LDAP Group Mystery

I'm having a problem with some users being excluded from the LDAP group that I set up.

Note: I have replaced the names to protect the innocent.

Environment:

Directory Server(s): Windows Server 2003 Active Directory

Wildfire Server: Windows Server 2003; Wildfire version 3.0.1

All users are in a group called IMUsers that I placed under the built-in Groups OU. All users are enabled and they have active accounts. Users' primary OU is called "MyDomainUsers".

Here is the LDAP portion of my wildfire.xml file:

<ldap>
  <host>dc1.mydomain.com,dc2.mydomain.com</host>
  <port>389</port>
  <baseDN>DC=mydomain,DC=com</baseDN>
  <usernameField>sAMAccountName</usernameField>
  <nameField>displayName</nameField>
  <emailField>mail</emailField>
  <adminDN>myadmin@mydomain.com</adminDN>
  <adminPassword>thepassword</adminPassword>
  <debugEnabled>false</debugEnabled>
  <posixMode>false</posixMode>
  <clientSideSorting>true</clientSideSorting>
  <!-- {0} is Wildfire's placeholder for the username being looked up -->
  <searchFilter>
    <![CDATA[
    (&(objectCategory=Person)(objectClass=user)(memberOf=CN=IMUsers,OU=Groups,DC=mydomain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName={0}))
    ]]>
  </searchFilter>
  <groupNameField>cn</groupNameField>
  <groupMemberField>member</groupMemberField>
  <groupDescriptionField>description</groupDescriptionField>
  <!-- {0} here is the member DN Wildfire is checking group membership for -->
  <groupSearchFilter>
    <![CDATA[
    (&(objectClass=group)(cn=IMUsers)(member={0}))
    ]]>
  </groupSearchFilter>
</ldap>

Here is the provider portion of the wildfire.xml file:

<provider>
  <user>
    <className>org.jivesoftware.wildfire.ldap.LdapUserProvider</className>
  </user>
  <group>
    <className>org.jivesoftware.wildfire.ldap.LdapGroupProvider</className>
  </group>
  <auth>
    <className>org.jivesoftware.wildfire.ldap.LdapAuthProvider</className>
  </auth>
</provider>

I have the debug log turned on. Here is what I've noticed; users that show up in the group roster show the following:

2006.08.18 13:52:20 Trying to find a user's DN based on their username. sAMAccountName: john, Base DN: DC=mydomain,DC=com…

Users that don't show up in the group roster show the following:

2006.08.18 11:36:16 Trying to find a user's DN based on their username. sAMAccountName: cn=jane smith,ou=mydomainusers,dc=mydomain,dc=com, Base DN: DC=rmls,DC=com…

After that message, this shows:

2006.08.18 11:36:16 User DN based on username 'cn=jane smith,ou=mydomainusers,dc=mydomain,dc=com' not found.

2006.08.18 11:36:16 Exception thrown when searching for userDN based on username 'cn=jane smith,ou=mydomainusers,dc=mydomain,dc=com'

org.jivesoftware.wildfire.user.UserNotFoundException: Username cn=jane smith,ou=mydomainusers,dc=mydomain,dc=com not found
    at org.jivesoftware.wildfire.ldap.LdapManager.findUserDN(LdapManager.java:511)
    at org.jivesoftware.wildfire.ldap.LdapManager.findUserDN(LdapManager.java:439)
    at org.jivesoftware.wildfire.ldap.LdapUserProvider.loadUser(LdapUserProvider.java:69)
    at org.jivesoftware.wildfire.user.UserManager.getUser(UserManager.java:171)
    at org.jivesoftware.wildfire.ldap.LdapGroupProvider.populateGroups(LdapGroupProvider.java:483)
    at org.jivesoftware.wildfire.ldap.LdapGroupProvider.getGroups(LdapGroupProvider.java:210)
    at org.jivesoftware.wildfire.group.GroupManager.getSharedGroups(GroupManager.java:232)
    at org.jivesoftware.wildfire.roster.RosterManager.getSharedGroups(RosterManager.java:169)
    at org.jivesoftware.wildfire.roster.Roster.<init>(Roster.java:89)
    at org.jivesoftware.wildfire.roster.RosterManager.getRoster(RosterManager.java:94)
    at org.jivesoftware.wildfire.user.User.getRoster(User.java:289)
    at org.jivesoftware.wildfire.handler.IQRosterHandler.manageRoster(IQRosterHandler.java:187)
    at org.jivesoftware.wildfire.handler.IQRosterHandler.handleIQ(IQRosterHandler.java:104)
    at org.jivesoftware.wildfire.handler.IQHandler.process(IQHandler.java:48)
    at org.jivesoftware.wildfire.IQRouter.handle(IQRouter.java:268)
    at org.jivesoftware.wildfire.IQRouter.route(IQRouter.java:96)
    at org.jivesoftware.wildfire.spi.PacketRouterImpl.route(PacketRouterImpl.java:67)
    at org.jivesoftware.wildfire.net.SocketReader.processIQ(SocketReader.java:247)
    at org.jivesoftware.wildfire.net.ClientSocketReader.processIQ(ClientSocketReader.java:51)
    at org.jivesoftware.wildfire.net.SocketReader.process(SocketReader.java:213)
    at org.jivesoftware.wildfire.net.BlockingReadingMode.readStream(BlockingReadingMode.java:156)
    at org.jivesoftware.wildfire.net.BlockingReadingMode.run(BlockingReadingMode.java:62)

Here is what I don't understand. According to this in the log (Trying to find a user's DN based on their username. sAMAccountName:) it should be trying to find a user by their sAMAccountName, but for the ones that don't work it appears to be using their distinguishedName instead of their sAMAccountName.

I've verified this information using Softerra's LDAP Browser 2.6.

Does anyone know why this would be happening?

Thanks,

Carlos

Anyone know why this is happening? This is a showstopper for our Wildfire installation.

I found a temporary workaround for this.

I had to relax my search filter.

It's now:

<searchFilter>
  <![CDATA[
  (&(objectCategory=Person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName={0}))
  ]]>
</searchFilter>

Instead of:

<searchFilter>
  <![CDATA[
  (&(objectCategory=Person)(objectClass=user)(memberOf=CN=IMUsers,OU=Groups,DC=mydomain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName={0}))
  ]]>
</searchFilter>

Now, I can only surmise that this is a bug in the software because using the LDAP browser, I'm able to type in the query of: (&(objectCategory=Person)(objectClass=user)(memberOf=CN=IMUsers,OU=Groups,DC=mydomain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2))

and return the users that I want.

I should note that this is only a workaround since it does load up ALL of the users in my domain (BAD), but users can't see them in their IM client (because the group search works properly).

Carlos

Hi Carlos,

I'm using both a search filter and group search filter to limit my IM users:

<![CDATA[
(&(objectClass=group)(memberOf=CN=IMAccess,CN=Users,DC=mydomain,DC=com)(member={0}))
]]>

With the exception of the DCs at the end, this is from a working install which is in use right now.

Message was edited by: bugmenot user

bugmenot user,

Thanks for your input.

I finally fixed it. It turns out that it was a permissions issue with the user that I set up to read from the Active Directory. Once I modified the permissions, it worked. Since the documentation says that the user doesn't need special rights I didn't give my user any specific rights, therefore it was using the "Authenticated Users" group to read the permissions.

Unfortunately, the "Authenticated Users" group didn't have the following rights to some of the missing users:

Read Account Restrictions

Read Group Membership

Read Logon Information

Read Phone and Mail Options

Read Remote Access Information

Once I added these permissions to the user (in Windows Server 2003 Active Directory it's under the security tab for the user), I was able to see the user, search for the user, and see the user in the group roster.

Carlos
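The thread's two findings, that the strict filter dropped users the bind account could not fully read while the relaxed filter let every domain user through, can be reproduced offline with a small model of the lookup. The following is an added example written for this page, not code from the thread or from Wildfire. It parses the filters as posted (with Wildfire's `{0}` username placeholder), evaluates them against a constructed directory, and hides attributes per a constructed ACL. The modelled rule that an unreadable attribute behaves as if absent (so a clause on it is false and `(!(...))` on it is true), and the mapping of the "Account Restrictions" property set to userAccountControl and "Group Membership" to memberOf, are assumptions consistent with what Carlos observed rather than anything the thread states; the user entries, DNs and ACL state are constructed sample data.

```python
"""Local model of the lookup that failed in this thread: Wildfire's user
searchFilter evaluated as a bind account that cannot read some AD attributes.
Added example, not Wildfire code; entries and ACLs are constructed data."""
import re

BITAND_OID = ":1.2.840.113556.1.4.803:"   # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 2                         # userAccountControl bit 0x2
IM_GROUP_DN = "CN=IMUsers,OU=Groups,DC=mydomain,DC=com"

# The two filters from the thread; {0} is Wildfire's placeholder for the username.
STRICT_FILTER = ("(&(objectCategory=Person)(objectClass=user)(memberOf=%s)"
                 "(!(userAccountControl%s=%d))(sAMAccountName={0}))"
                 % (IM_GROUP_DN, BITAND_OID, ACCOUNTDISABLE))
RELAXED_FILTER = ("(&(objectCategory=Person)(objectClass=user)"
                  "(!(userAccountControl%s=%d))(sAMAccountName={0}))"
                  % (BITAND_OID, ACCOUNTDISABLE))

def render_filter(template, username):
    """Substitute {0} with RFC 4515 escaping so 'x)(cn=*' cannot add clauses."""
    escaped = "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in username)
    return template.replace("{0}", escaped)

def parse_filter(text):
    """Recursive-descent parser for the subset used here: &, |, !, equality and
    the AD bitwise-AND extensible match.  Returns a nested tuple tree."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op, children = text[pos], []
            pos += 1
            while text[pos] == "(":
                children.append(node())
            pos += 1                                   # closing ')'
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")  # value may itself be a DN
        pos = end + 1
        if attr.endswith(BITAND_OID):
            return ("bitand", attr[:-len(BITAND_OID)].lower(), int(value))
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
        return ("eq", attr.lower(), value)
    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree

def matches(node, entry):
    """Evaluate a filter tree against an entry as the bind account sees it.
    Modelled AD rule (assumption): an attribute the caller may not read is
    absent, so a clause on it is false and (!(clause)) on it is true."""
    kind = node[0]
    if kind in "&|":
        combine = all if kind == "&" else any
        return combine(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    if kind == "eq":
        return any(v.lower() == node[2].lower() for v in values)
    return any(int(v) & node[2] == node[2] for v in values)   # bitand

def _user(cn, sam, uac, groups):
    # objectCategory kept as the short class name, which is how AD lets filters write it.
    return ("CN=%s,OU=MyDomainUsers,DC=mydomain,DC=com" % cn,
            {"objectcategory": ["Person"], "objectclass": ["top", "person", "user"],
             "samaccountname": [sam], "useraccountcontrol": [str(uac)], "memberof": groups})

# Constructed directory: two IM users, one non-member, one disabled member.
DIRECTORY = dict([_user("John Smith", "john", 512, [IM_GROUP_DN]),
                  _user("Jane Smith", "jane", 512, [IM_GROUP_DN]),
                  _user("Bob Jones", "bob", 512, []),
                  _user("Dave Disabled", "dave", 512 | ACCOUNTDISABLE, [IM_GROUP_DN])])
# The property sets named in the thread's fix and the attributes assumed to be covered.
PROPERTY_SETS = {"Account Restrictions": {"useraccountcontrol"},
                 "Group Membership": {"memberof"}}
# Constructed ACL state: before the fix, Jane's object denies both sets to the
# bind account (effectively Authenticated Users); after the fix nothing is denied.
BROKEN_ACL = {"CN=Jane Smith,OU=MyDomainUsers,DC=mydomain,DC=com":
              {"Account Restrictions", "Group Membership"}}
FIXED_ACL = {}

def as_seen_by(entry, denied_sets):
    hidden = set().union(*(PROPERTY_SETS[s] for s in denied_sets))
    return {k: v for k, v in entry.items() if k not in hidden}

def find_user_dn(template, username, acl):
    """What LdapManager.findUserDN effectively does: run the rendered filter and
    return matching DNs (Wildfire expects exactly one; zero is UserNotFoundException)."""
    tree = parse_filter(render_filter(template, username))
    return [dn for dn, attrs in DIRECTORY.items()
            if matches(tree, as_seen_by(attrs, acl.get(dn, set())))]

if __name__ == "__main__":
    for user in ("john", "jane", "bob", "dave"):
        print(user, "strict/broken:", find_user_dn(STRICT_FILTER, user, BROKEN_ACL),
              "relaxed/broken:", find_user_dn(RELAXED_FILTER, user, BROKEN_ACL),
              "strict/fixed:", find_user_dn(STRICT_FILTER, user, FIXED_ACL))
```

Under BROKEN_ACL the strict filter finds john but not jane, which is the UserNotFoundException in the trace; the relaxed filter finds jane again because the `(!(userAccountControl...))` clause passes on an attribute the account cannot read, but it also finds bob, who is not an IMUsers member, which is the "loads ALL users" side effect. Under FIXED_ACL the strict filter finds jane, still rejects bob, and rejects the disabled dave. The same model also shows why the username must be escaped before substitution: Wildfire builds the filter from the client-supplied username, so `render_filter` is where an injected `)(` would otherwise land.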