13 thoughts on “Openfire Active Directory Authentication”

1. Thank You!
   I have been pulling my hair out to get this working. Now it is working 🙂

2. This was a massive help, thanks a lot! I have lost 3 hours trying to work out what values it was looking for, and with this example it too 3 minutes! I wish documentation was this clear!! Thanks again!

3. yeah, it helped 🙂

4. Yippee! Glad it helped people 🙂

5. I am getting some error while configuring openfire with active directory 2008. I put

   When I gave CN, DN, OU the same mentioned above I got this error.

   [LDAP: error code 8 – 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db0]

   I am trying to figure out problem. Please Help Me.
   Thanks !

6. Hi Talha,

   I quick bit of Googling gave me this link :
   http://www.ilient.com/Sysforums/posts/list/5530.page

   Basically you need to turn on LDAP over SSL when using the LDAP wizard.

7. CentOS 6.0 – 64bit — had to add libldb.i686 for JVM

   Openfire 3.7.0

   Name : mysql
   Arch : x86_64
   Version : 5.1.52
   Release : 1.el6_0.1

   Server set-up
   http://127.0.0.1:9090 for initial configuration, for admin GUI after configuration http://127.0.0.1:9091

   I opened firewall ports
   22
   5222
   7777
   9090 – this can be blocked after configuration as port 9091 will be used thereafter for admin
   To get this ‘switched off’ enter ‘-1’ in the openfire.xml file
   9091

   JVM
   Increase JVM memory by adding DAEMON_OPTS=”-Xms256m -Xmx512m” to /etc/sysconfig/openfire

   Connection Settings
   baseDN: dc=foo,dc=local

   adminDN: cn=mr.foo,cn=Users,dc=foo,dc=local — mr.foo@foo.local also worked for me

   User Mapping
   Username Field: sAMAccountName

   Search Fields — I left this blank

   Advanced Settings > User Filter: (&(objectClass=organizationalPerson)(mail=*)) — add everybody with an email address, if they have no email address in AD they they will not be added
   or (&(objectClass=organizationalPerson)(cn=*)) — add everyone with a Name entry in AD

   Group Mapping
   Group Field: cn — the default

   Member Field: member — the default

   Description: description — the default

   Advanced Settings > Group Filter: (&(objectClass=group)(cn=MrFoo_GroupDivision)) — I had a test group in AD created

   Some of my notes for setting up Openfire 3.7.0 on CentOS 6.0 64-bit with Active Directory, and some of the gotchas.

   1) If you have more than 1000 AD user entries (I did) the drop down option in management GUI allows you sort by 1000 “Total Users: 1,000 — Sorted by Username — Users per page:1000” … well it doesn’t work, it will display a 1000 users but if you have more you are not offered any way via the GUI to view the next 1000, no little arrow to click forward, no page number 2…etc…etc. I believe there is a fix for this though, I read it some where.

   2) Getting locked out (not the old bug that seem to exist v3.6.4) after editing. Okay, everything was ticking along nicely, I added myself as the “Administrator” user for Openfire and it allowed me to do everything one expected, I rebooted the server, stop/started Openfire to test if everything came back up, it did, I could still login as Admin, all working perfectly, I then did the following and got locked out.

   Openfire > Server > Server Manager > System Properties, I wanted to edit the ldap.searchFilter, so clicked the “Edit” icon, made may edit and saved, restarted Openfire, and then I couldn’t login to Openfire, the login page was displayed, but it refused to accept my credentials, I tried stop/start again, all to no avail. In the end I decided to start over as it only takes a few minutes to configue Openfire (it might have been possible to delete/change the mysql db directly, I couldn’t be bothered), so I just set “true” to “false” and retarted from scratch…just to test I did the same thing again, edited the field, and got locked out again…so this could be a bug.

8. Setting the line to “true” or “false” in the openfire.xml allows you to start over again.

9. Okay, this is what you need to do if you have more than 1000 AD/LDAP entries.

   Go to Server > Server Manager > System Properties > Add new property
   And add the following:

   Property Name: ldap.pagedResultsSize
   Property Value: 1000

   Stop & start Openfire and you should now have more entries in the drop down menu, plus click-able page numbers.

10. This really saved me. Thank you!! 🙂

11. Pingback: Openfire IM Server | Basher.net

12. Hi..
    I want to list all the users logged in to Openfire by using the PHP. I am using xmpp class, But I am not able to get all the users. I am only getting the users which are in my group. How can I retrieve all the other users from other groups.
    I ll be very thankful..
    Thanks in advance..

13. If I understand your question correctly, you would have to change the user or group filter.

    In the example above we are only getting people and groups that are in

    Userfilter : (&(memberOf=CN=openfire,OU=Foo Groups,DC=foo,DC=com))
    Groupfilter : (&(memberOf=CN=openfire,OU=Foo Groups,DC=foo,DC=com))

    So make sure your group filter includes the other users’ group or create a group that covers the other groups and filter on that.

    ie add all the other groups into the openfire group or find something else common that you can choose which contains everyone you need.

Comments are closed.