How to Setup Authentication Groups with LDAP/AD

Version 5

    In this example I'll be using the following:

     

    AD domain = AD-DOMAIN.local

    access group = Openfire Access Group

    roster groups = _IM Group1, _IM Group2

     

    (*note - I'll be using _IM as part of a wildcard search, so all my groups start with _IM for that reason)

     

     

    First create your security groups:

    1. Create a Domain Local Security Group. In our example call it Openfire Access Group. In this example, I've placed the group in the user container

     

    2. Create regular security groups (usually Global). In this example: _IM Group1 and _IM Group2.

     

    3. Make _IM Group1 and _IM Group2 members of the Openfire Access Group

     

     

    4. Add your users to the _IM groups

    NOTE: be sure to include your openfire admin account in a group, or you will not be able to log into the admin page.

     

     

    5. Next, set your system properties in openfire:

     

     

    ldap.baseDN

    DC=AD-DOMAIN,DC=local

     

     

    ldap.groupSearchFilter

    (&(objectClass=group)(cn=_IM*))

    *This will only list groups that start with _IM

     

     

    ldap.searchfilter(&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556. 1.4.1941:=CN=Openfire Access Group,CN=Users,DC=AD-DOMAIN,DC=local))(!(userAccountControl:1.2.840.113556.1.4. 803:=2)))

    * watch out for cut and paste issues.  Sometimes an extra spaces will be added in the string that will need to be removed. There should be no spaces in memberOF or userAccountControl.

     

    *This string will only allow, and display users that are members of the Openfire Access Group (including members of nested groups) that we created earlier. Disabled user accounts are excluded.

     

    Restart Openfire.

     

    At this point, only the _IM groups will be listed, as will only the users of the groups.

     

    6. Enable Contact List Sharing for shared rosters. (optional)