LDAP Auth based on groups

Stray · September 16, 2008, 7:33pm

Good Afternoon All,

Question – I’m pulling spark auth from LDAP (AD to be exact). It works like a champ, but my next problem is I need to restrict logins to a group. For example, you’re not in the group, you’re not logging in. I’ve tried a few things such as pointing the basedn to the group (I was really hopeful) and searched the forums but I’m not coming up with any good answers.

Has anyone got this to work? If so, How?

Thanksr

Stray · September 16, 2008, 8:41pm

Great ! I’m to stupid to post inside of the right group!!! Please move this to the openfire support page if an admin just happens to run over this…

NO_MESSAGES_OR_FRIEN · September 17, 2008, 12:33pm

you need to use a user filter. This is an example of one such filter:

<searchFilter> <![CDATA[[&(objectClass=organizationalPerson)(memberOf=cn=WebISteam,ou=ChatGroups,ou=accounts,dc=domain,dc=com))]]></searchFilter>

Stray · September 17, 2008, 1:05pm

Agreed - How do I implement that? Here is what I’ve tried:

I added that to my openfire.xml conf file, between the jive tags and upon restart it restarted the new install wizard, removing the filter returned life back to normal. I’m guessing there needs to be an additional xml tag set to make that work.

Added it to the ldap.searchfilter under Server -> Server Manager -> System Properties. I’ve added my tag in the following format :

[CDATA[[&(objectClass=organizationalPerson)(memberOf=CN=G.LOC.SparkUsers,OU=USER GROUPS,OU=LOC,OU=US,DC=Location,DC=corp))]]

That leads me to two questions

When I change these settings are these made to the running system, or do I have to restart the openfire server process?
Some dip used a space in user groups. Not the world’s smartest move – Will this create issues?

Thanks!

NO_MESSAGES_OR_FRIEN · September 17, 2008, 1:48pm

Spaces could cause problems. I have attached an openfire.xml file from Openfire 3.5.2 to this message to show you where it goes. 3.6.0 is a whole new ball game though. You will need to put a filter in this system property:

Just like you did.

I cannot guarantee if old filters will work. I know my filter worked prior to 3.6.0.

Yes you need to restart openfire after changing the filter.
openfire.xml (4123 Bytes)

Stray · September 17, 2008, 4:58pm

In spark 3.6.0 it worked like a champ. Thanks for your reply!

For those trying to figure this out:

update the ldap.searchfilter and ldap.groupsearchfilter with

(&(objectClass=organizationalPerson)(memberOf=CN=G.LOC.SparkUsers,OU=Groups,OU=L OC,OU=US,DC=COMPANY,DC=corp))

(Of course, your LDAP string for the group will be different then mine, but the objectClass=organizationPerson shouldn’t change)

Restart openfire and login.

Thanks for the help!

Eric_Honaker · October 1, 2008, 7:31pm

Spaces caused me problems until I used the System Properties fields instead of “Server Settings->Profile Settings.” In System Properties, just enclose the space-containing values in double-quotes.