Specifiy Specific Active Directory Groups for accounts

Openfire Openfire Support
1

I have put in Openfire as an installation for testing. Once I got over the installation with AD hurdle it was pretty much gravy, but I have some questions before I move this to a proper working enviroment.

1: When I dumped the AD into the local database, it gave me all the users. I’d rather just have it from two groups, let’s name them (Not the real names) TechOne and TechServ. The Domain is IMS.LOCAL and I know the IP and Name of the Controller.

2: This one is probably more spark related, but is there a way to log in by specifying the domain instead of the server? I’m already using SSO and that works out but I have to specifiy the server straight away.

3: Lastly, in the interest of standards compliance, does any installation of openfire phone out to the internet by default? If so, how can I disable this? We’re not using any sort of WAN or virtualization so that might make it easier.

Try to keep the answers dumb and thorough. I’m a programmer, not a system admin.

Thanks.

2

You have to use group filters and search filters to accomplish what you are trying to do. the “groups” are for roster groups and not really for access to openfire. however, you can create a dynamic authorization group to accomplish what you want to do. I also HIGHLY recommend using a backend database, such as mssql or mysql before doing any of this. That way, you can easily revert any changes back if you lose access to the GUI via the database tables.

for this example, I’ll be making the following assumptions

AD domain = IMS.local

access group = Openfire Access Group

roster groups = _IM TechOne, _IM TechServ

to create the dynamic access group, you need to create a Domain Local Security Group. In our example call it Openfire Access Group. Place this in your User container
Created regular security groups, in our example _IM TechOne and _IM TechServ. Make them a member of the Openfire Access Group

Add your users to the _IM groups (including your openfire admin account)

next, set your system properties in openfire

ldap.baseDN
DC=IMS,DC=local

ldap.groupSearchFilter
(objectClass=group)(cn=_IM*)

ldap.searchfilter
(&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Open fire Access Group,CN=Users,DC=IMS,DC=local)))

That should do it. Let me know if you have any problems.

3

So comming back, here’s the image I’m sitting on that’s giving me problems:

http://christophergorman.net/images/openfire/LDAP%20Info.jpg

I want to know what I’m supposed to put in these fields to restrict access to only the group “Fireball” (Security Group on DC with no assigned rights). Though everytime I press test I get a guy who’s not in said group or it errors out (as in this case you see).

4

you need to put in your ldapsearchfilter there, not the group search filter.

5

So this:

(&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Open fire Access Group,CN=Users,DC=IMS,DC=local)))

Needs to go into the User Filter field?

6

for the time being, you should just accept the defaults. once you get through the setup, you can change the filter. I’ve never messed with the filters during the inital setup, I’ve always make my changes later.

7

First and foremost make sure your group name and ou structures have no spaces in the names. It will make things easier.

Here is a sample filter for members of a group:

(&(objectClass=organizationalPerson)(|(memberOf=cn=LDAPGroup1,ou=accounts,dc=domain,dc=com)(memberOf=cn=LDAPGroup2,ou=SecondaryAccounts,dc=domain,dc=com)))





You can see more in in my doc:  http://www.igniterealtime.org/community/docs/DOC-1554
8

Alright. I’ve figured out something. Using LDP from the Windows XP Service Pack 2 Support Tools I decided to go domain browsing with it and to my irk the group I made (Fireball) doesn’t show up. I can’t quite figure out why, does my domain admin I’m searching the AD with need to be part of the group or something?