Openfire LDAP authentication and restrictions

Adam_Tyler · December 23, 2014, 5:03pm

Hello all. New Openfire server user and I had a quick question regarding restricting login for users when using LDAP. LDAP authentication is successfully configured in my environment, but I was curious how to restrict login or allow login for specific groups of users? When I configured LDAP integration I used the root base DN of the entire domain and it appears that populated ever user account in my database.

Also in regard to Openfire groups… What are they used for? It seems that end users can “group” contacts on the fly and type in whatever they want. How do the “groups” configuration from the admin console differ from this? Is there a way to populate end user clients with their own department’s contacts for example?

Regards,

Adam Tyler

Adam_Tyler · February 27, 2015, 5:19pm

Hello all… I seemed to have answered my own question here and thought it would be a good idea to post my fix. I ended up going through the LDAP setup again and entering two new LDAP queries to narrow the scope of deployment. in addition to restricting login for certain users it did also help with the responsiveness of the Users/Groups tab in the admin console. Before this change they loaded horribly slow. I am using LDAPS and have seen some posts about issues with that…

Step 1: was to create a new security group in AD that all Openfire users would be a member of. The idea being that users who are not members will not be pulled into the user list automatically and would not be able to log in. My group name was simply called Openfire-EnabledUsers

Step 2: was to support roster auto-populate or so I call it. I didn’t want every single AD group pulled into the group list of the admin console. This made configuring groups for Openfire inefficient and made the admin console tabs load slowly. So I created a group for every department that I might want to populate in the roster. For example “Openfire-Accounting” and “Openfire-Maintenance”.

Finally step three was to reconfigure the LDAP integration from the Openfire admin console. I still used the base DN for the entire domain, but I added the following LDAP queries on the subsequent config pages:

ldap.groupSearchFilter: (&(objectcategory=group)(CN=Openfire*))

Keep in mind all groups used to manage Openfire users would need to start with Openfire…

ldap.searchFilter: (&(objectcategory=user)(memberof=CN=Openfire-EnableUser,OU=Security,OU=All Groups,DC=domainname,DC=local))

This is the change which requires all users to be a member of “Openfire-EnableUser” group.

speedy · February 27, 2015, 9:11pm

Looks like you figured this out, but I wrote up a doc on this a while ago. You might find the additional search filter handy

How to Setup Dynamic Groups and Shared Rosters with LDAP/AD

Adam_Tyler · February 27, 2015, 9:24pm

Ah! Wish I had found your guide before the manual process I went through… Search must have failed me… Thanks for the info!

speedy · February 27, 2015, 10:10pm

ooops. I was updating the document and just deleted it by mistake. thats been on par with my day.