
LDAP group oddities

I’ve recently gotten an OpenFire 3.3.0 server set up and have configured it to use LDAP. I changed my group filter so that only groups that start with OITS or DG-OITS will show up, and that works fine for the most part. But I have 2 oddities that have occurred.

First, there are two users that exist in a particular group who don’t show up in that group at all. If I go into Openfire and look at the group, it lists 19 members. But there are actually 21 members of that group. However if I go search for the 2 missing users in the Openfire user search, it shows that they are members of that group. So for some reason, the code that looks in a group and finds the members of that group is not registering them as members of that group, however the code that looks at the user and finds out which groups they belong to works fine.

The other oddity is that I have a user who has two accounts, an Admin ID and a non-Admin ID. Actually, most of us are set up this way, with no problems. For all of the users, our non-admin IDs are in a particular group, while our Admin IDs are not in that group (I’ve verified that it’s the same for this problem user). However when I look at the contact for this user in Spark (or in the OpenFire Groups interface) it shows his Admin ID as belonging to the group, and his non-Admin ID as not belonging to it. In Active Directory it shows correctly. But in OpenFire and Spark his IDs are reversed somehow.

I’ve cleared all of the caches in Openfire, and it has not corrected the problem. For the first two users above, I added them to another group that should show up in OpenFire and they still don’t show up.

It’s just these 3 users who seem to be showing up oddly. I don’t know if it’s some code weirdness or what, but I figured I’d let people know. We can obviously work around the problem by adding the 2 users manually, and having the 3rd user log in with his Admin ID. But it just seems strange that it should happen in the first place.

I’ve experienced this exact same “twilight zone-ish” problem… when going to the individual user details, it shows they are in said group(s), but when going to the specific group, they are M.I.A. I’ve cleared the cache, uninstalled the server, and re-installed, tried a fresh install on a completely different machine (actually testing Windows AND a Linux machine)… all with the same results. Another oddity is that I can create an identical type user (for example - user with problem is “test.user” and the identical user is “test.user1”) and the duplicated user WILL show up in the correct groups. I’ve tried to rename user accounts in Active Directory and finagle (sp?) it to appear, but the computer is smarter than I am.

I’ve also discovered yet ANOTHER weirdness - today, a user that WAS showing in the various groups suddenly “disappeared” from the group. It is the same symptoms as with the previous example - go to user details and it shows in the groups, but go to group details and not there. This is occurring with the latest users I’ve created, so I’m not sure if it’s a Windows thing or Openfire thing or a combination of the two.

If it helps any - OpenFire is installed on both a Win 2003 machine and a Linux (mandriva). Both are running OpenFire 3.3.1 pulling from our AD (groups and users). Any help would be greatly appreciated.

kurt

I’ve seen this too, I think I know why, but don’t know how to fix it. I did a tcpdump of the traffic to the ldap server when a group member was loading the roster. I can see a search for the members of the group and the ldap server returning all the DNs of the members. Then, I can see ldap searches for each of the group members - this search is for each sAMAccountName just with the base DN set and a simple filter (CN=). In the case of ALL the people who are not showing up, there are multiple results returned by this search. For us, this is a computer with the same name as the person and the person. In the case of the missing people, they have the computer listed first in the search results and the person record second. Some searches come back with the person first, then the computer and these users show up in the roster. I would think this search for users would have the searchFilter applied to it, but it does not.

Message was edited by: roba
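
The lookup described in the last post can be modelled offline to see why result order decides who appears in a group, and to list the accounts at risk. This is an added example with constructed data, not Openfire's code and not part of the thread; it assumes the first hit of the CN search is used and that a computer entry yields no roster member, and `DIRECTORY`, `roster` and `ambiguous_cns` are hypothetical names.

```python
BASE = "DC=example,DC=org"  # constructed base DN

# Constructed entries, listed in the order the server is assumed to return them.
DIRECTORY = [
    ("CN=asmith,OU=Computers," + BASE,
     {"cn": "asmith", "objectCategory": "computer", "sAMAccountName": "asmith$"}),
    ("CN=asmith,OU=Staff," + BASE,
     {"cn": "asmith", "objectCategory": "person", "sAMAccountName": "asmith"}),
    ("CN=bjones,OU=Staff," + BASE,
     {"cn": "bjones", "objectCategory": "person", "sAMAccountName": "bjones"}),
    ("CN=bjones,OU=Computers," + BASE,
     {"cn": "bjones", "objectCategory": "computer", "sAMAccountName": "bjones$"}),
    ("CN=clee,OU=Staff," + BASE,
     {"cn": "clee", "objectCategory": "person", "sAMAccountName": "clee"}),
]
# DNs the group search returns: always the person entries.
GROUP_MEMBERS = ["CN=%s,OU=Staff,%s" % (n, BASE) for n in ("asmith", "bjones", "clee")]


def search(cn, person_only=False):
    """Subtree search under BASE for (CN=<cn>), optionally ANDed with a person filter."""
    hits = [(dn, a) for dn, a in DIRECTORY
            if dn.endswith(BASE) and a["cn"].lower() == cn.lower()]
    if person_only:
        hits = [h for h in hits if h[1]["objectCategory"] == "person"]
    return hits


def cn_of(dn):
    """Leftmost RDN value of a DN (the constructed data has no escaped commas)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def roster(person_only):
    """Resolve each member DN by CN and keep only the first hit."""
    names = []
    for dn in GROUP_MEMBERS:
        hits = search(cn_of(dn), person_only)
        # Assumption: a first hit that is not a person produces no roster entry.
        if hits and hits[0][1]["objectCategory"] == "person":
            names.append(hits[0][1]["sAMAccountName"])
    return names


def ambiguous_cns():
    """CN values shared by more than one entry: the accounts that can go missing."""
    cns = [a["cn"].lower() for _, a in DIRECTORY]
    return sorted({cn for cn in cns if cns.count(cn) > 1})


if __name__ == "__main__":
    print("CN only:      ", roster(False))
    print("CN + person:  ", roster(True))
    print("ambiguous CNs:", ambiguous_cns())
```

With the CN-only search, `asmith` is dropped because the computer entry comes back first, while `bjones` survives only because of result order; both are reported by `ambiguous_cns()`.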