LdapGroupProvider - drops users with duplicate display names, different OUs


I hope this is the right place to report a problem with LdapGroupProvider in Openfire 3.9.3.

SUMMARY: Active Directory users with duplicate display names are not listed properly in a group. The account list is reduced to the first matching entry. For example, the following three entries:

CN=John Doe,OU=OU1,DC=example,DC=com
CN=John Doe,OU=OU2,DC=example,DC=com
CN=John Doe,OU=OU3,DC=example,DC=com

will result in only the first user being listed, with the 2 others dropped.

The problem appears to be in LdapGroupProvider::processGroup function, where a search is performed by essentially using only the first part of the DN, without checking for potential multiple results.

```java
import java.text.MessageFormat;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;

// Create an LDAP name with the full DN.
LdapName ldapName = new LdapName(username);
// Turn the LDAP name into something we can use in a
// search by stripping off the comma.
StringBuilder userFilter = new StringBuilder();
// Only the leading RDN (e.g. "CN=John Doe") goes into the filter;
// the OU part of the DN, which distinguishes the duplicates, is discarded.
userFilter.append(ldapName.get(ldapName.size() - 1));
userFilter.append(MessageFormat.format(manager.getSearchFilter(), "*"));

NamingEnumeration usrAnswer = ctx.search("",
        userFilter.toString(), searchControls);
if (usrAnswer != null && usrAnswer.hasMoreElements()) {
    Attribute usernameAttr = ((SearchResult) usrAnswer.next()).getAttributes().get(manager.getUsernameField());
    if (usernameAttr != null) {
        // The problem is here, when search returns multiple results. The line below truncates all duplicate entries into one account.
        username = (String) usernameAttr.get();
    }
}
```

It looks like this logic is incorrect. I hope someone can help fix this.

I apologize if this is an already known issue.

Noticing the issue on my end as well.

I can see my User Account in the Openfire User Summary page. I also show the column on the right to have the correct groups I’m a member of.

However, if I click one of those groups in the column, I don’t see my username listed as a member. Odd. But I see a different sAMAccount listed that shares the same First & Last Name as my user account.

Similar issue from the Spark client. In my group list, only 1 AD account is shown that has my First/Last name, but the other AD account with a different sAMAccountname but identical First and Last name doesn’t show up ever.

The displayname attribute is actually unique but it’s seen as a duplicate because of the duplicate First and Last name.

I am on Openfire 3.10.2 running on Windows 2012 R2.

I have documented the problem with a detailed explanation and a fix at Resolve an issue with Openfire when some users are not seen in LDAP directory.

The problem occurs because, when a search for a user using the CN part returns multiple results, only the first result is used to populate a group.

One needs to modify the code in 2 places for the search to work properly. The link above has a modified openfire.jar (code base 3.10.3), that you can try to see if it helps.

The patch is attached.
LdapGroupProvider.patch.zip (936 Bytes)
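To make the failure mode concrete, here is an added Python model of the lookup (not the reporter's code, not Openfire's, and not the attached patch). The directory and group are constructed in memory from the DNs in the first post; `first_rdn` and `search_by_rdn` stand in for the `LdapName` / `ctx.search` calls, the "buggy" resolver takes the first hit as the quoted code does, and the "fixed" resolver keeps only the hit whose full DN equals the group member's DN.

```python
# Constructed directory: full DN -> the attribute Openfire uses as the username.
DIRECTORY = {
    "CN=John Doe,OU=OU1,DC=example,DC=com": "jdoe1",
    "CN=John Doe,OU=OU2,DC=example,DC=com": "jdoe2",
    "CN=John Doe,OU=OU3,DC=example,DC=com": "jdoe3",
    "CN=Jane Roe,OU=OU1,DC=example,DC=com": "jroe",
}

# Constructed group: its 'member' attribute lists the three John Doe DNs.
GROUP_MEMBERS = [dn for dn in DIRECTORY if dn.startswith("CN=John Doe")]


def first_rdn(dn: str) -> str:
    """Leading RDN of a DN, e.g. 'CN=John Doe' (what ldapName.get(size-1) yields)."""
    return dn.split(",", 1)[0].strip()


def search_by_rdn(rdn: str) -> list:
    """Stand-in for ctx.search("", "<rdn><searchFilter>", subtree scope):
    every entry whose leading RDN matches, as (dn, username) pairs."""
    return [(dn, user) for dn, user in DIRECTORY.items()
            if first_rdn(dn).lower() == rdn.lower()]


def resolve_members_buggy(member_dns) -> set:
    """Reported behaviour: search on the RDN only and take the first hit,
    so every 'CN=John Doe' member collapses onto the same account."""
    users = set()
    for dn in member_dns:
        hits = search_by_rdn(first_rdn(dn))
        if hits:                    # usrAnswer.hasMoreElements()
            users.add(hits[0][1])   # usrAnswer.next(): first result only
    return users


def resolve_members_fixed(member_dns) -> set:
    """Disambiguate on the full DN: keep the hit whose DN equals the member DN.
    Simplification: DNs are compared as lower-cased strings; real code should
    compare normalised LdapName objects (or search with the member DN as the
    base and OBJECT scope) so escaping and whitespace differences do not matter."""
    users = set()
    for dn in member_dns:
        for hit_dn, user in search_by_rdn(first_rdn(dn)):
            if hit_dn.lower() == dn.lower():
                users.add(user)
    return users
```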

Could you kindly submit this as a Pull Request against our github openfire repo?

I tried, see pull request #474, but it looks like this fails:

/home/travis/build/igniterealtime/Openfire/build/build.xml:664: Test org.jivesoftware.openfire.keystore.CheckChainTrustedTest failed