JustInCase2090 Bronze 6 posts since
Jun 10, 2009

Jun 11, 2009 2:24 PM

Group Mapping LDAP

I recently set up a Windows server to run Openfire. I tried to tie it in with an LDAP server, and for the most part everything seems to be working fine: it finds all the users and any info for them. The only problem is that when it comes to the group mapping part, I do not know any of the info to put in. The defaults are all there (cn, member, description), but the test fails, and if I save, it doesn't find any of the groups. On another similar post someone said to go into advanced settings and alter the BASE DN, but the advanced section only has posix mode and group filter; they are also still at their defaults.

 

I really have no idea where to go from here. If anyone has any tips, maybe on how I might find the correct info on my LDAP server, or other things to try, that would really help. I really don't ever remember changing anything like this from the defaults on the LDAP server, but I guess I must have.

 

I know the question is a little vague, sorry if it's a stupid question, but thanks in advance for any help.


Also, I do have an old server running Wildfire. I didn't set it up, but I have been looking through the config files to try and find the correct settings and am having no luck. Does anyone know where Openfire saves the configuration for the group mapping? I have been searching everywhere so I could compare the two, but even running a search for things like "objectClass" comes up with no results. If anyone has a hint as to where I might find the config file, that would be a huge help. Also, maybe if anyone has an example of what the fields should look like, that might help me know what I'm looking for as I go through my old server's config.

 

Message was edited by: JustInCase2090

  • dankdub Bronze 13 posts since
    Jun 2, 2009
    Jun 11, 2009 12:47 PM (in response to JustInCase2090)
    Re: Group Mapping LDAP

    Softerra's LDAP Browser (http://www.ldapadministrator.com/download.htm) or LDP (Windows Support Tools) should give you additional insight into your LDAP server's configuration/settings.

     

    It's okay to define this stuff post setup too, via the admin web page. It sounds like you're still in the setup wizard, based on your post. Sorry if my assumption is incorrect. If you search this site for 'LDAP' you should be able to find all the info you need to come up to speed and get your environment going... Best of luck! You'll get there

      • dankdub Bronze 13 posts since
        Jun 2, 2009
        Jun 12, 2009 10:05 AM (in response to JustInCase2090)
        Re: Group Mapping LDAP

        My ldap.groupMemberField is set to member and my ldap.groupNameField is set to CN - these are the recommended settings, per the install guide for an AD LDAP server.

         

        I'm not sure that I understand what you mean by, "if that was the case then wouldn't my current setting be making all the groups show up but without any members." Where? Spark client? Admin Console?

         

        Here's a brief overview of what I did, I hope this helps...

         

        • Created a 'service' account for LDAP access and assigned the necessary permissions via ADSIedit.msc.
        • Set my base DN to the top level of AD (example: DC=MyDomain,DC=local).
        • Created a global security group in AD for all the users whom I wanted to grant IM access to (example OpenFireUsers). Added appropriate users to said group.
        • Created an OU for all OpenFire groups, placed OpenFireUsers group in OpenFire OU.
        • Set my user filter to the OpenFireUsers group, example:

                (&(objectClass=organizationalPerson)(memberOf=CN=OpenFireUsers,OU=OpenFire,DC=MyDomain,DC=local))

        • Created OpenFire specific groups based on department/role (example OpenFireTeacher, OpenFireTeacherAid, OpenFireAdminStaff) in the OpenFire OU. Added users to their job/department specific group.
        • Set my group filter to a very generic/simple filter (example: (objectClass=Group)), mostly because I was having some issues that I've yet to work out. This will display all groups within AD under the Users/Groups, Groups tab of the Admin Console. I just selected the groups that I wanted to share and to whom I wanted to share them with and then simplified the groups display name (example Teachers, Teacher Aids, Admin Staff).
        • In Spark your groups, by default, will only show up if a member of the group is logged in *or* if you go to Contacts->Show Empty Groups.

         

        If none of this helps or is coming from far left field, please try to be more concise in articulating the problem you're trying to solve and where you're trying to solve it. Best of luck.

      • sixthring KeyContributor 3,797 posts since
        Apr 2, 2007
        Jun 13, 2009 6:53 AM (in response to JustInCase2090)
        Re: Group Mapping LDAP

        What type of LDAP server? The old config is in a file called openfire.xml found in the openfire install directory then the config folder. If it is wildfire, just look for the same thing but using wildfire.

          • jexbigin Bronze 68 posts since
            Jun 12, 2009
            Jun 17, 2009 5:45 PM (in response to JustInCase2090)
            Re: Group Mapping LDAP

            I think I know what you're having a problem with. If so, I had a similar issue. (http://www.igniterealtime.org/community/thread/38835)

             

            If the first part is that you want only the users you put in your JabberAccess security group, either directly or indirectly, then the users BaseDN can be quite wide but the filter would be along the lines of

            (&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=JabberAccess,OU=CompanyName,DC=Company,DC=local))  -- this will return all the users that are members of JabberAccess either by direct membership or membership of a member group.

             

            For the groups, you can put in a filter like (&(objectClass=group)(CN=JabberAccess,OU=CompanyName,DC=Company,DC=local)) and not change anything.

             

            Brian
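
Added example, not part of any post in this thread: a small Python helper that builds the direct and nested `memberOf` user filters discussed above and checks a filter string for structural mistakes before it is pasted into the admin console. The function names and the "Staff (East)" group are constructed for illustration; the other DNs reuse the thread's placeholder names. Escaping the group DN matters because an unescaped parenthesis in a group name changes the filter's structure, and with it the set of accounts the filter admits.

```python
import re

IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD matching rule: follow nested group membership

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(group_dn, nested=False, object_class="user"):
    """Users who are members of group_dn; nested=True also follows member groups."""
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    return "(&(objectClass=%s)(%s=%s))" % (object_class, attr, escape_filter_value(group_dn))

def check_filter(text):
    """Return structural problems found in a filter string (empty list = none)."""
    problems, depth, i = [], 0, 0
    while i < len(text):
        if text[i] == "\\":          # \xx escape is data, not structure: skip it
            i += 3
            continue
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth < 0:
                problems.append("unmatched ')' at offset %d" % i)
                depth = 0
        i += 1
    if depth:
        problems.append("%d unclosed '('" % depth)
    # RFC 4515's grammar has no whitespace between components; some servers tolerate it.
    if re.search(r"\)\s+\(", text):
        problems.append("whitespace between filter components")
    return problems

# Constructed inputs, reusing placeholder names from the thread.
GROUP_DN = "CN=JabberAccess,OU=CompanyName,DC=Company,DC=local"
ODD_GROUP_DN = "CN=Staff (East),OU=CompanyName,DC=Company,DC=local"
# Constructed broken filter: one ')' missing and a space between components.
BROKEN = ("(&(objectClass=organizationalPerson) "
          "(memberOf=CN=OpenFireUsers,OU=OpenFire,DC=MyDomain,DC=local)")

if __name__ == "__main__":
    print(user_filter(GROUP_DN))
    print(user_filter(GROUP_DN, nested=True))
    print(user_filter(ODD_GROUP_DN))
    print(check_filter(BROKEN))
```
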
