powered by Jive Software

Myster AD User showing differently in Group/User lists

I have a strange issue that I either don’t know how to search for, or can’t find anything related to. I have single sign-on up and working with Active Directory, OpenFire 3.6.3, only 13 users right now, all using Spark 2.5.8. This is part of a planned larger deployment on Citrix servers for thin clients in testing still.

Now the strangeness: I have a user who has worked for the company twice in the same position, old user name first initial, last name, new user name first initial, last name, then the number 2; flast and flast2.

The old user account in AD is only a member of Domain Users

The new user account in AD is a member of a global security group created for OpenFire, SSSpark for short among others.

The user filter I am using is set to only members of the AD group ‘Published’, containing all active users; (memberOf=CN=Published,OU=Our_ Users,DC=domain,DC=com)(objectClass=user).

The group filter is set as (|(CN=SSSpark)) with more groups to be added later in deployment. This was to avoid headaches as our AD is set up unusually for this use.

BaseDN is DC=domain,DC=com

In web admin, under the users list I see the entire company’s active users. The only listing for this particular user is flast2, which is correct.

In the edit group members listing for SSSpark group, it shows everyone by their domain login name except the user stated, who is showing as flast@server.domain.com with the * by it, which says at the bottom “* Note: Remote users or entities should accept presence subscriptions automatically”

Any ideas?

Update: After receiving permission to delete the old user in AD and clearing OpenFire’s cache, everything is showing correctly. The issue is now resolved, but I still would like an answer for the following:

Why did a user who would not make it (and did not, according to the user list) through the user filter, show up in a group that the user was not a member of, while the correctly named user was listed in the users list, but not as a member of the group? e.g.

FLast - old account - only member of Domain Users - not listed in Users on OpenFire - shows as a member of SSSpark in Groups as FLast@server.domain.com

FLast2 - new account - member of SSSpark - listed in Users on OpenFire - does NOT show as a member of SSSpark in OpenFire Groups

and, after deleting the old user account in AD, everything shows correctly. The only thing the two user account had in common was first and last name and display name - there was not even an Exchange property in common.

The only behavoir I can think of that could produce this result is a query of the cn of each group member, then a query for either the first found match of that cn found in AD, which would produce the issue in our case if the search was either for the oldest object first or the object closest to the root of the BaseDN first. Either way assumes a unique cn in AD, which may be true in many cases, but certainly not all; especially when one user has different accounts with the same cn but different user logons. This should be fairly easy to duplicate given this information and I would be willing to test for any developers who want to contact me.