We’re running a noticeably sized installation (~500 concurrent users) using Active Directory LDAP for user information, including “group sharing”. With this we encountered an annoying issue: AD stores information about the members of a group as full DNs, say:
- Group A
  - CN=User A, OU=Department A, OU=Org, DC=example
  - CN=User B, OU=Department A, OU=Org, DC=example
Now when Openfire tries to match the login name (sAMAccountName) to those names, it searches only for the first part, so it issues a search for “CN=User A”. The problem is when there are two people with the same first and last name in different departments: LDAP allows this, as the full DN is unique, yet a search for just the CN does not return a single result but multiple, and therefore users end up in the wrong groups. The attached patch modifies the search to look for the full DN, but as it is, from what I know, it will work only against AD.
patch-src_java_org_jivesoftware_openfire_ldap_LdapGroupProvider.java.zip (583 Bytes)
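The matching problem described in the post, as an added example that is not part of the original post or of Openfire's code: a constructed in-memory "directory" with two users who share the CN "User A" in different OUs, and two resolution strategies, one that searches by CN alone (as the post says Openfire does) and one that compares the full, normalised DN (what the attached patch aims for). The directory entries, account names and the minimal DN parser are all assumptions made for the illustration; the parser handles case, surrounding whitespace and backslash-escaped commas but not every RFC 4514 escape.

```python
# Added illustration, not Openfire code. Shows why resolving AD group members
# by CN alone is ambiguous while resolving by the full DN is unique.

# Constructed sample data: full DN -> attributes. Note the deliberate
# duplicate CN "User A" in two departments and the stray space in "OU= Org".
DIRECTORY = {
    "CN=User A,OU=Department A,OU= Org,DC=example": {"sAMAccountName": "usera.depta"},
    "CN=User A,OU=Department B,OU=Org,DC=example": {"sAMAccountName": "usera.deptb"},
    "CN=User B,OU=Department A,OU=Org,DC=example": {"sAMAccountName": "userb"},
}

# Constructed "member" attribute of Group A, stored as full DNs like AD does.
GROUP_A_MEMBERS = [
    "CN=User A,OU=Department A,OU=Org,DC=example",
    "CN=User B,OU=Department A,OU=Org,DC=example",
]


def parse_dn(dn):
    """Split a DN into (attribute, value) RDN pairs.

    Case is folded and surrounding whitespace stripped so that
    'OU= Org' and 'ou=org' compare equal. Backslash-escaped commas
    ('\\,') are kept inside the value. Hypothetical minimal parser,
    not a full RFC 4514 implementation.
    """
    rdns, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape and escaped char
            cur += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    rdns.append(cur)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return tuple(pairs)


def normalise_dn(dn):
    """Canonical string form of a DN for equality comparison."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn))


def rdn_value(dn, attr):
    """First value of the given RDN attribute (e.g. 'cn'), or None."""
    for a, v in parse_dn(dn):
        if a == attr.lower():
            return v
    return None


def resolve_by_cn(member_dn):
    """Mimics a CN-only search: every entry whose CN matches, sorted."""
    cn = rdn_value(member_dn, "cn")
    return sorted(attrs["sAMAccountName"]
                  for dn, attrs in DIRECTORY.items()
                  if rdn_value(dn, "cn") == cn)


def resolve_by_dn(member_dn):
    """Compares the full normalised DN: at most one entry can match."""
    target = normalise_dn(member_dn)
    return [attrs["sAMAccountName"]
            for dn, attrs in DIRECTORY.items()
            if normalise_dn(dn) == target]


def group_members(resolver, members=GROUP_A_MEMBERS):
    """Map each member DN to the accounts a resolver returns for it."""
    return {dn: resolver(dn) for dn in members}


def ambiguous_members(resolver, members=GROUP_A_MEMBERS):
    """Member DNs for which the resolver yields anything other than one account."""
    return [dn for dn, hits in group_members(resolver, members).items()
            if len(hits) != 1]


if __name__ == "__main__":
    for name, resolver in (("by CN", resolve_by_cn), ("by full DN", resolve_by_dn)):
        print(name, group_members(resolver))
        print("  ambiguous:", ambiguous_members(resolver))
```

Run stand-alone, the CN-only strategy returns both "User A" accounts for the first member of Group A, which is exactly how the wrong person ends up in the group; the full-DN strategy returns one account per member, and the whitespace normalisation keeps "OU= Org" from breaking the comparison.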