
Group membership is None in Openfire console

I was able to successfully connect to our AD and Openfire imported all of the users and groups. All of the imported users belong to one or more groups. Here is the issue:

userA belongs to groupA (verified in Active Directory). Both userA and groupA have been imported to Openfire

I click on userA under Users/Groups tab, the very last property of userA says Groups: None

If I click on a Group Summary, and then on groupA name, under Members of this Group, I see userA.

Most of the users have the groups property reporting correctly. Meaning, if I click on a user, I will see Groups: groupA, groupB, etc.

Out of 20 users, 4 show None in the group property.

In Spark, these 4 users are displayed correctly, in the groups they belong to.

I’ve tried removing the group membership in AD, and restarting Openfire, but that didn’t help.

I am getting the same error as posted in this thread:

Clearly, the issue hasn’t been resolved (I am using the latest version of Openfire). Are developers aware of it?

Here is the error from my log files:

2007.08.28 17:59:47 org.jivesoftware.openfire.ldap.LdapGroupProvider.getGroupNames(LdapGroupProvider.java:383) Error getting groups for user: user@mydomain.com

javax.naming.NamingException: LDAP: error code 1 - 000020EF: SvcErr: DSID-020A0B25, problem 5012 (DIR_ERROR), data -1017; remaining name ‘’

All four users that show None as their group membership have the error posted above.

The 4 users that I’ve mentioned are all members of more than 20 groups. All other users are members of 20 groups or fewer.

I just performed a test on one of the users that was a member of exactly 20 groups (his group membership was displayed correctly in User Properties). I added him to one more group, bringing the number of groups to 21, and 15 minutes later his Groups: property changed to None. It looks like Openfire checks group membership every 15 minutes.

I tested this hypothesis on another Openfire server, and it doesn’t look like being a member of 21 groups creates a problem there.

Anyone else have this issue or could test this for me? Also, developers are being awfully quiet, what gives?

Any ideas what’s causing this? It messes up the presence status (we use Asterisk plug-in and it shows some of the 4 users as being always on the phone) and makes Spark difficult to use for everyone.

I am looking for some help from the devs here. My company is considering purchasing an Enterprise license, but with this issue I’ll have to tell the company president Openfire is not ready yet.

I’ve enabled debugging and noticed the following:

My user account in Active Directory is a member of less than 20 groups, and, hence, shows in Openfire console as a member of the Tech group (this group is created in Active Directory). When I log in to Spark, debug.log shows this:

2007.09.17 11:33:43 Trying to find a user’s DN based on their username. sAMAccountName: timur.shevekhman, Base DN: ou=Corporate,dc=domainname,dc=com…
2007.09.17 11:33:43 Creating a DirContext in LdapManager.getContext()…
2007.09.17 11:33:43 Created hashtable with context values, attempting to create context…
2007.09.17 11:33:43 … context created successfully, returning.
2007.09.17 11:33:43 Starting LDAP search…
2007.09.17 11:33:43 … search finished
2007.09.17 11:33:43 In LdapManager.checkAuthentication(userDN, password), userDN is: CN=“Timur Shevekhman”,OU=“All Domain Users”…
2007.09.17 11:33:43 Created context values, attempting to create context…
2007.09.17 11:33:43 … context created successfully, returning.

Notice a line in italic.

Now, a user with None membership (and a member of over 20 groups) exits Spark and logs back in:

2007.09.17 11:45:10 Trying to find a user’s DN based on their username. sAMAccountName: user2, Base DN: ou=Corporate,dc=domainname,dc=com…
2007.09.17 11:45:10 Creating a DirContext in LdapManager.getContext()…
2007.09.17 11:45:10 Created hashtable with context values, attempting to create context…
2007.09.17 11:45:10 … context created successfully, returning.
2007.09.17 11:45:10 Starting LDAP search…
2007.09.17 11:45:10 … search finished
2007.09.17 11:45:10 Creating a DirContext in LdapManager.getContext()…
2007.09.17 11:45:10 Created hashtable with context values, attempting to create context…
2007.09.17 11:45:10 … context created successfully, returning.

Notice the italic line is missing.

It’s as if the LDAP search doesn’t finish successfully. Some of the Security groups in our domain are pretty long. Is it possible the hash table runs out of space to store all of the LDAP context?

I’ve added myself to several more security and distribution groups in Active Directory, bringing the total number of groups that I am a member of to 22.

My group membership in Openfire changed to None.

I got the following error in error.log

2007.09.17 13:21:56 org.jivesoftware.openfire.ldap.LdapGroupProvider.getGroupNames(LdapGroupProvider.java:383) Error getting groups for user: timur.shevekhman @ domainname.com
javax.naming.NamingException: [LDAP: error code 1 - 000020EF: SvcErr: DSID-020A0B12, problem 5012 (DIR_ERROR), data -1017 ]; remaining name ''
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
at javax.naming.directory.InitialDirContext.search(Unknown Source)
at org.jivesoftware.openfire.ldap.LdapGroupProvider.getGroupNames(LdapGroupProvider.java:367)
at org.jivesoftware.openfire.group.GroupManager.getGroups(GroupManager.java:343)
at org.jivesoftware.openfire.group.GroupManager.getGroups(GroupManager.java:326)
at org.jivesoftware.openfire.admin.user_002dproperties_jsp._jspService(user_002dproperties_jsp.java:297)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:491)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1074)
at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:65)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:41)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:69)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1065)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:365)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:185)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:689)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:391)
at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:146)
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
at org.mortbay.jetty.Server.handle(Server.java:285)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:457)
at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:751)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:500)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:209)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:357)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:329)
at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:475)

and, when I checked the debug.log file, I had this at exactly the same time:

2007.09.17 13:21:56 Trying to find a user’s DN based on their username. sAMAccountName: timur.shevekhman, Base DN: ou=Corporate,dc=domainname,dc=com…
2007.09.17 13:21:56 Creating a DirContext in LdapManager.getContext()…
2007.09.17 13:21:56 Created hashtable with context values, attempting to create context…
2007.09.17 13:21:56 … context created successfully, returning.
2007.09.17 13:21:56 Starting LDAP search…
2007.09.17 13:21:56 … search finished
2007.09.17 13:21:56 Trying to find a user’s DN based on their username. sAMAccountName: timur.shevekhman, Base DN: ou=Corporate,dc=domainname,dc=com…
2007.09.17 13:21:56 Creating a DirContext in LdapManager.getContext()…
2007.09.17 13:21:56 Created hashtable with context values, attempting to create context…
2007.09.17 13:21:56 … context created successfully, returning.
2007.09.17 13:21:56 Starting LDAP search…
2007.09.17 13:21:56 … search finished
2007.09.17 13:21:56 Creating a DirContext in LdapManager.getContext()…
2007.09.17 13:21:56 Created hashtable with context values, attempting to create context…
2007.09.17 13:21:56 … context created successfully, returning.
2007.09.17 13:21:56 Trying to find a user’s DN based on their username. sAMAccountName: timur.shevekhman, Base DN: ou=Corporate,dc=domainname,dc=com…
2007.09.17 13:21:56 Creating a DirContext in LdapManager.getContext()…
2007.09.17 13:21:56 Created hashtable with context values, attempting to create context…
2007.09.17 13:21:56 … context created successfully, returning.
2007.09.17 13:21:56 Starting LDAP search…
2007.09.17 13:21:56 … search finished
2007.09.17 13:21:56 Creating a DirContext in LdapManager.getContext()…
2007.09.17 13:21:56 Created hashtable with context values, attempting to create context…
2007.09.17 13:21:56 … context created successfully, returning.

Well, I’ll continue talking to myself

gato, first of all thank you for all the help you offered in the chat the other day.

I tried looking at GetGroupNames function in LdapGroupProvider class, and more specifically, lines 362-366, but I am not sure I can figure out the LDAP query built by that code.

So far, I got (&(something that getGroupSearchFilter() returns)(member=CN=user DN). This looks awfully similar to the search filter I’m using, which is not the same as LDAP query, so I think I am doing something wrong.

If I run this LDAP query: (&(objectclass=group)(member=CN=userA,OU=All Domain Users,OU=Corporate,DC=domainname,DC=com)), I am returned a list of all groups that userA is a member of. (I run the query in Active Directory Users and Computers snap-in, Action, Find, Custom Search, Advanced tab).

Hey Timur,

Hmm, I don’t think I got an email alert for your response. Anyway, I added the following code to LdapGroupProvider in line 367 to print the LDAP query that you are executing to get the user’s groups.

if (Log.isDebugEnabled()) {
    Log.debug("Trying to find group names for user: " + user + " using query: " + filter.toString());
}

You can also debug GroupManager line 361 to check the value of groupNames. I don’t see how Openfire would empty that collection if the number of groups is bigger than X. I’m really curious about this problem. Let me know if the LDAP query is returning the correct values and if the groupNames variable does not include the LDAP answer.

Thanks,

– Gato

Gato,

Thanks for your response.

I am running version 3.3.3 now.

I’ve made my Active Directory account a member of 22 groups (some security, some distribution). About 10 minutes later, my group changed to None.

error.log -

2007.09.25 10:02:12 [org.jivesoftware.openfire.ldap.LdapGroupProvider.getGroupNames(LdapGroupProvider.java:386)
] Error getting groups for user: timur.shevekhman @ companyname.com
javax.naming.NamingException: [LDAP: error code 1 - 000020EF: SvcErr: DSID-020A0B12, problem 5012 (DIR_ERROR), data -1017 ]; remaining name ‘’
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)

debug.log -

2007.09.25 10:02:10 Creating a DirContext in LdapManager.getContext()…
2007.09.25 10:02:10 Created hashtable with context values, attempting to create context…
2007.09.25 10:02:10 … context created successfully, returning.
2007.09.25 10:02:11 Creating a DirContext in LdapManager.getContext()…
2007.09.25 10:02:11 Created hashtable with context values, attempting to create context…
2007.09.25 10:02:11 … context created successfully, returning.
2007.09.25 10:02:12 Trying to find a user’s DN based on their username. sAMAccountName: timur.shevekhman, Base DN: ou=Corporate,dc=domainname,dc=com…
2007.09.25 10:02:12 Creating a DirContext in LdapManager.getContext()…
2007.09.25 10:02:12 Created hashtable with context values, attempting to create context…
2007.09.25 10:02:12 … context created successfully, returning.
2007.09.25 10:02:12 Starting LDAP search…
2007.09.25 10:02:12 … search finished
2007.09.25 10:02:12 Creating a DirContext in LdapManager.getContext()…
2007.09.25 10:02:12 Created hashtable with context values, attempting to create context…
2007.09.25 10:02:12 … context created successfully, returning.
2007.09.25 10:02:12 Trying to find group names for user: timur.shevekhman @ companyname.com using query: (&(&(cn=*)(&(objectClass=group)(memberOf=CN=OpenfireUsers,OU=Security Groups,OU=Corporate,DC=domainname,DC=com)))(member=CN=“Timur Shevekhman”,OU=“All Domain Users”,ou=Corporate,dc=domainname,dc=com))
2007.09.25 10:02:14 session 37 timeout
2007.09.25 10:02:14 session 37 sent message PNG

I tried running the LDAP query in italic against my Active Directory (using Active Directory Users and Computers snap-in) and did get the correct groups, so it looks like the query created by Openfire is correct.

Not sure if I can do debugging. I have a ton of errors in the project (I used NetBeans and checked out the project from svn), probably because I am missing dependencies, etc, and I wouldn’t know one thing about how to fix them given the size of this project.

I’ve set up a test server with the exact same Active Directory configuration (same users, groups, OUs) as what our company has and I don’t have any issues. The only thing that is different is on the test server I use MySQL database, while, in production, we use Microsoft SQL 2005. Maybe that’s the issue.
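
Added example, not part of the original posts and not Openfire code: a parser for the error.log entries quoted in this thread that lists every account whose group lookup failed with LDAP result code 1 (operationsError), covering both the single-line and the split 3.3.3 header. The sample log is constructed from the format shown above; the `usera`/`userb` accounts and the whitespace normalisation around `@` are assumptions.

```python
import re
from collections import Counter

TS = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) ")
USER = re.compile(r"Error getting groups for user: (.+?)\s*$")
LDAP_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<ext>[0-9A-Fa-f]{8}): (?P<kind>\w+): "
    r"(?P<dsid>DSID-[0-9A-Fa-f]+), problem (?P<problem>\d+) "
    r"\((?P<problem_name>\w+)\), data (?P<data>-?\d+)")

# Constructed sample: one single-line header, two split headers as in 3.3.3.
SAMPLE = """\
2007.09.17 13:21:56 org.jivesoftware.openfire.ldap.LdapGroupProvider.getGroupNames(LdapGroupProvider.java:383) Error getting groups for user: usera @ example.com
javax.naming.NamingException: [LDAP: error code 1 - 000020EF: SvcErr: DSID-020A0B12, problem 5012 (DIR_ERROR), data -1017 ]; remaining name ''
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
2007.09.25 10:02:12 [org.jivesoftware.openfire.ldap.LdapGroupProvider.getGroupNames(LdapGroupProvider.java:386)
] Error getting groups for user: userb@example.com
javax.naming.NamingException: [LDAP: error code 1 - 000020EF: SvcErr: DSID-020A0B12, problem 5012 (DIR_ERROR), data -1017 ]; remaining name ''
2007.09.25 10:17:12 [org.jivesoftware.openfire.ldap.LdapGroupProvider.getGroupNames(LdapGroupProvider.java:386)
] Error getting groups for user: userb@example.com
javax.naming.NamingException: [LDAP: error code 1 - 000020EF: SvcErr: DSID-020A0B12, problem 5012 (DIR_ERROR), data -1017 ]; remaining name ''
"""

def parse_group_errors(text):
    """Return one dict per 'Error getting groups for user' entry."""
    events, ts, current = [], None, None
    for line in text.splitlines():
        m = TS.match(line)
        if m:  # a timestamp starts a new log entry
            ts, current = m.group(1), None
        u = USER.search(line)
        if u:
            # Assumption: "name @ domain" and "name@domain" are the same account.
            user = re.sub(r"\s*@\s*", "@", u.group(1))
            current = {"time": ts, "user": user, "code": None}
            events.append(current)
            continue
        e = LDAP_ERR.search(line)
        if e and current is not None:
            fields = e.groupdict()
            for key in ("code", "problem", "data"):
                fields[key] = int(fields[key])
            current.update(fields)
            current = None  # skip the stack frames that follow
    return events

def users_with_operations_error(events):
    """Count entries per user with LDAP result code 1 (operationsError)."""
    return Counter(e["user"] for e in events if e["code"] == 1)
```

Run `users_with_operations_error(parse_group_errors(open("error.log").read()))` against a real log and compare the resulting accounts with their group counts in Active Directory.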

I have the same problem, I can’t resolve it. Please help me.

Do you also use MS SQL 2005?