HELP! Weird LDAP user issue

I have a user that is OpenFire does not like. My setup is

Windows Server 2003

Active Directory LDAP autentication

Openfire 3.3

Openfire reads her fine and she can sign in, If I look at her on the Openfire Admin page she is listed and is showing to be a member of the group in AD I have put her in…BUT if I go to that group in admin, she is not listed there. When she logs in, she cannot see anyone and does not appear in any groups.

Here’s where it gets weird. I recreated her account in AD and same issue. I recreate a slightly different name (ie: jsmith2) and it works!

There is something about her name that is just not working. It is as if it has blocked that name from being a member of any groups. Is that even possible? Everything about her AD account is fine and has been recreated 3 times now.

Has anyone seen this and more importantly, anyone know what the issue is?

Are you using exchange? If so try to recreate the user without an exchange mailbox.

thanks for the reply,

No we are not. This is just a basic AD for our VPN users. Her AD account is fine from what I can see and recreating it should fix it but doesnt. Open fire sees her correctly and shows all of her info, just wont put her in any groups.

OK, so lets try deleting the user from AD again. Then clear all Openfire caches. Then check the user list to see if she is still listed. If she is reboot the openfire server. Check user list again if gone then recreate the user account. If this does not work I would try to edit the database directly and remove her account from the database.

Thanks again…

Ok I deleted her from AD. Cleared out the database, cleared out the cache and confirmed she was no where to be found.

I re-added her, then added her to the correct AD group.

I checked back with OpenFire Admin and she was listed under users and was listed correctly BUT is still not showing up in her group. I have also tried adding her to all of my groups and she appears in none.

A server restart does not fix it.

What is the format of her username? How many users are we talking about on the server and how many in the group?

her username is 8 characters long. There are 45 members in her group. There are 900 users in the system with about 60 logged on at any one time.

I can add new users not problem Lets say her username is mtstravel. I can add mtstravel1 and it works perfectly. Thats what is driving be crazy.

so her username is purely alphanumeric? Also what database are you using to store the data for openfire? Is there a possibility to reinstall the openfire server or at the very least set up a sandbox server on a XP workstation to see if the error reproduces itself? There are limitations of the embeded server or so the programmers tell me. It could be related to that.

I am using MySQL and her name is just alpha (first initial last name)

I re-installed the chat server the other night (to test the time it would take to rebuilt) and the result was the same. If it was happening to random users I could understand it, but this seems to be tied only to one username and only tied to her assigned group (everything else works)

I only have the one server in my network and so I cannot test her locally here since my server is internal.

I am truly stumped.

There could be a corruption in the mysql database. Have you tried to physically remove her info from the mysql database. The reason for this logic is that everytime you delete and create an account in windows it gets a different identifier in window even if the username is the same. LDAP connects do not generally distinguish this data. Plus the default qualifier for Openfire AD LDAP is the username field of AD. There is a good chance her user data is not being removed from MySQL when the account is deleted. When it is recreated in AD it just uses the corrupt account data again.

Yes, I ran a seach on the database for her name and deleted al instances of it. I did that in the previous step and it did not correct the issue,

Can you humor me and install Openfire on an XP client machine (using the embeded datase). Configure it to use LDAP and see if it has the same issues. If it does then you have an issue with AD, since you ruled out the server and the database. If it is AD it could be the MaxPageSize setting or the user account (which i doubt at this point, but you never know with windows).

I never did ask if you were using LDAP group filters on the Openfire server LDAP config. That may also be a factor.

Other than these last suggestions I am at a loss. We have gone through most of the thing I can trouble shoot via a forum.

Thanks for all of your help.

I can install on an XP machine but I will not be able to have it authenticate with my AD server since it only allows internal connections.

I am using Group filters but (from what I know) that only affects the groups it sees (I am filtering all groups that start with chat-). No other user has this issue. so i dont think its that.

It is something to do with her actual username. If I go into AD and change it by 1 letter, everything works.

Its driving me bonkers

You don’t have an XP machine on the same network as the AD server? It seems odd to me that her account is having this issue. When you create her account do you add all the groups she is a member of at that point? Maybe try one at a time. Would you be willing to share what her username is specifically?

you are not the first one with this issue by the way (http://www.igniterealtime.org/community/thread/28762). i do not think anyone has solved the issue. it is just so odd that one id would have this issue.

just to follow up.

I was able to correct this issue by renaming the user. Recreating the entry does not work. It can be a simple rename (ie John Smith to John.Smith/John Smith(extra space) / John_Smith)

This issue was seen on about 5 of our 1000 users.