Openfire Active Directory Authentication

Oh the joy and the pain of this….

After a very long time I have now got this working the way I want it, but it was painful finding the right runes to make the two play nicely.

What I wanted:

  • To have a group in AD that could access and authenticate to Openfire
  • To have groups in Openfire that were defined by an AD group.

AD Structure

  • All of our users are in a group called “Foo Users”
  • All of our groups are in “Foo Groups”
  • All of our Openfire users are in a group called “openfire” which is inside “Foo Groups”
  • Our Openfire groups are in “Openfire Groups” which is in “Foo Groups” (I made “Openfire Groups” a universal group, this may or may not be needed).
  • I then made the “openfire” group a member of “Openfire Groups”
  • Our domain is called foo.com

The authentication

  • ldap.baseDN : dc="foo",dc="com"
  • adminDN : cn="administrator",cn="Users",dc="foo",dc="com"
  • User filter : (&(memberOf=CN=openfire,OU=Foo Groups,DC=foo,DC=com))
  • Group filter : (&(memberOf=CN=openfire,OU=Foo Groups,DC=foo,DC=com))
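To see what these settings actually ask AD for, here is an added Python example (not from this post or from Openfire): it rebuilds the user filter above, the objectClass=group filter shape Mike uses in the comments, and the effective login filter, assuming Openfire combines ldap.searchFilter as (&(<usernameField>=<user>)<searchFilter>); filter values are escaped per RFC 4515 so a username cannot rewrite the filter.

```python
"""Compose the LDAP filters behind the Openfire settings in this post.

Added example, not code from the post or from Openfire itself. It models the
AD layout above (Openfire users are members of CN=openfire,OU=Foo Groups,
DC=foo,DC=com and log in with sAMAccountName) and assumes Openfire wraps its
ldap.searchFilter as (&(<usernameField>=<user>)<searchFilter>) at login.
"""

OPENFIRE_GROUP_DN = "CN=openfire,OU=Foo Groups,DC=foo,DC=com"  # from the post

# RFC 4515 requires these characters to be hex-escaped inside a filter value;
# otherwise a value such as "x)(objectClass=*" changes the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def eq(attribute: str, value: str) -> str:
    """One equality match with the value escaped."""
    return f"({attribute}={escape_filter_value(value)})"


def and_filter(*terms: str) -> str:
    return "(&" + "".join(terms) + ")"


def user_filter(group_dn: str = OPENFIRE_GROUP_DN) -> str:
    """The post's user filter: anyone who is a direct member of the group."""
    return and_filter(eq("memberOf", group_dn))


def group_filter(group_cn: str) -> str:
    """Group filter in the shape used in Mike's comment: one named AD group."""
    return and_filter("(objectClass=group)", eq("cn", group_cn))


def login_filter(username: str, username_field: str = "sAMAccountName",
                 search_filter: str = user_filter()) -> str:
    """Assumed effective filter Openfire sends when `username` logs in."""
    return and_filter(eq(username_field, username), search_filter)


if __name__ == "__main__":
    print(user_filter())
    print(group_filter("MrFoo_GroupDivision"))
    print(login_filter("tig"))
    # A crafted username stays a literal and cannot widen the search.
    print(login_filter("tig)(objectClass=*"))
```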

Hope this helps someone  :)


9 Responses to Openfire Active Directory Authentication

  1. CH says:

    Thank You!
    I have been pulling my hair out to get this working. Now it is working :)

  2. Matt says:

    This was a massive help, thanks a lot! I have lost 3 hours trying to work out what values it was looking for, and with this example it took 3 minutes! I wish documentation was this clear!! Thanks again!

  3. tig says:

    Yippee! Glad it helped people :)

  4. talha says:

    I am getting some error while configuring openfire with active directory 2008. I put

    When I gave CN, DN, OU the same mentioned above I got this error.

    [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db0]

    I am trying to figure out problem. Please Help Me.
    Thanks !

  5. tig says:

    Hi Talha,

    A quick bit of Googling gave me this link:
    http://www.ilient.com/Sysforums/posts/list/5530.page

    Basically you need to turn on LDAP over SSL when using the LDAP wizard.

  6. Mike - from OKC...you know who I am ;) says:

    CentOS 6.0 – 64bit — had to add libldb.i686 for JVM

    Openfire 3.7.0

    Name : mysql
    Arch : x86_64
    Version : 5.1.52
    Release : 1.el6_0.1

    Server set-up
    http://127.0.0.1:9090 for initial configuration, for admin GUI after configuration http://127.0.0.1:9091

    I opened firewall ports
    22
    5222
    7777
    9090 – this can be blocked after configuration as port 9091 will be used thereafter for admin
    To get this ‘switched off’ enter ‘-1’ in the openfire.xml file
    9091

    JVM
    Increase JVM memory by adding DAEMON_OPTS=”-Xms256m -Xmx512m” to /etc/sysconfig/openfire

    Connection Settings
    baseDN: dc=foo,dc=local

    adminDN: cn=mr.foo,cn=Users,dc=foo,dc=local — mr.foo@foo.local also worked for me

    User Mapping
    Username Field: sAMAccountName

    Search Fields — I left this blank

    Advanced Settings > User Filter: (&(objectClass=organizationalPerson)(mail=*)) — add everybody with an email address; if they have no email address in AD they will not be added
    or (&(objectClass=organizationalPerson)(cn=*)) — add everyone with a Name entry in AD

    Group Mapping
    Group Field: cn — the default

    Member Field: member — the default

    Description: description — the default

    Advanced Settings > Group Filter: (&(objectClass=group)(cn=MrFoo_GroupDivision)) — I had a test group in AD created

    Some of my notes for setting up Openfire 3.7.0 on CentOS 6.0 64-bit with Active Directory, and some of the gotchas.

    1) If you have more than 1000 AD user entries (I did) the drop down option in management GUI allows you sort by 1000 “Total Users: 1,000 — Sorted by Username — Users per page:1000” … well it doesn’t work, it will display a 1000 users but if you have more you are not offered any way via the GUI to view the next 1000, no little arrow to click forward, no page number 2…etc…etc. I believe there is a fix for this though, I read it somewhere.

    2) Getting locked out (not the old bug that seemed to exist in v3.6.4) after editing. Okay, everything was ticking along nicely, I added myself as the “Administrator” user for Openfire and it allowed me to do everything one expected, I rebooted the server, stop/started Openfire to test if everything came back up, it did, I could still login as Admin, all working perfectly, I then did the following and got locked out.

    Openfire > Server > Server Manager > System Properties, I wanted to edit the ldap.searchFilter, so clicked the “Edit” icon, made my edit and saved, restarted Openfire, and then I couldn’t login to Openfire, the login page was displayed, but it refused to accept my credentials, I tried stop/start again, all to no avail. In the end I decided to start over as it only takes a few minutes to configure Openfire (it might have been possible to delete/change the mysql db directly, I couldn’t be bothered), so I just set “true” to “false” and restarted from scratch…just to test I did the same thing again, edited the field, and got locked out again…so this could be a bug.

  7. Mike - from OKC...you know who I am ;) says:

    Setting the line to “true” or “false” in the openfire.xml allows you to start over again.

  8. Mike - from OKC...you know who I am ;) says:

    Okay, this is what you need to do if you have more than 1000 AD/LDAP entries.

    Go to Server > Server Manager > System Properties > Add new property
    And add the following:

    Property Name: ldap.pagedResultsSize
    Property Value: 1000

    Stop & start Openfire and you should now have more entries in the drop down menu, plus click-able page numbers.
