Well, I’ve searched through as many threads as I can find without joy, so either I’m doing something stupid or something that can’t be done I guess
Basically, I’ve got an AD setup (not managed by me so I’d rather not go asking for new groups to be sorted out if I can avoid it!)
- company.local
  - Group1
  - Group2
    - City1
      - Users
      - PCs
    - City2
  - Lots of other OUs
  - Groups
  - Group1
  - Group2
  - Group3
    - GroupName1 (CN)
So, if I set the baseDN to DC=company,DC=local I can connect OK but I get tons of useless accounts, PCs, etc. I thought I could go with that but apply a User Filter to just show users from Group2,City1,Users by having (objectClass=organizationalPerson)&(OU=Users,OU=City1,OU=Group2,DC=company,DC=local) but I get no joy on finding users with that. But if I specify the baseDN down to that level, then I do just get those users.
I was reasonably happy with that approach, but it could get problematic if I wanted to add in City2 as well, but I thought I’d worry about that later. So then I tried to add in groups, and I’m hitting a problem as if I specify the baseDN down to City1, then GroupName1 sits way outside that base and I don’t seem able to find it. But even if I try the higher baseDN, I still don’t seem able to specify the group down using the Group Filter - in a similar way to the User Filter problem I’m having. So maybe I’ve made a wrong assumption on syntax or something?
I have a solution but first I want to tell you about my mistake in my last answer.
The mistake:
It is not possible to search the LDAP pathname using wildcards. So, you can also check that if you use for instance "Softerra LDAP Browser". If you use something like "distinguishedName=CN=,OU=City1,OU=Group2,DC=company,DC=local" (without the ") as a filter, then you don’t get a result. You only get results if you use "distinguishedName=" (without the ")
A solution:
If you have special values for a specific attribute of the user entries, you can solve the problem. An example: If you have a value like userOnly in the attribute objectClass only in your user entries, you can use a search filter like (objectclass=userOnly)
Before you use a new configuration file, you should delete your openfire database and create a new one. You can use perl if you use i.e. a MySQL database and if you have a lot of groups and want to use contact list sharing. This is my search filter in openfire.xml…
I’d come to a similar conclusion, and also had to change the baseDN so it was at the top of my AD as I wanted to use groups which sat outside that specific DN.
So I did something similar to what you suggested, using (!(objectClass=computer)) for my user filter to get rid of loads of computer entries and leaving me with pretty much what I wanted, and then (&(objectClass=group)(description=Mail*)) to find mailing lists for my groups.
Works a treat!! Now if only there was a working opensource cluster plugin that didn’t need oracle…
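Added example, not from this thread or from Openfire: a small LDAP search-filter evaluator run over constructed entries laid out like the AD tree above. It shows why the first attempt failed (the string is two filters glued with "&", and OU path components are not attributes of a user entry, so the answer's point about not being able to search the DN path holds) and why the final filters from the last post work: baseDN decides which subtree is searched, the filter only tests attributes. Entry names, DNs and the description values are made up; "Admins" is an extra group added to show the Mail* prefix actually filtering.

```python
import re
ENTRIES = {  # constructed DN -> attributes, modelled on the thread's layout
    "CN=Alice,OU=Users,OU=City1,OU=Group2,DC=company,DC=local":
        {"objectClass": ["person", "organizationalPerson", "user"]},
    "CN=PC01,OU=PCs,OU=City1,OU=Group2,DC=company,DC=local": {"objectClass": ["computer"]},
    "CN=GroupName1,OU=Group3,OU=Groups,DC=company,DC=local":
        {"objectClass": ["group"], "description": ["Mail - sales list"]},
    "CN=Admins,OU=Group3,OU=Groups,DC=company,DC=local":
        {"objectClass": ["group"], "description": ["Local admins"]},
}

def parse(f, i=0):
    """Parse one RFC 4515 filter starting at f[i]; return (node, index after it)."""
    if f[i] != "(": raise ValueError("filter must start with '('")
    if f[i + 1] in "&|":                      # (&(...)(...)) or (|(...)(...))
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1              # skip the closing ')'
    if f[i + 1] == "!":                       # (!(...))
        node, i = parse(f, i + 2)
        return ("!", node), i + 1
    end = f.index(")", i)                     # (attr=value); value may contain commas
    attr, _, value = f[i + 1:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def is_valid_filter(f):
    """True only if the whole string is a single well-formed filter (no trailing text)."""
    try:
        return parse(f)[1] == len(f)
    except (ValueError, IndexError):
        return False

def matches(node, attrs):
    """Evaluate a parsed filter against an entry's attributes, never against its DN."""
    if node[0] == "&": return all(matches(k, attrs) for k in node[1])
    if node[0] == "|": return any(matches(k, attrs) for k in node[1])
    if node[0] == "!": return not matches(node[1], attrs)
    _, attr, value = node
    # '*' is the only wildcard; values are compared case-insensitively
    pattern = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"
    vals = [v for k, vs in attrs.items() if k.lower() == attr for v in vs]
    return any(re.match(pattern, v, re.I) for v in vals)

def search(base_dn, ldap_filter, entries=ENTRIES):
    """Subtree search: entries below base_dn whose attributes match the filter."""
    if not is_valid_filter(ldap_filter):
        raise ValueError("malformed filter: " + ldap_filter)
    node, suffix = parse(ldap_filter)[0], "," + base_dn.lower()
    return sorted(dn for dn, attrs in entries.items()
                  if dn.lower().endswith(suffix) and matches(node, attrs))
```

With the City1 baseDN, (objectClass=group) returns nothing because GroupName1 lives under OU=Groups, outside that subtree; with the top-level baseDN, (!(objectClass=computer)) drops the PC entries and (&(objectClass=group)(description=Mail*)) returns only the mailing-list group.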