Group Mapping LDAP

I recently set up a windows server to run openfire, I tried to tie it in with an LDAP server and for the most part everything seems to be working fine, it finds all the users and any info for them. The only problem is that when it comes to the group mapping part I do not know any of the info to put in, the defaults are all there, cn, member, description, but the test fails and if I save it doesn’t find any of the groups. On another similar post someone said to go in to advanced settings and alter the BASE DN but the advanced only has posix mode and group filter, they are also still at their defualts.

I really have no idea where to go from here. If anyone has any tips, maybe on how I might find the the correct info on my LDAP server, or other things to try that would really help. I really don’t ever remember changing anything like this from the defaults on the LDAP server but I guess I must have.

I know the question is a little vague, sorry if its a stupid question, but thanks in advance for any help.

Also I do have an old server running wildfire, I didnt set it up but I have been looking the the config files to try and find the correct settings but am having no luck. Does anyone know where openfire saves the configuration for the group mapping, I have been searching everywhere so I could compair the two but even running a search for things like “objectClass” comes up with no results. If anyone has a hint as to where I might find the config file that would be a huge help. Also mabey if anyone has an example of what the fields should look like that might help me know what Im looking for as I go through my old servers config.

Message was edited by: JustInCase2090

1 Like

Softerra’s LDAP Browser (http://www.ldapadministrator.com/download.htm) or LDP (Windows Support Tools) should give you additional insight into your LDAP server’s configuration/settings.

It’s okay to define this stuff post setup too, via the admin web page. It sounds like you’re still in the setup wizard, based on your post. Sorry if my assumption is incorrect. If you search this site for ‘LDAP’ you should be able to find all the info you need to come up to speed and get your environment going… Best of luck! You’ll get there

OK I downloaded the program and it seems to be running fine, however Im still a little unsure of what Im looking for.

I can click on a user and see “memberOf” but they are ussually in more than one group, and Im not sure how to transition it in to the setup as the path to each is very differnt asside from they each seem to follow the format CN=*****************DC=company,DC=local.

I can also click on the groups button and see all the groups and everyone in each group. At this point I think Im looking for what to put in to the “member field” area I am almost sure the “group field” should remain as “cn” but if that was the case then wouldnt my current setting be making all the groups show up but without any members.

My ldap.groupMemberField is set to member and my ldap.groupNameField is set to CN - these are the recommended settings, per the install guide for an AD LDAP server.

I’m not sure that I understand what you mean by, “if that was the case then wouldn’t my current setting be making all the groups show up but without any members.” Where? Spark client? Admin Console?

Here’s a brief overview of what I did, I hope this helps…

  • Created a ‘service’ account for LDAP access and assigned the necessary permissions via ADSIedit.msc.

  • Set my base DN to the top level of AD (example: DC=MyDomain,DC=local).

  • Created a global security group in AD for all the users whom I wanted to grant IM access to (example OpenFireUsers). Added appropriate users to said group.

  • Created an OU for all OpenFire groups, placed OpenFireUsers group in OpenFire OU.

  • Set my user filter to the OpenFireUsers group, example:
    (&(objectClass=organizationalPerson) (memberOf=CN=OpenFireUsers,OU=OpenFire,DC=MyDomain,DC=local)

  • Created OpenFire specific groups based on department/role (example OpenFireTeacher, OpenFireTeacherAid, OpenFireAdminStaff) in the OpenFire OU. Added users to their job/department specific goup.

  • Set my group filter to a very generic/simple filter (example: (objectClass=Group) mostly bc I was having some issues that I’ve yet to work out. This will display all groups within AD under the Users/Groups, Groups tab of the Admin Console. I just selected the groups that i wanted to share and to whom I wanted to share them with and then simplified the groups display name (example Teachers, Teacher Aids, Admin Staff).

  • In Spark your groups, by default, will only show up if a member of the group is logged in or if you go to Contacts->Show Empty Groups.

If none of this helps or is coming from far left field, please try to be more concise in articulating the problem you’re trying to solve and where you’re trying to solve it. Best of luck.

What type of LDAP server? The old config is in a fire called openfire.xml found in the openfire install directory then the config folder. If it is wildfire, just look for the same thing but using wildfire.

Well first I have to say thank you. My problem was I had made my Base DN, too specific by adding OU=Users,OU=Employees, so like you said I made it more broad and cut it just to DC=Company,DC=local, and now all of the groups are all showing up.

While this will work I am now just trying to cut it down to just one jabber access group that has any groups I want inside of it. The path to this group is CN=JabberAccess,OU=Security Groups,DC=Company,DC=local. I think you said you set your filter in two different places, first to the specific openfire group then to the broad (objectClass=Group). I only have the option to enter a filter in the group area. I tried to write it how you wrote yours but it came up with an error. I was just wondering if you would know what I have to put in the filter area for it to only see people in that group.

However, like I said my main problem is fixed , so thank you very much for your help. Now Im just trying to clean up the group view so that not every group appears, only the groups I list in “Jabber Access”.

I found that file but it doesn’t seem to contain any of the information that I used in the setup. At this point I did solve my original problem with not seeing any groups now I’m just trying to fix another minor issue. I would start a new thread but I really feel it should be simple and just a repeat of other threads.

When we used wildfire they had set up a group in LDAP called JabberAccess. This group contained copies of any groups that they wanted Jabber to see. Currently my setup is broad and openfire sees every user and group in LDAP as my Base DN is set to “DC=company,DC=local” and my other filters are at their defaults. I would like to use their old group but I’m not sure how I would have to change my filters. I tried the “(&(objectClass=group)(CN=JabberAccess,OU=Security Groups,DC=company,DC=local))” and a couple other variations but all of them come up with an error.

I have read a ton of other similar posts but none of the solutions seemed to work. I would like to have it set that only people in a group in the JabberAccess group can log in but if it would be easier to just limit the groups and leave the users alone that works also. I can make a new thread if needed but I figured Id see if you had a quick fix or link to another thread.

Thanx

I think I know what your having a problem with. If so I had a similar issue. (http://www.igniterealtime.org/community/thread/38835)

If the first part is you want only the users you put in you JabberAccess security group either directy or indirectly then the users BaseDN can be quite wide but the filter would be along the lines of

(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=JabberAccess,OU=Compan yName,DC=Company,DC=local)) – this will return all the users that are members of JabberAccess either by direct membership or membership of a meber group.

For the groups, you can put in a filter like (&(objectClass=group)(CN=JabberAccess,OU=CompanyName,DC=Company,DC=local)) and not change anything.

Brian

Thanks, I was able to set it up like kind of like you said. I ended up setting my group filter to “(&(objectClass=group)(memberOf=CN=JabberAccess,OU=Security Groups,DC=company,DC=local))” so now it only imports the groups inside the access group.

I couldn’t get the user filter to work correctly but I decided to leave it as it. Now that I have the group settings correct if a person does not belong to any of the access groups they can sign in but wont be able to see who’s online. This way if I haven’t added the person they can still sign in but they will need to manually add contacts.

Thanks for all the help, I finally have the sever set up.

Good to hear. I just wish I could get mine to retain its setting at the end of the configuration (http://www.igniterealtime.org/community/thread/38868).

What browser did you do your configuartion through and what JRE version(s) did you have installed. I have had problems with some combinations (http://www.igniterealtime.org/community/thread/38827)

Brian

I used Internet Exploere 7 through the install and to connect to the admin console. Im not sure what JRE Im using on that server, but I think I got it off this site when I install the client.

I never tried using Firefox so Im not sure what kinda of effect that would have, sorry I really am kind of new to the use of any jabber stuff.