LDAP alias referral bug


I’m using LDAP for authentication a while now, but due to restructering of the LDAP tree we changed from one mail user tree to several trees with aliases to th real users.




— ou=users

| |

| — user1


— ou=groups



— dc=application


— ou=openfire


— alias to user1

Ok so the problem is the resolving from alias to the user dn, openfire always adds this base dn to the resolved user dn.


basedn: ou=openfire,dc=application,dc=company

alias to resolve: cn=user1,ou=openfire,dc=application,dc=company

openfire resolved user dn: cn=user1,ou=users,dc=company,ou=openfire,dc=application,dc=company

So for authentication that resolved user dn can’t work because it don’t exists!

I tried to set the ldap.alternateBaseDN to ‘’ but that didn’t work too, because openfire now try to auth with ‘cn=user1,ou=users,dc=company,’. Yes the comma behind dc=company is not my fault, but the dn which openfire uses to auth the user against LDAP, which isn’t a valid dn so the auth failes, too.

What can I do to get rid of these miss resolving. I think there is no easy fix because I think it’s java ldap library problem, but maybe someone got a nice hotfix.

Thanks in advance.


You are not going to be able to use the alias. Relax your baseDN to the domain level and use filters to limit results.

Thats no option because we would match users who are not allowed to get access to the jabber service. The provided basedn is the search base for allowed users. Otherwise we need to set attributes in the user layout to deny access.

If there is no way to use aliases in openfire we need to drop the idea of aliases and set attributes, but alias support in openfire makes no sense if it does not work.

Btw. I looked at the openfire code, the problem is in “LdapManager.java” function “checkAuthentication”:

env.put(Context.SECURITY_PRINCIPAL, userDN + “,” + baseDN);

With a resolved alias this doesn’t really work. I will try to fix it but since I’m not a java expert I would be very pleased if a Openfire dev could take a look.

If you create an active directory group and add valid users to that group then a baseDN at the domain level and a user filter like this would limit the users to said group only:

(&(objectClass=organizationalPerson)(memberOf=cn=WebISteam,ou=ChatGroups,ou=acco unts,dc=domain,dc=com))