I am using OpenFire 3.3.2 installed via RPM on RedHat AS 3 with LDAP authentication configured for Active Directory. We have created a shared contact list (roster) using an existing LDAP group (let's call it DeptIT). The DeptIT LDAP group contains 46 users, but some of them show up differently in the group members list in the OpenFire administrative interface and do not appear at all in the client.
Using tcpdump to watch the communications between my OpenFire server and my AD, I can see what appears to be the traffic populating this group. First, there is a search for the members of the group DeptIT, which returns the DNs of all 46 group members. Next, there are 46 individual queries, one for each member of the group. This search is looking for the sAMAccountName attribute of the user, with a simple CN filter (i.e. CN=bob) and our base DN. The query uses no other filters (even though we have a searchFilter specified in the config). Usually, the query produces only one response per person, but for a few people (the ones missing from the roster!) LDAP produces 2 responses. In the case of the missing people, the first response received is a computer registered with the domain that has the same starting CN as the user (i.e. CN=bob,CN=computer,DC=xxx,DC=yyy and CN=bob,OU=staff,OU=accounts,DC=xxx,DC=yyy). If the response comes back with the person listed first, they show up in the roster.
I can see two possible fixes, but do not know how to implement either: 1) have OpenFire use the complete DN of the user when it's performing the second search, or 2) have OpenFire use the "searchFilter" from the config so that only users (and no computers) come back in the response. Any ideas?
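The lookups described in the post, reproduced as an added example (this is not OpenFire's code and does not talk to a real directory): a small in-memory LDAP search simulator holds constructed entries for a computer account and a user account that both have CN=bob, and the three resolution strategies are run against it. `resolve_naive` mirrors the observed behaviour (subtree search on a bare `(cn=...)` filter, first hit wins), `resolve_by_dn` is fix 1 (a base-scope read of the member DN the group search already returned), and `resolve_with_search_filter` is fix 2 (AND the configured searchFilter with the CN test). The base DN `DC=example,DC=com`, the entry contents and the searchFilter `(&(objectCategory=person)(objectClass=user))` are assumptions for the demonstration. The CN lifted from each member DN is RFC 4515-escaped before it is placed in a filter, so a CN containing `*`, `(` or `)` cannot change what the filter matches.

```python
"""Added example (not OpenFire code): why a bare (cn=...) lookup returns the
wrong object, and two ways to make member resolution unambiguous."""
import re

BASE_DN = "DC=example,DC=com"   # assumed base DN for the example

# Constructed entries standing in for the AD objects described in the post.
# Attribute names are stored lower-cased and values as lists.
DIRECTORY = [
    ("CN=bob,CN=Computers,DC=example,DC=com",
     {"cn": ["bob"], "objectclass": ["top", "person", "user", "computer"],
      "objectcategory": ["computer"], "samaccountname": ["BOB$"]}),
    ("CN=bob,OU=staff,OU=accounts,DC=example,DC=com",
     {"cn": ["bob"], "objectclass": ["top", "person", "user"],
      "objectcategory": ["person"], "samaccountname": ["bob"]}),
    ("CN=alice,OU=staff,OU=accounts,DC=example,DC=com",
     {"cn": ["alice"], "objectclass": ["top", "person", "user"],
      "objectcategory": ["person"], "samaccountname": ["alice"]}),
]

# AD computer objects carry objectClass=user as well, so (objectClass=user)
# alone would not exclude them; objectCategory=person is the usual test.
SEARCH_FILTER = "(&(objectCategory=person)(objectClass=user))"   # assumed config value


def escape_filter_value(value):
    """RFC 4515 escaping: a CN lifted from a DN must not be able to alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def rdn_cn(dn):
    """Value of the leading CN RDN, with RFC 4514 escapes (\\, and \\XX) undone."""
    m = re.match(r"(?i)cn=((?:\\.|[^,])*)", dn)
    if not m:
        raise ValueError("DN does not start with a CN RDN: %r" % dn)
    return re.sub(r"\\([0-9a-fA-F]{2}|.)",
                  lambda e: chr(int(e.group(1), 16)) if len(e.group(1)) == 2 else e.group(1),
                  m.group(1))


# --- tiny LDAP search simulator: just enough to evaluate the filters above ---
def _parse_filter(s):
    """Parse (&...), (|...), (!...) and (attr=value) into a tree."""
    def parse(i):
        if s[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if s[i] in "&|!":
            op, kids, i = s[i], [], i + 1
            while s[i] == "(":
                node, i = parse(i)
                kids.append(node)
            return (op, kids), i + 1            # skip the closing ')'
        j = s.index(")", i)
        attr, _, val = s[i:j].partition("=")
        val = re.sub(r"\\([0-9a-fA-F]{2})", lambda e: chr(int(e.group(1), 16)), val)
        return ("=", attr.lower(), val), j + 1
    node, end = parse(0)
    if end != len(s):
        raise ValueError("trailing data in filter")
    return node


def _matches(node, attrs):
    op = node[0]
    if op == "&":
        return all(_matches(k, attrs) for k in node[1])
    if op == "|":
        return any(_matches(k, attrs) for k in node[1])
    if op == "!":
        return not _matches(node[1][0], attrs)
    _, attr, val = node
    values = attrs.get(attr, [])
    if val == "*":                              # presence test, e.g. (objectClass=*)
        return bool(values)
    return any(v.lower() == val.lower() for v in values)


def _norm_dn(dn):
    # Sufficient for this constructed data; real DNs may contain escaped commas.
    return ",".join(p.strip() for p in dn.split(",")).lower()


def search(base, scope, filter_str):
    """Return matching DNs in directory order, as a server is free to do."""
    node, base, hits = _parse_filter(filter_str), _norm_dn(base), []
    for dn, attrs in DIRECTORY:
        n = _norm_dn(dn)
        in_scope = n == base if scope == "base" else (n == base or n.endswith("," + base))
        if in_scope and _matches(node, attrs):
            hits.append(dn)
    return hits


def resolve_naive(member_dn):
    """Observed behaviour: subtree search on (cn=<rdn>) only; the caller takes hits[0]."""
    return search(BASE_DN, "sub", "(cn=%s)" % escape_filter_value(rdn_cn(member_dn)))


def resolve_by_dn(member_dn):
    """Fix 1: base-scope read of the full member DN returned by the group search."""
    return search(member_dn, "base", "(objectClass=*)")


def resolve_with_search_filter(member_dn, search_filter=SEARCH_FILTER):
    """Fix 2: AND the configured searchFilter with the CN test so computers cannot match."""
    cn = escape_filter_value(rdn_cn(member_dn))
    return search(BASE_DN, "sub", "(&%s(cn=%s))" % (search_filter, cn))


if __name__ == "__main__":
    bob = "CN=bob,OU=staff,OU=accounts,DC=example,DC=com"
    print("naive :", resolve_naive(bob))          # computer object comes back first
    print("by DN :", resolve_by_dn(bob))
    print("filter:", resolve_with_search_filter(bob))
```

Of the two fixes, the base-scope read is the stronger one: the group membership attribute already names the exact object, so searching again by CN only reintroduces ambiguity, and it makes the result independent of which entry the server happens to return first. The combined filter still helps as defence in depth, since it also stops a non-user object from ever being treated as a roster entry.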