AD LDAP group member search fix

We’re running a fairly sizeable installation (~500 concurrent users) using Active Directory LDAP for user information, including “group sharing”. With this we encountered an annoying issue: AD stores information about the members of a group as full DNs, say:

  • Group A
    • CN=User A, OU=Department A, OU= Org, DC=example
    • CN=User B, OU=Department A, OU=Org, DC=example

Now when Openfire tries to match the login name (sAMAccountName) to those names it searches only for the first part, so it issues a search for “CN=User A”. The problem is when there are two people with the same first and last name in different departments: LDAP allows this, as the full DN is unique, yet a search for just the CN does not return a single result but multiple, so users end up in the wrong groups. The attached patch modifies the search to look for the full DN, but as it is, from what I know, it will work only against AD.

patch-src_java_org_jivesoftware_openfire_ldap_LdapGroupProvider.java.zip (583 Bytes)
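The ambiguity described above, reproduced as an added example (this is not the attached patch and not Openfire code). It builds a small constructed directory with two users that share a CN in different OUs, resolves the constructed group's `member` DNs once the way the post says the provider does (CN only) and once on the full DN, and normalises both DNs before comparing, since AD returns the member attribute with whatever spacing and case the object was created with (RFC 4514: attribute types and the whitespace around `=` and `,` are not significant, and AD string matching is case-insensitive). All names, DNs and account names below are invented for the example.

```python
"""Why matching AD group members by CN alone is ambiguous, and how matching
on the full, normalised DN resolves it.  Added example, not Openfire code."""

# Constructed sample directory: two users share "CN=User A" but live in
# different OUs.  Keys are the objects' DNs as AD would hand them back.
DIRECTORY = {
    "CN=User A,OU=Department A,OU=Org,DC=example": {"sAMAccountName": "usera.depta"},
    "CN=User A,OU=Department B,OU=Org,DC=example": {"sAMAccountName": "usera.deptb"},
    "CN=User B,OU=Department A,OU=Org,DC=example": {"sAMAccountName": "userb"},
}

# Constructed 'member' attribute of Group A.  The first entry keeps the
# sloppy spacing from the post on purpose: a naive string compare would miss it.
GROUP_A_MEMBERS = [
    "CN=User A, OU=Department A, OU= Org, DC=example",
    "CN=User B,OU=Department A,OU=Org,DC=example",
]


def split_dn(dn):
    """Split a DN into (attribute type, value) pairs, leftmost RDN first.

    Handles backslash escapes such as 'CN=Smith\\, John' (the escaped comma
    does not split the RDN); multi-valued RDNs joined with '+' are not handled.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip(), value.strip()))
    return pairs


def normalize_dn(dn):
    """Canonical form for comparison: types upper-cased, values case-folded,
    insignificant whitespace dropped.  Two DNs naming the same object compare
    equal even if one was typed 'OU= Org' and the other 'ou=org'."""
    return tuple((t.upper(), v.casefold()) for t, v in split_dn(dn))


def lookup_by_cn(cn):
    """Search on the leading CN only: what the post says the provider does."""
    wanted = ("CN", cn.casefold())
    return [dn for dn in DIRECTORY if normalize_dn(dn)[0] == wanted]


def lookup_by_dn(member_dn):
    """Match on the whole DN instead: what the patch aims for."""
    target = normalize_dn(member_dn)
    return [dn for dn in DIRECTORY if normalize_dn(dn) == target]


def resolve_members(member_dns, by_cn=False):
    """Map each member DN to the sAMAccountName(s) it resolves to.

    With by_cn=True an ambiguous CN shows up as a list of more than one
    account, which is exactly the case that put users in the wrong groups.
    """
    resolved = {}
    for member in member_dns:
        if by_cn:
            hits = lookup_by_cn(split_dn(member)[0][1])
        else:
            hits = lookup_by_dn(member)
        resolved[member] = [DIRECTORY[h]["sAMAccountName"] for h in hits]
    return resolved


if __name__ == "__main__":
    print("CN only :", resolve_members(GROUP_A_MEMBERS, by_cn=True))
    print("full DN :", resolve_members(GROUP_A_MEMBERS))
```

Against a live server the same idea is usually expressed as a base-scope search with the member DN as the search base (which works on any LDAP server), or on AD as a filter on the `distinguishedName` attribute; in the latter case the DN value must be filter-escaped per RFC 4515 before it goes into the filter string, or a CN containing `(`, `)` or `*` will break or widen the query.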

Thanks for the patch. Filed as OF-541

Could someone provide instructions on how to apply the patch, and which file to back up in case something does go wrong?

I am a newbie, running Ubuntu 10.04 and Openfire 3.70; user groups are pulled from Active Directory.

P

This patch is for the source code, so you can’t just patch a file in your installation. Probably openfire.jar has to be recompiled after the patch, and maybe then you can just replace it in your installation, but I’m not sure it will work.

Yes, recompiling and just replacing openfire.jar works; that’s what I’ve been doing.