
LDAP, Groups and rosters

Hello Everybody,

I set up Jive 2.2.0 with LDAP authentication on Windows 2000 Server, which is a member server of a 2003 Active Directory. Jive authenticates users and I can see users and groups from Active Directory in the admin console.

The first and most important problem is with getting the roster (or contacts, as Exodus says): when a user who is a member of a visible group authenticates, he doesn't get contacts or presence information. If he's a member of an invisible group (Disable sharing group in rosters), he can log in successfully and can get the contacts list.

Problems also appear with showing rosters. When I change the group setting from “Show group in all users' rosters” to “Disable sharing group in rosters” several times, the group appears in rosters incorrectly. The first time it's OK, but the second time it loses some of its members. After a restart of the Jive service the group shows correctly and you can start again.

Can anybody help to solve those above?

jAn

You are probably experiencing an “Illegal JID” exception of some kind. Enable LDAP debug in your XML file to see which user or group is causing the problem.

Once you know the cause of the problem you can use the search filters to filter out the user or group that is causing the problem.

Greg

Greg,

Do you think the group LDAP code could be updated to escape the offending JIDs? JID escaping is built into the JID class we have – you just have to proactively do it.

-Matt

All users are escaped properly. In previous discussions we came to the conclusion that groups do not have to be escaped. Is this the case?

Greg

I think I see the problem. The code escapes the username to load it, but then adds the unescaped username to the member list. That's how illegal JID exceptions can pop up. How does the following code look (from the populate group method of LdapGroupProvider)? I also added a comment to the top of it which I'm not positive is true.

```java
// A search filter may have been defined in the LdapUserProvider.
// Therefore, we have to try to load each user we found to see if
// it passes the filter.
try {
    // In order to lookup a username from the manager, the username
    // must be a properly escaped JID node.
    String escapedUsername = JID.escapeNode(username);
    userManager.getUser(escapedUsername);
    // No exception, so the user must exist. Add the user as a group
    // member using the escaped username.
    members.add(escapedUsername);
}
catch (UserNotFoundException e) {
    // The user could not be loaded, so it is not added as a member.
}
```

-Matt
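Added example (not code from Jive Messenger or from the posters): a self-contained sketch of the mismatch described in the post above, where a name is escaped for the lookup but stored unescaped in the member list. `escapeNode` is a simplified stand-in for `JID.escapeNode` that follows the XEP-0106 character table, `isLegalNode` and `populate` are hypothetical helpers, and the directory names are constructed.

```java
import java.util.ArrayList;
import java.util.List;

public class GroupMemberEscaping {
    // Characters that XEP-0106 (JID Escaping) does not allow in a JID node.
    private static final String FORBIDDEN = " \"&'/:<>@\\";

    // Simplified stand-in for JID.escapeNode (assumption): every forbidden
    // character becomes a backslash followed by its two-digit hex code.
    static String escapeNode(String node) {
        StringBuilder sb = new StringBuilder();
        for (char c : node.toCharArray()) {
            if (FORBIDDEN.indexOf(c) >= 0) {
                sb.append('\\').append(String.format("%02x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hypothetical validity check: no forbidden character may remain.
    // The backslash is tolerated because it introduces the escapes.
    static boolean isLegalNode(String node) {
        for (char c : node.toCharArray()) {
            if (c != '\\' && FORBIDDEN.indexOf(c) >= 0) return false;
        }
        return !node.isEmpty();
    }

    // escapeBeforeAdd=false mirrors the behaviour described in the post
    // (raw name stored); true mirrors the proposed change.
    static List<String> populate(List<String> ldapNames, boolean escapeBeforeAdd) {
        List<String> members = new ArrayList<>();
        for (String name : ldapNames) {
            String escaped = escapeNode(name); // the form used for the lookup
            members.add(escapeBeforeAdd ? escaped : name);
        }
        return members;
    }

    public static void main(String[] args) {
        // Constructed directory names, not taken from the thread.
        List<String> names = List.of("jsmith", "Mary O'Neil", "ops@branch");
        for (boolean fixed : new boolean[] {false, true}) {
            System.out.println(fixed ? "escaped member list:" : "raw member list:");
            for (String m : populate(names, fixed)) {
                System.out.println("  " + m + " -> " + (isLegalNode(m) ? "legal" : "ILLEGAL JID node"));
            }
        }
    }
}
```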

I went ahead and checked in these changes although I don't have a great way to test. This was filed as JM-378. I also filed and fixed JM-377 at the same time. Hopefully that latter change won't mess too many people up.

-Matt

I'm having a similar problem (at least I think).

I'm using an AD LDAP server. My users can authenticate, and the administration console lists all users and all groups (with the correct users inside the groups).

However, I cannot manage to get the groups to appear on my users' rosters.

I have another server configured not to use AD groups, on which I entered a group manually. This time, no problem to get the group to show up in the rosters.

Is this related with the fix described above?

If you use user.getUsername() won't the resulting username still be escaped?

Greg

Greg,

> If you use user.getUsername() won't the resulting username still be escaped?

Actually, no it won't. However, perhaps it should be. I can't really see any reason why this shouldn't be the case, so it's probably a bug that it's not escaped. I'll think about it a bit more to see if there's something I'm forgetting and then check in a fix.

-Matt

Thanks for your answer. I had several bad JIDs indeed.

jAn