Right now the ldap configuration contains ldap.baseDN. I would like to have a different group DN to help limit the searches. The problem I am having right now is my current ldap tree has an organizationalUnit for my login groups (ou=group,dc=foo,dc=bar) and a different organizationalUnit for openfire (ou=OpenFireGroups,dc=foo,dc=bar). Right now I have to set the "owner" attribute to OpenFire and create a groupSearchFilter (&(cn=)(objectClass=groupOfNames)(owner=OpenFire)). You could keep the ldap.baseDN for backwords compatibility and add something like ldap.userDN for user lookup and ldap.groupDN for group lookup. I could then have something like
<ldap> <userDN>ou=People,dc=foo,dc=bar</userDN> <groupDN>ou=OpenFireGroups,dc=foo,dc=bar</groupDN></ldap>