Openfire Active Directory Authentication

Oh the joy and the pain of this….

After a very long time I have now got this working how I want it but it was painful getting the right runes to make the two play nicely.

What I wanted:

  • To have a group in AD that could access and authenticate to Openfire
  • To have a groups in Openfire that were defined by an AD group.

AD Structure

  • All of our users are in a group called “Foo Users”
  • All of our groups are in “Foo Groups”
  • All of our Openfire users are in a group called “openfire” which  is inside “Foo Groups”
  • Our Openfire groups are in “Openfire Groups” which is in “Foo Groups” (I made “Openfire Groups” a universal group, this may or may not be needed).
  • I then made the “openfire” group a member of “Openfire Groups”
  • Our domain is called

The authentication

  • ldap.baseDN : dc=”foo”,dc=”com”
  • adminDN : cn=”administrator”,cn=”Users”,dc=”foo”,dc=”com”
  • Userfilter : (&(memberOf=CN=openfire,OU=Foo Groups,DC=foo,DC=com))
  • Groupfilter : (&(memberOf=CN=openfire,OU=Foo Groups,DC=foo,DC=com))

Hope this helps someone  🙂

13 thoughts on “Openfire Active Directory Authentication

  1. This was a massive help, thanks a lot! I have lost 3 hours trying to work out what values it was looking for, and with this example it too 3 minutes! I wish documentation was this clear!! Thanks again!

  2. I am getting some error while configuring openfire with active directory 2008. I put

    When I gave CN, DN, OU the same mentioned above I got this error.

    [LDAP: error code 8 – 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db0]

    I am trying to figure out problem. Please Help Me.
    Thanks !

  3. CentOS 6.0 – 64bit — had to add libldb.i686 for JVM

    Openfire 3.7.0

    Name : mysql
    Arch : x86_64
    Version : 5.1.52
    Release : 1.el6_0.1

    Server set-up for initial configuration, for admin GUI after configuration

    I opened firewall ports
    9090 – this can be blocked after configuration as port 9091 will be used thereafter for admin
    To get this ‘switched off’ enter ‘-1’ in the openfire.xml file

    Increase JVM memory by adding DAEMON_OPTS=”-Xms256m -Xmx512m” to /etc/sysconfig/openfire

    Connection Settings
    baseDN: dc=foo,dc=local

    adminDN:,cn=Users,dc=foo,dc=local — also worked for me

    User Mapping
    Username Field: sAMAccountName

    Search Fields — I left this blank

    Advanced Settings > User Filter: (&(objectClass=organizationalPerson)(mail=*)) — add everybody with an email address, if they have no email address in AD they they will not be added
    or (&(objectClass=organizationalPerson)(cn=*)) — add everyone with a Name entry in AD

    Group Mapping
    Group Field: cn — the default

    Member Field: member — the default

    Description: description — the default

    Advanced Settings > Group Filter: (&(objectClass=group)(cn=MrFoo_GroupDivision)) — I had a test group in AD created

    Some of my notes for setting up Openfire 3.7.0 on CentOS 6.0 64-bit with Active Directory, and some of the gotchas.

    1) If you have more than 1000 AD user entries (I did) the drop down option in management GUI allows you sort by 1000 “Total Users: 1,000 — Sorted by Username — Users per page:1000” … well it doesn’t work, it will display a 1000 users but if you have more you are not offered any way via the GUI to view the next 1000, no little arrow to click forward, no page number 2…etc…etc. I believe there is a fix for this though, I read it some where.

    2) Getting locked out (not the old bug that seem to exist v3.6.4) after editing. Okay, everything was ticking along nicely, I added myself as the “Administrator” user for Openfire and it allowed me to do everything one expected, I rebooted the server, stop/started Openfire to test if everything came back up, it did, I could still login as Admin, all working perfectly, I then did the following and got locked out.

    Openfire > Server > Server Manager > System Properties, I wanted to edit the ldap.searchFilter, so clicked the “Edit” icon, made may edit and saved, restarted Openfire, and then I couldn’t login to Openfire, the login page was displayed, but it refused to accept my credentials, I tried stop/start again, all to no avail. In the end I decided to start over as it only takes a few minutes to configue Openfire (it might have been possible to delete/change the mysql db directly, I couldn’t be bothered), so I just set “true” to “false” and retarted from scratch…just to test I did the same thing again, edited the field, and got locked out again…so this could be a bug.

  4. Setting the line to “true” or “false” in the openfire.xml allows you to start over again.

  5. Okay, this is what you need to do if you have more than 1000 AD/LDAP entries.

    Go to Server > Server Manager > System Properties > Add new property
    And add the following:

    Property Name: ldap.pagedResultsSize
    Property Value: 1000

    Stop & start Openfire and you should now have more entries in the drop down menu, plus click-able page numbers.

  6. Pingback: Openfire IM Server |

  7. Hi..
    I want to list all the users logged in to Openfire by using the PHP. I am using xmpp class, But I am not able to get all the users. I am only getting the users which are in my group. How can I retrieve all the other users from other groups.
    I ll be very thankful..
    Thanks in advance..

  8. If I understand your question correctly, you would have to change the user or group filter.

    In the example above we are only getting people and groups that are in

    Userfilter : (&(memberOf=CN=openfire,OU=Foo Groups,DC=foo,DC=com))
    Groupfilter : (&(memberOf=CN=openfire,OU=Foo Groups,DC=foo,DC=com))

    So make sure your group filter includes the other users’ group or create a group that covers the other groups and filter on that.

    ie add all the other groups into the openfire group or find something else common that you can choose which contains everyone you need.

Comments are closed.