I’m using an LDAP server, where the group membership only includes the user Id as the group member, so I end up with my group members shown as
and so on, instead of a name. I was debugging the LdapGroupProvider class and was wondering how to address this problem.
I guess there are two options
Make the user manager grab the user Id when it fetches users from ldap and the group provider can correlate against the local user cache
Make the group provider do a lookup of the user by it’s group membership id.
Neither of these are trivial, (1) would require changes to the user management - I’m not sure the size of this and (2) would require some way to configure this operation mode and then further searches to lookup the memberships.
Even having done this, I’m not sure of the implications of group handling in the rest of Openfire and also the issue of performance might make this impractical.
Does anyone have any comments on whether there is a simpler way to address this or what might be the best approach. The LDAP server is cast in stone, so there’s nothing that can be done there.
Can you show me your ldap.* properties? I assume you are running with ldap.posixMode=true
Basically the LDAP manager does follow the process you have described (it loads user entry for each group member out of cache or the server), it just uses ldap.usernameField to construct JID (username@domain). In case of local groups (what I have) only userid (local part of JID) is shown, not even a name.
Do I understand correctly - you’d like to have ldap.nameField displayed in addition to the userid?
The twM group member attribute in the group needs to cause a seach of that member for a matching twId attribute, which may be a user, or it may be a nested group object. If it is a user object, it should then either be able to get the ldap.usernameField or the ldap.emailField, which is then the user part of the JID. If using email, of course it will have to use the LHS of the mail address - I know Openfire can and will only support a single domain.
Currently we are using ldap.usernameField to make the JID, but in practice, we’d want to use the LHS of the mail address, which is something I don’t think we can do.
It’s not so important to have the name displayed in the admin console for group members, that’s not our issue.
I suppose changing ldap.usernameField to mail won’t make it?
I guess what could be done in this case is to ask GroupManager to store some structure instead of just JIDs in the list of group members. This would have to be changed across all group management implementations, not only LDAP’s
Using mail as the username field does not work. You cannot add any admin users. If you use the left hand side of the mail address, it can’t find it and if you use the full email address it gives an exceptio onscreen saying it’s an invalid JID