info
    • DomainAccounts
      • DomainUsers
        • UserLocation1
        • UserLocation2
      • DomainGroups
      • DomainComputers
        • ComputerLocation1
        • ComputerLocation2

This would make your baseDN OU=DomainAccounts, DC=Domain, DC=info

As for the adminDN, you can use a domain user that has read access to the AD structure. I would create a new user for this purpose with no other group rights. This is because the password is in plain text in the Openfire configuration file. This user can be in the default Users folder for AD. If you create the user openfire you can use this for the adminDN: openfire@domain.info.

Your Jabber group should be in your groups OU located within your baseDN. I would start without a filter, though, as it is easier to set up. Filters can be added later by editing the openfire.xml in the Openfire conf folder.

In short, take the time to configure your AD structure now if you have not already done so. It will save you a world of hurt later.

I went with the base DN that I did because I had seen so many posts saying to configure an unspecific base and then use filters to search for the users?

My AD has many OU’s and containers to keep user accounts. For instance, the users I want to use IM are scattered through the AD in the following fashion:

domain.local > Company OU > User Accounts OU > Department OU > User Account - Obviously there are many different department OU’s, which is why I created the group and just dumped it into the Users container, thinking this would be the most simple to configure?

The admin account is the only one in the default location of domain.local > User Container > Admin Account

Unfortunately there are some spaces in the OU’s and containers, but this pre-dates me as I didn't configure it. That being said, do you see something that is wrong with my original configuration? Did I just follow advice that was more specific to someone else's deployment? Thanks for your help so far… Hopefully I am on the right track.

If all your users and groups are contained under a single OU, that should be your baseDN. Openfire will find anything contained within. If not, then your baseDN should be the domain.

That being said, my above configuration should work? Or am I missing something?

I do not believe this filter is right: ((objectCategory=Person)(memberOf=CN=users,DC=domainname,DC=local))

Firstly, I thought you were trying to filter by group. You should use a group filter, not a user filter.

Second, you are trying to filter by the container Users. I do not think this is right based on your description.

Without actual specifics of the domain I do not know how much accurate aid I can give.

I would try to configure first without any filters to make sure you have your baseDN and adminDN correct.

I have attached my openfire.xml (it contains some extras for my SSO). It has the default filters in it to save you a reinstall.

Sorry, I wasn't able to find any attachment on your post? I have, however, attached a picture of my AD, just to help clarify any matters I might have confused. I am going through the information you posted and I am going to see if I can make something happen.

Also, if you would be so kind as to tell me where your file is attached that might be useful as well.

Thank you for your assistance so far

Your baseDN should be OU=scribbledout, DC=domain, DC=local

Sorry, my attachment is now actually attached.

Thanks so much for your help! I basically just copied your file and made the necessary changes. It boils down to the following changes having been made. I'm documenting the changes that were ultimately made to assist anyone in the future who may have this issue.

  1. I took out the admin DN and just put the username of the admin account

  2. Removed the search filter in place of the default setting

  3. Configured my base DN to go to the next level up - This one I don't understand why it didn't work. Wouldn't it just have had to search through more containers and OU’s, but ultimately come back with the same results? Instead it didn't work at all with dc=domain,dc=local but once I changed it to ou=companyou,dc=domain,dc=local

  4. Removed some periods from the DN (it used to be dc=local. and now it's just dc=local). Does that make a difference?

  5. Searchfields is Username/UID,Name/CNAME which is probably the default setting? I don't recall

  6. Groupsearchfilter is (objectClass=group) which again, perhaps is default?

Either way, thanks so much for your help!

Sorry buddies, I am a new user of the Active Directory & LDAP services, and I'm having the same problem.

I configured everything at its default value, except for the connection parameters, such as DB, USER and PWD of my MySQL, and DN and CN of my domain, but still I can't get the Openfire setup to take some user as the administrator. I've tried to put a user in the domain root, in the OU, in the Users folder, and can't manage that yet. I managed to take all the users and they can connect via Spark, but I cannot do administrative tasks, because it doesn't take any users from the Active Directory as administrator.

I forgot to say:

My AD was set up in this order:

  • Active directory

  • domain.local

  • Something

  • Something

  • Users

  • OU 1

  • OU 2

So, in the configuration of the Openfire server I wrote in the base DN: dc=Users, cn=domain, cn=local

I really need some help, in order to not get fired…!!!

Sorry, I copied the configuration wrong,

My base DN is: cn=Users, dc=domain, dc=local.

This is the parameter that I put in the BASE DN, and I cannot configure the administrative account.
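The DN mix-ups in this thread (the dc= and cn= components swapped in the post above, and the trailing period in "dc=local." the earlier poster removed) are the kind of thing a quick sanity check catches before anything is tested against the server. The following is an added example, not code from the thread or from Openfire. Its checks are heuristics for typical Active Directory layouts, assumed here rather than taken from the thread: the rightmost components of an AD DN are dc= DNS labels, everything to their left is cn= or ou=, and the built-in Users folder is a container (cn=Users), not an OU.

```python
"""Distinguished-name splitter with Active Directory sanity checks.

Added example for this thread; not Openfire code. split_dn() honours the
backslash escapes of RFC 4514 (\\, \\= \\\\) but does not decode \\XX hex pairs.
The checks in check_ad_dn() are heuristics for typical AD layouts.
"""
import re

_DNS_LABEL = re.compile(r'[A-Za-z0-9-]+')   # one dc= value is one DNS label


def split_dn(dn):
    """Split 'cn=a,ou=b,dc=c' into [('cn', 'a'), ('ou', 'b'), ('dc', 'c')]; types are lower-cased."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):      # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ',':
            rdns.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(''.join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, sep, value = rdn.partition('=')
        if not sep or not attr_type.strip():
            raise ValueError(f"RDN {rdn!r} is not of the form type=value")
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def check_ad_dn(dn):
    """Return a list of likely problems with a DN intended for AD (empty list means it looks sane)."""
    pairs = split_dn(dn)
    problems = []
    suffix = 0                                   # number of trailing dc= components
    for attr_type, value in reversed(pairs):
        if attr_type != 'dc':
            break
        suffix += 1
        if not _DNS_LABEL.fullmatch(value):
            problems.append(f"dc={value}: a domain component is one DNS label, no dots or punctuation")
    if suffix == 0:
        problems.append("DN does not end in dc= components (expected something like dc=domain,dc=local)")
    for attr_type, value in pairs[:len(pairs) - suffix]:
        if attr_type == 'dc':
            problems.append(f"dc={value} sits above the domain suffix; containers are cn= and OUs are ou=")
        elif attr_type not in ('cn', 'ou'):
            problems.append(f"{attr_type}={value}: unexpected type in an AD path (expected cn or ou)")
        elif attr_type == 'ou' and value.lower() == 'users':
            problems.append("ou=Users: the built-in Users folder is a container, cn=Users, "
                            "unless you created an OU of that name")
    return problems


if __name__ == "__main__":
    # Sample DNs taken from or modelled on the thread; 'domain' is the posters' placeholder.
    for dn in ("cn=Users, dc=domain, dc=local",
               "dc=Users, cn=domain, cn=local",
               "dc=domain,dc=local.",
               "ou=companyou,dc=domain,dc=local"):
        print(dn, "->", check_ad_dn(dn) or "looks sane")
```

Run it and the post's first attempt, `dc=Users, cn=domain, cn=local`, produces two findings (no domain suffix, and a dc= component above it), while the corrected `cn=Users, dc=domain, dc=local` passes, as does the `ou=companyou,dc=domain,dc=local` that worked for the earlier poster. A trailing period on a dc value is flagged because `local.` is not the label the directory holds, which is why removing those periods mattered.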

Please start a new thread. This one is closed.