How to Setup Authentication Groups with LDAP/AD

Document created by speedy Champion on Feb 27, 2015Last modified by speedy Champion on Apr 27, 2016
Version 5Show Document
  • View in full screen mode

In this example I'll be using the following:

 

AD domain = AD-DOMAIN.local

access group = Openfire Access Group

roster groups = _IM Group1, _IM Group2

 

(*note - I'll be using _IM as part of a wildcard search, so all my groups start with _IM for that reason)

 

 

First create your security groups:

1. Create a Domain Local Security Group. In our example call it Openfire Access Group. In this example, I've placed the group in the user container

 

2. Create regular security groups (usually Global). In this example: _IM Group1 and _IM Group2.

 

3. Make _IM Group1 and _IM Group2 members of the Openfire Access Group

 

 

4. Add your users to the _IM groups

NOTE: be sure to include your openfire admin account in a group, or you will not be able to log into the admin page.

 

 

5. Next, set your system properties in openfire:

 

 

ldap.baseDN

DC=AD-DOMAIN,DC=local

 

 

ldap.groupSearchFilter

(&(objectClass=group)(cn=_IM*))

*This will only list groups that start with _IM

 

 

ldap.searchfilter(&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556. 1.4.1941:=CN=Openfire Access Group,CN=Users,DC=AD-DOMAIN,DC=local))(!(userAccountControl:1.2.840.113556.1.4. 803:=2)))

* watch out for cut and paste issues.  Sometimes an extra spaces will be added in the string that will need to be removed. There should be no spaces in memberOF or userAccountControl.

 

*This string will only allow, and display users that are members of the Openfire Access Group (including members of nested groups) that we created earlier. Disabled user accounts are excluded.

 

Restart Openfire.

 

At this point, only the _IM groups will be listed, as will only the users of the groups.

 

6. Enable Contact List Sharing for shared rosters. (optional)

Attachments

    Outcomes