Binding Openfire to Active Directory LDAP

Version 11

    These are directions for Openfire 3.5.x and below. Openfire 3.6.x and above are quite different: for one, most of the settings are now stored in the database and are edited via the Openfire admin website, by editing the appropriate System Property.

    Binding to AD is fairly straightforward when using the Openfire setup wizard. The problems come with complex AD configurations (a Forest with 2 or more Trees, for example), or improper naming in your AD structure. Do not use spaces or other special characters ({, [, }, ], *, &, $, etc.) in your AD naming structure. LDAP is a web protocol; these characters are not truly valid and could lead to problems. To start you will need to know the full domain name of the top-most part of the Forest you wish to use. Active Directory 2003 and higher allows for different pre-Windows 2000 names for the domain. You cannot use the pre-Windows 2000 simple name unless it is a true domain name (company.com, company.local, etc.). I will use the following picture for reference:

    Note the following for our AD setup:

    • Domain:  intra.domain.com

    • Pre Windows 2000 Domain:  INTRA

    • OU containing our User Accounts:  domainAccounts

    • OU for our Groups (sub OU of domainAccounts): domainGroups

      • Sub OUs for specific groups: DistributionGroups, SecurityGroups, LDAPGroups

      • All groups in LDAPGroups begin with LDAP (i.e. LDAPgroup1)

    • Binding account username:  ldapbind

    The BaseDN used to bind under this configuration: OU=domainAccounts,DC=intra,DC=domain,DC=com

    The AdminDN can be any of the following:

    The port would be the standard 389.

    We would want to filter the results for the groups to only include groups from the OU LDAPGroups, which all have the prefix LDAP:

    <groupSearchFilter><![CDATA[(&(objectClass=group)(cn=LDAP*))]]></groupSearchFilter>

    Modify the vCard mappings in openfire.xml to get a complete business vCard in Spark:

    <vcard-mapping><![CDATA[
    <vCard xmlns="vcard-temp">
      <N>
        <FAMILY>{sn}</FAMILY>
        <GIVEN>{givenName}</GIVEN>
      </N>
      <EMAIL>
        <INTERNET></INTERNET>
        <USERID>{mail}</USERID>
      </EMAIL>
      <FN>{displayName}</FN>
      <NICKNAME>{displayName}</NICKNAME>
      <PHOTO>
        <TYPE>image/jpeg</TYPE>
        <BINVAL>{jpegPhoto}</BINVAL>
      </PHOTO>
      <ADR>
        <HOME></HOME>
        <STREET>{homePostalAddress}</STREET>
      </ADR>
      <ADR>
        <WORK></WORK>
        <STREET>{postOfficeBox}</STREET>
        <LOCALITY>{l}</LOCALITY>
        <REGION>{st}</REGION>
        <PCODE>{postalCode}</PCODE>
        <CTRY>{c}</CTRY>
      </ADR>
      <TEL>
        <HOME></HOME>
        <VOICE></VOICE>
        <NUMBER>{homePhone}</NUMBER>
      </TEL>
      <TEL>
        <WORK></WORK>
        <VOICE></VOICE>
        <NUMBER>{telephoneNumber}</NUMBER>
      </TEL>
      <TEL>
        <WORK></WORK>
        <CELL></CELL>
        <NUMBER>{mobile}</NUMBER>
      </TEL>
      <TEL>
        <WORK></WORK>
        <PAGER></PAGER>
        <NUMBER>{pager}</NUMBER>
      </TEL>
      <TEL>
        <WORK></WORK>
        <FAX></FAX>
        <NUMBER>{facsimileTelephoneNumber}</NUMBER>
      </TEL>
      <TITLE>{title}</TITLE>
      <URL>{wWWHomePage}</URL>
      <ORG>
        <ORGNAME>{company}</ORGNAME>
        <ORGUNIT>{department}</ORGUNIT>
      </ORG>
    </vCard>]]></vcard-mapping>

    Forest with Multiple Trees

    For more complicated AD Forests, such as one with 2 or more sub-domains, you will need to set your BaseDN to the top of the Forest. In our example domain it would be DC=intra,DC=domain,DC=com, but you need to change the port to 3268 (the Global Catalog port). This will allow you to access users from all the domains in the Forest. Filters will be of the utmost importance to limit what accounts and groups show in the Openfire admin website.

    Other Sample Filters

    Sample user filter to limit accounts to specific Security Groups (you cannot limit by OU):

    <searchFilter><![CDATA[(&(objectClass=organizationalPerson)(|(memberOf=cn=LDAPGroup1,ou=accounts,dc=domain,dc=com)(memberOf=cn=LDAPGroup2,ou=SecondaryAccounts,dc=domain,dc=com)))]]></searchFilter>

    Here is a group filter to go with this prefixed-groups structure:

    <groupSearchFilter><![CDATA[(&(objectClass=group)(cn=LDAPGroup*))]]></groupSearchFilter>
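The group filters and the memberOf user filter above are plain RFC 4515 search filters, and a single stray bracket (such as `[&` in place of `(&`) breaks them without Openfire telling you why. As an added example, not part of this document or of Openfire, here is a small Python parser that validates such a filter before it goes into openfire.xml, together with an RFC 4515 escaper for building the prefix group filter from a value that may contain the special characters warned about earlier; `escape_filter_value`, `group_filter` and `parse_filter` are names chosen for this example, not Openfire settings.

```python
"""Validate Openfire LDAP search filters and escape values (RFC 4515)."""

# Characters that must be hex-escaped inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before interpolating it into a filter (blocks LDAP injection)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_filter(prefix: str) -> str:
    """Build the prefix-based group filter used on this page, with the prefix escaped."""
    return f"(&(objectClass=group)(cn={escape_filter_value(prefix)}*))"


def parse_filter(text: str):
    """Parse a filter into nested tuples: ('&'|'|', [subs]), ('!', sub) or (attr, value).
    Covers the equality/substring filters used in Openfire configs; raises ValueError
    on unbalanced or mis-bracketed input instead of letting it reach AD."""
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if text[pos:pos + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def item():
        nonlocal pos
        expect("(")
        op = text[pos:pos + 1]
        if op in ("&", "|"):          # and / or: one or more nested filters
            pos += 1
            subs = []
            while text[pos:pos + 1] == "(":
                subs.append(item())
            if not subs:
                raise ValueError(f"empty {op!r} filter at offset {pos}")
            node = (op, subs)
        elif op == "!":               # not: exactly one nested filter
            pos += 1
            node = ("!", item())
        else:                         # attr=value; an escaped ')' is '\29', so find() is safe
            end = text.find(")", pos)
            if end < 0 or "=" not in text[pos:end]:
                raise ValueError(f"malformed simple filter at offset {pos}")
            attr, _, value = text[pos:end].partition("=")
            node, pos = (attr, value), end
        expect(")")
        return node

    node = item()
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node
```

Run `parse_filter` over the CDATA contents of each `<searchFilter>` and `<groupSearchFilter>` you add; the broken `[&(objectClass=group)(cn=LDAP*))` variant fails at offset 0, while the corrected filters parse cleanly.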