AD LDAP user/group filter problems

Hi all,

Well, I’ve searched through as many threads as I can find without joy, so either I’m doing something stupid or something that can’t be done I guess

Basically, I’ve got an AD setup (not managed by me so I’d rather not go asking for new groups to be sorted out if I can avoid it!)

-company.local

–Group1



–Group2

—City1

----Users

----PCs

—City2

–Lots of other OUs

–Groups

–Group1

–Group2

–Group3

—GroupName1 (CN)

So, if I set the baseDN to DC=company,DC=local I can connect OK but I get tons of useless accounts, PCs, etc. I thought I could go with that but apply a User Filter to just show users from Group2,City1,Users by having (objectClass=organizationalPerson)&(OU=Users,OU=City1,OU=Group2,DC=company,DC=l ocal) but I get no joy on finding users with that. But if I specify the baseDN down to that level, then I do just get those users.

I was reasonably happy with that approach, but could get problematic if I wanted to add in City2 as well, but I thought I’d worry about that later. So then I tried to add in groups, and I’m hitting a problem as if I specify the baseDN down to City1, then GroupName1 sits way outside that base and I dont seem able to find it. But even if I try the higher baseDN, I still dont seem able to specify the group down using the Group Filter - in a similar way to the User Filter problem I’m having. So maybe I’ve made a wrong assumption on syntax or something?

Any help would be massively appreciated!!

I did not delete this answer because beginners like me can learn of mistakes.

So you should ignore this reply and pay attention to my other reply…

Perhaps this helps:

Try…

(&(objectClass=organizationalPerson)(distinguishedName=CN={0},OU=Users,OU=City1, OU=Group2,DC=company,DC=local))

or…

(&(objectClass=organizationalPerson)(distinguishedName=CN={0},OU=City1,OU=Group2 ,DC=company,DC=local))

instead of…

(objectClass=organizationalPerson)&(OU=Users,OU=City1,OU=Group2,DC=company,DC=lo cal)

I have a solution but first I want to tell you about my mistake in my last answer.

The mistake:

It is not possible to search the LDAP pathname using wildcards. So, you can also check that if you use for instance “Softerra LDAP Browser”. If you use something like “distinguishedName=CN=,OU=City1,OU=Group2 ,DC=company,DC=local" (without the ") as a filter, then you don’t get a result. You only get results if you use "distinguishedName=” (without the ")

A solution:

If you have special values for a specific attribut of the users entries, you can solve the problem. An example: If you have a value like userOnly in the attribut objectClass only in your user entries you can use a search filter like (objectclass=userOnly)

Before you use a new configuration file, you should delete your openfire database and create a new one. You can use perl if you use i.e. MySQL database and if you have a lot of groups and want to use contact list sharing. This is my searchfilter in openfire.xml…

Good luck!

Florian

Thanks for your help Florian!

I’d come to a similar conclusion, and also had to change the baseDN so it was at the top of my AD as I wanted to use groups which sat outside that specific DN.

So I did something similar to what you suggested, using (!(objectClass=computer)) for my user filter to get rid of loads of computer entries and leaving me with pretty much what I wanted, and then (&(objectClass=group)(description=Mail*)) to find mailing lists for my groups.

Works a treat!! Now if only there was a working opensource cluster plugin that didnt need oracle…

Here is how I like to do it

http://community.igniterealtime.org/message/204068#204068