Potential LDAP bug?


I set up Openfire because I saw some good references to its ease of Active Directory authentication. So I installed it onto a Windows box and it went incredibly smoothly! However, our users are not stored in the cn=Users. The bug I believe I noticed is that one cannot authenticate when a CN has a space in it.

For example… the following functions just fine.


The following example does not work, presumably because of the space in the CN name…


We cannot easily change this to remove the space, as a number of other systems tie into this already, and while it currently works just fine using DC=DOMAINNAME… it’s a bit sloppy when PC names, system accounts, and whatnot will show up in user searches.

Would anyone know of a workaround?

Thank You.

I’m not sure at all that spaces in the base DN are not accepted - I’m pretty sure when I was playing around with the setup I had spaces and it worked just fine. However what I’ve ended up with (as our AD is a mess) is using the domain as the base DN - dc=DOMAINNAME and then using LDAP filters to cut down on the number of users and groups returned. At the moment I just use (objectCategory=Person) which cuts it down a bit, but you could probably use memberOf, mailnickname etc to filter it down a lot more.


Tie openfire into a specific group, put users you want to use openfire in the group.

Use this as a starting reference: http://www.igniterealtime.org/community/docs/DOC-1554

You can not use a CN in the baseDN. It should be an OU. CN is a designation for group names and users. OUs are the folders that contain the groups and users.

So…: ou=DOMAIN Users,dc=DOMAINNAME should work. Spaces should not be an issue but that being said you should not use spaces, slashes or other such characters in AD naming. Just because Microsoft is dumb enough to allow it does not mean you should use it.

We have our base DN tied to ourdomain.com.

We filter by (&(objectClass=user)(memberOf=CN=GROUP,OU=*,OU=*,OU=*,OU=*,dc=SubDomain,dc=Domain,dc=com))

Group filter by (&(objectClass=group)(memberOf=CN=GROUP,OU=*,OU=*,OU=*,OU=*,dc=SubDomain,dc=Domain,dc=com))
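
Added example (not part of the thread and not Openfire code): a Python sketch that builds the user and group `memberOf` filters above from a full group DN, applying RFC 4514 escaping to each DN component and RFC 4515 escaping to the filter value. The group names are constructed, the helper names are hypothetical, and the OU and DC values reuse the placeholders from the posts.

```python
# Added example; "XMPP Users" and "Chat (Staff), HQ" are constructed group names.
FILTER_ESCAPES = {ord("\\"): r"\5c", ord("*"): r"\2a", ord("("): r"\28",
                  ord(")"): r"\29", ord("\x00"): r"\00"}

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    if not value:
        raise ValueError("empty RDN value (an unfilled placeholder?)")
    out = ["\\" + ch if ch in ',+"\\<>;' else ch for ch in value]
    out = ["\\00" if ch == "\x00" else ch for ch in out]
    if value[0] in "# ":                     # leading '#' or space is significant
        out[0] = "\\" + value[0]
    if len(value) > 1 and value[-1] == " ":  # so is a trailing space
        out[-1] = "\\ "
    return "".join(out)                      # interior spaces pass through unchanged

def group_dn(cn, ous, dcs):
    """Build CN=<group>,OU=<innermost>,...,DC=<...> from unescaped parts."""
    parts = [("CN", cn)] + [("OU", o) for o in ous] + [("DC", d) for d in dcs]
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in parts)

def escape_filter_value(value: str) -> str:
    """Escape an assertion value for a search filter (RFC 4515)."""
    return value.translate(FILTER_ESCAPES)

def member_filter(object_class: str, dn: str) -> str:
    """Filter of the form used in the thread: class AND memberOf=<group DN>."""
    if object_class not in ("user", "group"):
        raise ValueError("unexpected objectClass")
    return f"(&(objectClass={object_class})(memberOf={escape_filter_value(dn)}))"

if __name__ == "__main__":
    for name in ("XMPP Users", "Chat (Staff), HQ"):
        dn = group_dn(name, ["DOMAIN Users"], ["DOMAINNAME"])
        print(member_filter("user", dn))
        print(member_filter("group", dn))
```
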

Are you really using wildcards in your filters? I have not been able to get wildcards to work in the user filter in the past.

Should have copied and pasted OU in each of those, I just put a * as a placeholder.

Todd Getz,

Thank you for pointing out my misconfiguration in how I used CN, and that I need to use OU=