Hello friends!
I’m having a very strange problem here. I’m using Openfire 3.6.4 and Windows 2003 AD; as we have multiple domains, we’re using the global catalog to query the AD through port 3268.
Everything works very fine, except for one user called “cdp” who is under a child domain.
We have the following structure:
domain.intra+
-------------------office1.domain.intra
-------------------office2.domain.intra
-------------------office3.domain.intra
-------------------office4.domain.intra
-------------------office5.domain.intra
I have built an OU under domain.intra where I created Universal Groups that hold the users and the roster groups, like this:
Openfire_Users => This is a universal group that holds all the users allowed to log in to Openfire, so I used the following as ldap.searchFilter:
(&(objectClass=organizationalPerson)(memberOf=CN=Openfire_Users,OU=Openfire,DC=domain,DC=intra))
So, the user can be in any sub domain, but must be a member of this group to be able to login.
After this we created a group that holds the groups used to fill up the rosters:
Openfire_Groups => This is a universal group that holds other universal groups that actually have the members of the various departments; the members of Openfire_Groups would be like the following groups:
Dept1_Users => This universal group is a member of Openfire_Groups and holds the users from department 1
Dept2_Users => This universal group is a member of **Openfire_Groups** and holds the users from department 2
Dept3_Users => This universal group is a member of Openfire_Groups and holds the users from department 3
Dept4_Users => This universal group is a member of Openfire_Groups and holds the users from department 4
So we have this as **ldap.groupSearchFilter**:
(&(objectClass=group)(memberOf=CN=Openfire_Groups,OU=Openfire,DC=domain,DC=intra))
This way, only the users that are members of Openfire_Users and groups that are members of Openfire_Groups are shown on the Administration Console, making things clear.
Well, like I said, everything works well, but it seems impossible to get a user called cdp working on this scene. When I check the contents of Dept1_Users (where the user cdp is located) I can see all users, but the user “cdp” looks like:
cn=cdp,ou=user_accounts,dc=domain,dc=intra@openfireserver.domain.intra*
*Remote users must accept presence subscription automatically
The strangest thing is that if I go to AD and rename “cdp” to anything else, like “cdpi”, it works with no problem. Then if I rename it back to “cdp” it stops working again.
This behaviour only occurs when using the global catalog port (3268); using 389, things work as they should.
I have built a test environment with a completely new AD 2003 server and Openfire (Red Hat Linux) and it has shown the same strange behaviour.
Would it be a bug?
Thanks for any help, sorry for the long text.