Ignite Realtime: LDAP and AD - Limiting Users

Skip navigation

Up to Discussions in Openfire Support

5281 Views 9 Replies Latest reply: Oct 9, 2009 2:17 PM by AlphaTwin

jexbigin

68 posts since
Jun 12, 2009

Currently Being Moderated

Jun 14, 2009 6:56 PM

LDAP and AD - Limiting Users

After my initial problem with using firefox to configure openfire, I'm now trying to limit the users returned from AD that can use openfire.

Current AD:

company.local (dc)

---users

administrator

---company1 (ou)

---users (ou)

---dept_1 (ou)

user_a (cn)

user_b (cn)

---dept_2 (ou)

user_c (cn)

user_d (cn)

user_e (cn)

---dept_3 (ou)

user_f (cn)

---dept_4 (ou)

user_g (cn)

---dept_5 (ou)

user_h (cn)

---dept_6 (ou)

user_i (cn)

---security groups (ou)

---applications (ou)

xmpp_users (cn) - a security group

The xmpp_users group contains dept_1 and dept_2.

How can I limit the user list to only those users who resolve to members of xmpp_users? Setting BaseDN to dc=company,dc=local gives me all accounts including computers. I have tried this filter

(&(objectClass=organizationalPerson)(memberof=CN=XMPP_Users,OU=Applications,OU=S ecurity Groups,OU=Company1,DC=company,DC=local)) but it means I can't add any administrators.

I can filter the groups to only show dept_1 and dept_2 using a similar filter.

Is also possible to have a group that contains openfire admins?

Like (0)

curtwilson
11 posts since
Dec 5, 2008

Currently Being Moderated

Jun 14, 2009 9:44 PM (in response to jexbigin)
Re: LDAP and AD - Limiting Users

The following is what I did to limit the users and groups that were returned from Active Directory into Openfire:

1) Create security group called, "Openfire Users"
2) Create security group called, "Openfire Groups"
3) Add users in AD to the "Openfire Users" security group that you want to have access
4) Add security groups in AD (such as: IT, Accounting, Department1, Department2, etc...) that define the users in step 3 to the "Openfire Groups"
5) Configure Openfire Setup with the following:
base dn: DC=company,DC=local
user filter: (memberOf=CN=Openfire Users,CN=Users,DC=company,DC=local)
group filter: (memberOf=CN=Openfire Groups,CN=Users,DC=company,DC=local)

Notes:
- I had to setup my "Openfire Groups" security group as a "Domain Local" type, so that other security groups (Global) could be properly added as members.
- I recommend setting up a few users into "Openfire Users" and a few groups into "Openfire Groups" and testing the configuration within the Openfire Setup to verify that everything is working properly, before you spend too much time doing this for 100s of users.

The Openfire Setup will allow you to choose Admin users who can manage Openfire, after you have setup LDAP. But the Admin users cannot be maintained through AD.

-- Curt

Report Abuse

Like (0)
- jexbigin
  68 posts since
  Jun 12, 2009
  
  Currently Being Moderated
  
  Jun 14, 2009 10:03 PM (in response to curtwilson)
  Re: LDAP and AD - Limiting Users
  
  So, you couldn't have AD groups as members of the openfire_users CN ? I have a number of departments and would rather just add a user to the department group if they move in/out of departments and not have to directly manager the openfire users.
  
  Brian
  
  Report Abuse
  
  Like (0)
  - curtwilson
    11 posts since
    Dec 5, 2008
    
    Currently Being Moderated
    
    Jun 14, 2009 10:31 PM (in response to jexbigin)
    Re: LDAP and AD - Limiting Users
    
    That sounds like that could work. To a degree it just comes down to how you want to manage your users and groups. You may have to setup your "openfire_users" as a "Domain Local" security group type, so other security groups can be added as members.
    
    -- Curt
    
    Report Abuse
    
    Like (0)
jexbigin
68 posts since
Jun 12, 2009

Currently Being Moderated

Jun 16, 2009 7:32 PM (in response to jexbigin)
Re: LDAP and AD - Limiting Users

I found the solution;

The user filter needs to be:

(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=openfire_Users,OU=Appl ications,OU=Security Groups,OU=CompanyA,DC=Company,DC=local))

It gave me the correct limited list of users with the test button.

I just need to see why I came across another
HTTP ERROR: 500
INTERNAL_SERVER_ERROR
RequestURI=/setup/setup-admin-settings.jsp
Caused by:
java.lang.NullPointerException
after the group settings.

Brian

Report Abuse

Like (0)
- jexbigin
  68 posts since
  Jun 12, 2009
  
  Currently Being Moderated
  
  Jun 21, 2009 8:28 PM (in response to jexbigin)
  Re: LDAP and AD - Limiting Users
  
  I think I found the cause of the error myself. It appears to be a timeout related issue as I went through the whole install again without looking for extra details, filled in everything as I was wanting it and all went fine.
  
  Report Abuse
  
  Like (0)
  - jexbigin
    68 posts since
    Jun 12, 2009
    
    Currently Being Moderated
    
    Jun 21, 2009 8:29 PM (in response to jexbigin)
    Re: LDAP and AD - Limiting Users
    
    I now have a working server after a few more reinstalls due to plugin corruptions.
    
    All good for now.
    
    Report Abuse
    
    Like (0)
- AlphaTwin
  12 posts since
  Oct 8, 2009
  
  Currently Being Moderated
  
  Oct 9, 2009 1:13 PM (in response to jexbigin)
  Re: LDAP and AD - Limiting Users
  
  Sorry to resurect a long dead thread but I have almost the same problem and near certain it's with my User Filter.
  
  Can you tell me what the "memberOf:1.2.840.113556.1.4.1941" is for in your string.
  
  I think that may be my problem because I just copied what you have but not sure what it is and if it works with my setup.
  
  Here's what I tried to use:
  (&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=INSTANT MESSAGING - SECURITY,OU=INSTANT MESSAGING,OU=SECURITY GROUPS,OU=GROUPS,DC=PBTRUCK,DC=COM))
  
  But it still doesn't find any users in that Group. I'm in LDAP Hell here .
  
  Thanks
  Eric
  
  Report Abuse
  
  Like (0)
  - jexbigin
    68 posts since
    Jun 12, 2009
    
    Currently Being Moderated
    
    Oct 9, 2009 2:11 PM (in response to AlphaTwin)
    Re: LDAP and AD - Limiting Users
    
    This is MS AD. The memberOf:1.2.840.113556.1.4.1941 allows the supplied DN to be iterated for all members so if you put groups in it, the groups members will be found. See http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx
    
    What I did was download a free ldap browser that allow queries. Can't remember which one worked best as all the ones I tried had pros and cons. One of them shower the memberof format which I then looked up on msdn. If it is not an AD install, you may need to use DN instead of DC.
    
    Do you have any error messages come up?
    
    Brian
    
    Report Abuse
    
    Like (0)
    - AlphaTwin
      12 posts since
      Oct 8, 2009
      
      Currently Being Moderated
      
      Oct 9, 2009 2:17 PM (in response to jexbigin)
      Re: LDAP and AD - Limiting Users
      
      This link might help as to what I'm doing:
      http://www.igniterealtime.org/community/message/196868#196868
      
      I'm pretty sure I've got everything correct except this damn User Filter. Probably wouldn't hurt if I knew a bit more about LDAP. I'll go download an LDAP browser. I use ADSI Edit in my MMC console but it doesn't have the functionality I'm looking for.
      
      Thanks for the reply
      Eric
      
      Report Abuse
      
      Like (0)

Go to original post

Legend

Correct Answers - 10 points
Helpful Answers - 5 points