Binding Openfire to Active Directory LDAP

These are directions for Openfire 3.5.x and below. Openfire 3.6.x and above are quite different. For one, most of the settings are now stored in the database and are edited via the Openfire admin website, by editing the appropriate System Property.

Binding to AD is fairly straightforward when using the Openfire setup wizard. The problems come with complex AD configurations (a Forest with 2 or more Trees, for example) or improper naming in your AD structure. Do not use spaces or other special characters ({, [, }, ], *, &, $, etc.) in your AD naming structure. LDAP is a web protocol. These characters are not truly valid and could lead to problems. To start you will need to know the full domain name of the top-most part of the Forest you wish to use. Active Directory 2003 and higher allows a different pre-Windows 2000 name for the domain. You cannot use the pre-Windows 2000 simple name unless it is a true domain name (company.com, company.local, etc.). I will use the following picture for reference:

Note the following for our AD setup:

  • Domain: intra.domain.com

  • Pre Windows 2000 Domain: INTRA

  • OU containing our User Accounts: domainAccounts

  • OU for our Groups (sub OU of domainAccounts): domainGroups

    • Sub OUs for specific groups: DistributionGroups, SecurityGroups, LDAPGroups

    • All groups in LDAPGroups begin with LDAP (i.e. LDAPgroup1)

  • Binding account username: ldapbind

The BaseDN used to bind under this configuration: OU=domainAccounts,DC=intra,DC=domain,DC=com

The AdminDN can be any of the following:

The port would be the standard 389.

We would want to filter the results for the groups to only include groups from the OU LDAPGroups, which all have the prefix LDAP:

<groupSearchFilter><![CDATA[(&(objectClass=group)(cn=LDAP*))]]></groupSearchFilter>

Modify the vCard mappings in openfire.xml to get a complete business vCard in Spark:

<vcard-mapping><![CDATA[
<vCard xmlns="vcard-temp">
  <N>
    <FAMILY>{sn}</FAMILY>
    <GIVEN>{givenName}</GIVEN>
  </N>
  <EMAIL>
    <INTERNET></INTERNET>
    <USERID>{mail}</USERID>
  </EMAIL>
  <FN>{displayName}</FN>
  <NICKNAME>{displayName}</NICKNAME>
  <PHOTO>
    <TYPE>image/jpeg</TYPE>
    <BINVAL>{jpegPhoto}</BINVAL>
  </PHOTO>
  <ADR>
    <HOME></HOME>
    <STREET>{homePostalAddress}</STREET>
  </ADR>
  <ADR>
    <WORK></WORK>
    <STREET>{postOfficeBox}</STREET>
    <LOCALITY>{l}</LOCALITY>
    <REGION>{st}</REGION>
    <PCODE>{postalCode}</PCODE>
    <CTRY>{c}</CTRY>
  </ADR>
  <TEL>
    <HOME></HOME>
    <VOICE></VOICE>
    <NUMBER>{homePhone}</NUMBER>
  </TEL>
  <TEL>
    <WORK></WORK>
    <VOICE></VOICE>
    <NUMBER>{telephoneNumber}</NUMBER>
  </TEL>
  <TEL>
    <WORK></WORK>
    <CELL></CELL>
    <NUMBER>{mobile}</NUMBER>
  </TEL>
  <TEL>
    <WORK></WORK>
    <PAGER></PAGER>
    <NUMBER>{pager}</NUMBER>
  </TEL>
  <TEL>
    <WORK></WORK>
    <FAX></FAX>
    <NUMBER>{facsimileTelephoneNumber}</NUMBER>
  </TEL>
  <TITLE>{title}</TITLE>
  <URL>{wWWHomePage}</URL>
  <ORG>
    <ORGNAME>{company}</ORGNAME>
    <ORGUNIT>{department}</ORGUNIT>
  </ORG>
</vCard>]]></vcard-mapping>

Forest with Multiple Trees

For more complicated AD Forests, such as one with 2 or more sub-domains, you will need to set your BaseDN to the top of the Forest. In our example domain it would be DC=intra,DC=domain,DC=com, but you need to change the port to 3268 (the Global Catalog port). This will allow you to access users from all the domains in the Forest. Filters will be of the utmost importance to limit which accounts and groups show in the Openfire admin website.

Other Sample Filters

Sample user filter to limit accounts to specific Security Groups (you cannot limit by OU):

<searchFilter><![CDATA[(&(objectClass=organizationalPerson)(|(memberOf=cn=LDAPGroup1,ou=accounts,dc=domain,dc=com)(memberOf=cn=LDAPGroup2,ou=SecondaryAccounts,dc=domain,dc=com)))]]></searchFilter>

Here is a group filter to go with this prefixed groups structure:

<groupSearchFilter><![CDATA[(&(objectClass=group)(cn=LDAPGroup*))]]></groupSearchFilter>

The LDAP filter you specify does not limit searches to specific OUs, only specific group memberships. Filtering by OU is not possible in Active Directory unless you use the ou attribute, which is not populated by default for new user accounts.
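To make the filter syntax concrete, here is an added Python example (not part of the original article and not Openfire code) that builds the prefix-based group filter and the memberOf user filter shown above, escapes values per RFC 4515, and checks a filter for balanced parentheses, which is exactly how the mangled group filter earlier on this page fails. It assumes only the standard library; the group names and DNs used with it are constructed sample values following the article's layout.

```python
# Added example (not from the article or Openfire): build and sanity-check the
# AD search filters used in the Openfire LDAP configuration. Standard library only.

# RFC 4515 escapes for values placed inside a filter. Unescaped '*', '(', ')'
# or '\' in a value change the filter's meaning, which is why the article warns
# against special characters in AD names.
FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_filter_value(value: str) -> str:
    """Escape a literal value (a cn prefix, a group DN) for use in a filter."""
    return ''.join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def check_filter(filt: str) -> tuple:
    """Return (ok, reason). Verifies the filter is one parenthesised expression
    with balanced parentheses; the mangled '[&(objectClass=group)(cn=LDAP*))'
    from the article and a filter missing its final ')' both fail here."""
    if not (filt.startswith('(') and filt.endswith(')')):
        return False, 'filter must start with ( and end with )'
    depth, i = 0, 0
    while i < len(filt):
        ch = filt[i]
        if ch == '\\':            # skip an escaped byte such as \2a
            i += 3
            continue
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                return False, 'unexpected ) at offset %d' % i
            if depth == 0 and i != len(filt) - 1:
                return False, 'more than one top-level expression'
        i += 1
    if depth != 0:
        return False, 'missing %d closing parenthesis(es)' % depth
    return True, 'ok'

def group_filter(prefix: str) -> str:
    """Groups whose cn starts with prefix (the article's LDAP* groups)."""
    return '(&(objectClass=group)(cn=%s*))' % escape_filter_value(prefix)

def user_filter(group_dns: list) -> str:
    """Users that are a direct member of any of the listed group DNs.
    The DNs passed in are constructed sample values following the article."""
    clauses = ''.join('(memberOf=%s)' % escape_filter_value(dn) for dn in group_dns)
    return '(&(objectClass=organizationalPerson)(|%s))' % clauses
```

Running check_filter over a filter before pasting it into openfire.xml catches the unbalanced or mis-escaped cases that otherwise surface only as a failed bind or an empty user list in the admin console.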

For me this didn't work exactly. This line: ]]>

was broken for me. I had to change it to: ]]>

After that it worked like a champ.

You are right, I do not know why Clearspace added the escape characters in there.

The group query is working fine, but unfortunately the query itself has a 448 character limitation (because I need to add a lot of groups in Openfire), and the Openfire query itself is limited to 250 characters. I don't know if this is an Active Directory restriction or something else; if anybody knows about this, please let me know.

Thanks for the article.

Great article Todd, very helpful

Todd, I have a question about the ldapbind user. So far I've only managed to connect with a domain admin. But I want to use another, limited user. We already have users which are used in other software to pull LDAP groups and users. I have tried to put one of these users in Admin DN, but I get an auth error. Maybe my syntax is wrong. Say this user is 'binduser' and it sits in ou=CUsers and CUsers sits in ou=Company. So my Admin DN should look like: cn=binduser,ou=Company,ou=CUsers,dc=domain,dc=com ?

Ok, with the help of my colleague I have nailed this. My base DN was wrong too. It should be: ou=CUsers,ou=Company,dc=domain,dc=com

and admin DN: cn=binduser,ou=CUsers,ou=Company,dc=domain,dc=com

Does this:

<searchFilter><![CDATA[(&(objectClass=organizationalPerson)(|(memberOf=cn=LDAPGroup1,ou=accounts,dc=domain,dc=com)(memberOf=cn=LDAPGroup2,ou=SecondaryAccounts,dc=domain,dc=com)))]]></searchFilter>

go in the LDAP.SearchFilter property? If not, what property does it go in?

I want to only allow one Active Directory group to be able to log in to Jabber.

Hi All,

I was able to configure my Openfire server, but I'm using the "Default - Store users and groups in the server database." option for simple deployments. Is there a way to reconfigure my current setup to Active Directory LDAP using conf/openfire.xml?

At the moment I have 200+ clients on my network.

Looking forward to your input and advice.