Bug with disabled users


When I lock a user in AD, it disappears from Openfire, but if his DN does not contain any spaces or special characters, Openfire starts to spam error messages like this:

2015.07.31 18:08:53 org.jivesoftware.openfire.roster.Roster - Groups ([jabber_o_fin]) include non-existent username (cn=sasha,ou=finance,ou=office,dc=pup,dc=local)

When the user DN contains spaces anywhere, all is OK.

Problem code part:

    try {
        JID userJID;
        int position = username.indexOf("@" + serverName);
        // Create JID of local user if JID does not match a component's JID
        if (position == -1) {
            // In order to lookup a username from the manager, the username
            // must be a properly escaped JID node.
            String escapedUsername = JID.escapeNode(username);
            if (!escapedUsername.equals(username)) {
                // Check if escaped username is valid
                userManager.getUser(escapedUsername);
            }
            // No exception, so the user must exist. Add the user as a group
            // member using the escaped username.
            userJID = server.createJID(escapedUsername, null);
        }
        else {
            // This is a JID of a component or node of a server's component
            String node = username.substring(0, position);
            String escapedUsername = JID.escapeNode(node);
            userJID = new JID(escapedUsername + "@" + serverName);
        }
    }
    catch (UserNotFoundException e) {
        // We can safely ignore this error. It likely means that
        // the user didn't pass the search filter that's defined.
        // So, we want to simply ignore the user as a group member.
        if (manager.isDebugEnabled()) {
            Log.debug("LdapGroupProvider: User not found: " + username);
        }
    }

in src/java/org/jivesoftware/openfire/ldap/LdapGroupProvider.java (lines 294-325)

username in this context contains the sAMAccountName for enabled users and the full DN for disabled users.

If the full DN contains any spaces, escapedUsername will not equal username and the user will be checked by userManager.getUser(escapedUsername);

but if there are no spaces in the DN, escapedUsername will equal username and the user will be added by “userJID = server.createJID(escapedUsername, null);” with a JID like this: CN=Sasha,OU=Finance,OU=Office,DC=pup,DC=local

My LDAP search filters are very simple:

user search filter -

(&(sAMAccountName={0})(objectClass=organizationalPerson)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=jabber_access,OU=Global_groups,DC=pup,DC=local))

group search filter -


I already wrote about this problem in another topic, with no success:

LDAP groups problem (dn used as username)

Please fix this, thanks.
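
The behaviour described in the post above, reproduced in isolation as an added example (not Openfire's code and not part of the original post), next to one possible correction that checks every candidate name. `KNOWN_USERS`, `escapeNode`, `resolveAsPosted` and `resolveAlwaysChecked` are hypothetical stand-ins; `escapeNode` is a simplified XEP-0106 escaper, not the library's `JID.escapeNode`.

```java
import java.util.*;

public class GroupMemberCheck {
    // Stand-in for the user manager: names that pass the user search filter (constructed).
    static final Set<String> KNOWN_USERS = Set.of("sasha", "petr");

    // Simplified stand-in for JID.escapeNode: XEP-0106 escapes for space " & ' / : < > @
    static String escapeNode(String node) {
        StringBuilder sb = new StringBuilder();
        for (char c : node.toCharArray()) {
            if (" \"&'/:<>@".indexOf(c) >= 0) {
                sb.append('\\').append(String.format("%02x", (int) c));
            } else {
                sb.append(c);   // ',' and '=' pass through, so a DN without spaces is unchanged
            }
        }
        return sb.toString();
    }

    // Logic as posted: the existence check runs only when escaping changed the name.
    static Optional<String> resolveAsPosted(String username) {
        String escaped = escapeNode(username);
        if (!escaped.equals(username) && !KNOWN_USERS.contains(escaped)) {
            return Optional.empty();   // corresponds to UserNotFoundException
        }
        return Optional.of(escaped);   // an unchanged name is accepted without any lookup
    }

    // Possible correction (an assumption, not the project's fix): always look the name up.
    static Optional<String> resolveAlwaysChecked(String username) {
        String escaped = escapeNode(username);
        return KNOWN_USERS.contains(escaped) ? Optional.of(escaped) : Optional.empty();
    }

    public static void main(String[] args) {
        String[] members = {
            "sasha",                                          // enabled user (constructed)
            "cn=sasha,ou=finance,ou=office,dc=pup,dc=local",  // DN from the log line above
            "cn=sasha ivanov,ou=finance,dc=pup,dc=local"      // constructed DN with a space
        };
        for (String m : members) {
            System.out.printf("%-48s posted=%-5b checked=%b%n", m,
                resolveAsPosted(m).isPresent(), resolveAlwaysChecked(m).isPresent());
        }
    }
}
```

Only the DN without spaces differs between the two methods: the posted logic accepts it as a group member without a lookup, while the always-checked variant drops it like any other name that fails the search filter.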

Please help me: how should I write up bugs to get them fixed in the future?

Is the only way to learn Java and make pull requests?


Another little up

Can somebody help?

Are these forums alive now?

The forums are “alive”, but there are only volunteers here. No full-time developers or support staff. So it could take very long until someone experienced takes a look at your issue.

I’m not a developer, nor am I experienced with LDAP. There are not many LDAP-experienced people among the few volunteer developers here. So your question may never be answered. That’s how things are here.