Parsing LDAP group members weirdness

Hi,

We are using openfire v3.6.4 in our environment. We are using Active Directory for users and groups. There are around 400 users and around 100 Active Directory groups. This setup has been working properly for all the users (except three).

For three users: These users are able to login to openfire and chat with others properly. The only issue arises when populating “group based buddies”.

I will start with one user as an example: When we search for this user using “user search” (present under the users and groups page of the admin console), openfire gets all the details properly (status, groups etc.). But, when we try to search for any group (in which the user is a member), this user doesn’t show up under the members of that group. openfire logs the below mentioned error messages when it is trying to retrieve the group members. This happens with all the groups a user is part of. This behavior is the same for these three users (not sure why), but all others work properly.

I can post the values of various ldap related properties (including search filters etc.), but I really don’t see an issue here because the setup has been working properly for all other users. Any inputs to resolve this would be highly appreciated.

2010.01.04 09:45:04 LdapManager: Trying to find a user’s DN based on their username. sAMAccountName: cn=FIRST LAST,ou=users,ou=LOCATION,ou=us,ou=north america,dc=corp,dc=COMPANY,dc=com, Base DN: dc=“corp”,dc=“COMPANY”,dc=“com”
2010.01.04 09:45:04 LdapManager: Creating a DirContext in LdapManager.getContext()…
2010.01.04 09:45:04 LdapManager: Created hashtable with context values, attempting to create context…
2010.01.04 09:45:04 LdapManager: … context created successfully, returning.
2010.01.04 09:45:04 LdapManager: Starting LDAP search…
2010.01.04 09:45:04 LdapManager: … search finished

2010.01.04 09:45:04 LdapManager: User DN based on username ‘cn=FIRST LAST,ou=users,ou=LOCATION,ou=us,ou=north america,dc=corp,dc=COMPANY,dc=com’ not found.
2010.01.04 09:45:04 LdapManager: Exception thrown when searching for userDN based on username 'cn=FIRST LAST,ou=users,ou=LOCATION,ou=us,ou=north america,dc=corp,dc=COMPANY,dc=com’
org.jivesoftware.openfire.user.UserNotFoundException: Username cn=FIRST LAST,ou=users,ou=LOCATION,ou=us,ou=north america,dc=corp,dc=COMPANY,dc=com not found
at org.jivesoftware.openfire.ldap.LdapManager.findUserDN(LdapManager.java:711)
at org.jivesoftware.openfire.ldap.LdapManager.findUserDN(LdapManager.java:637)
at org.jivesoftware.openfire.ldap.LdapUserProvider.loadUser(LdapUserProvider.java:80)
at org.jivesoftware.openfire.user.UserManager.getUser(UserManager.java:213)
at org.jivesoftware.openfire.ldap.LdapGroupProvider.processGroup(LdapGroupProvider.java:381)
at org.jivesoftware.openfire.ldap.LdapGroupProvider.getGroup(LdapGroupProvider.java:95)
at org.jivesoftware.openfire.group.GroupManager.getGroup(GroupManager.java:278)
at org.jivesoftware.openfire.group.GroupManager.getGroup(GroupManager.java:257)
at org.jivesoftware.openfire.group.GroupCollection$UserIterator.getNextElement(GroupCollection.java:103)
at org.jivesoftware.openfire.group.GroupCollection$UserIterator.hasNext(GroupCollection.java:66)
at org.jivesoftware.openfire.admin.group_002dedit_jsp._jspService(group_002dedit_jsp.java:479)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:66)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:42)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:70)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:146)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:324)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:829)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:514)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488)

Thanks,

Satish

I also took a quick look at the “processGroup” function (openfire_src/src/java/org/jivesoftware/openfire/ldap/LdapGroupProvider.java). If I understand correctly, this function extracts the userDN part from the full DN and finds the exact username of every ‘member’ of each group.

But looking at the logs, I am guessing that (due to some reason) openfire is failing to find the proper username (sAMAccountName) of these users. This is because openfire is trying to find the full DN (bold letters in the above quote), instead of the actual username (sAMAccountName), which is wrong. Could this be because openfire didn’t properly get the userDN part from the DN (cn=FIRST LAST,ou=users,ou=LOCATION,ou=us,ou=north america,dc=corp,dc=COMPANY,dc=com)?

Can anyone shed some light on this??

Thanks
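One way to sanity-check a group's member DNs against the configured base DN before blaming the lookup code, as an added Python helper that is not Openfire's own code: it splits each DN into RDNs (honouring RFC 4514 backslash escapes), checks that the entry sits under the base DN with a case-insensitive comparison, and flags leading RDNs whose value contains escaped characters. The base DN is taken from the log above; the member values are constructed samples, not real directory entries.

```python
def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into [(type, value), ...]. A backslash escapes the next
    character (RFC 4514), so 'cn=LAST\\, FIRST,...' yields ('cn', 'LAST, FIRST').
    Multi-valued RDNs joined with '+' are not handled."""
    rdns, buf, attr, i = [], [], None, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped char: keep it literally
            buf.append(dn[i + 1]); i += 2; continue
        if c == "=" and attr is None:       # first '=' ends the attribute type
            attr = "".join(buf).strip(); buf = []
        elif c == ",":                      # unescaped comma ends the RDN
            rdns.append((attr, "".join(buf).strip())); buf, attr = [], None
        else:
            buf.append(c)
        i += 1
    rdns.append((attr, "".join(buf).strip()))
    if any(a is None for a, _ in rdns):
        raise ValueError(f"malformed DN: {dn!r}")
    return rdns

def _norm(rdns):  # Active Directory compares DNs case-insensitively
    return [(a.lower(), v.lower()) for a, v in rdns]

def is_under_base(dn: str, base_dn: str) -> bool:
    """True when dn's trailing RDNs equal base_dn's RDNs."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) > len(b) and _norm(d)[-len(b):] == _norm(b)

def check_members(member_dns, base_dn) -> dict[str, str]:
    """Map each suspicious member DN to the reason it may trip a routine that
    strips the base DN and then looks the leading RDN up by username."""
    problems = {}
    for dn in member_dns:
        try:
            rdns = parse_dn(dn)
        except ValueError as e:
            problems[dn] = str(e); continue
        if not is_under_base(dn, base_dn):
            problems[dn] = "not under configured base DN"
        elif "\\" in dn or "," in rdns[0][1]:
            problems[dn] = "leading RDN contains escaped characters"
    return problems

BASE_DN = "dc=corp,dc=COMPANY,dc=com"  # base DN as it appears in the log above
MEMBERS = [  # constructed sample 'member' attribute values
    "cn=FIRST LAST,ou=users,ou=LOCATION,ou=us,ou=north america,dc=corp,dc=COMPANY,dc=com",
    "cn=LAST\\, FIRST,ou=users,ou=LOCATION,ou=us,ou=north america,dc=corp,dc=COMPANY,dc=com",
    "cn=Foreign User,ou=users,dc=partner,dc=example,dc=com",
]
if __name__ == "__main__":
    for dn, why in check_members(MEMBERS, BASE_DN).items():
        print(f"{why}: {dn}")
```

Run it against the real `member` values of one affected group (for example from an LDIF export) to see whether the three users' entries differ from the working ones in either respect.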

Was there ever a solution for this issue? I’m getting the same thing from the LDAPManager.

Was those three users’ group membership not changed recently?

We had the same issues (group population on the client) when users moved around groups, but an openfire restart and/or client relogin was fixing it right away.

Also, a quick search of this site

http://community.igniterealtime.org/search.jspa?peopleEnabled=true&userID=&containerType=&container=&spotlight=true&q=LdapManager%3A+Exception+thrown+when+searching+for+userDN+based+on+username

reveals a few posts that may be helpful in diagnosing the issue.