We use LDAP integration with our Openfire implementation. Our organization commonly uses groups within groups that we pull into Openfire. In the group lists in the admin console, I can see that the child groups are actually considered users, even though they’re not in the general user list. This is causing Openfire to spit out the following types of errors in the logs:
2008.09.04 10:06:02 [org.jivesoftware.openfire.roster.Roster.(Roster.java:177)] Groups ([xxxxx]) include non-existent username (yyyyy)
2008.09.04 10:06:03 [org.jivesoftware.openfire.roster.Roster.(Roster.java:177)] Groups ([xxxxx]) include non-existent username (zzzzz)
2008.09.04 10:06:03 [org.jivesoftware.openfire.roster.Roster.(Roster.java:177)] Groups ([aaaaa]) include non-existent username (bbbbb)
This is causing our logs to become very, very large, as it is constantly writing these errors. Is there any way to prevent or ignore these errors or somehow not have Openfire pull in other group names within an LDAP group?
Currently Openfire does not support nested groups. You should only use groups that contain just users. This may come in later versions of Openfire.
Thank you for the clarification. I had a feeling that was the case. Is there any way to tell Openfire to ignore these errors, or is this simply something we’re going to have to deal with?
There is no way that I am aware of to tell Openfire to ignore this. What I did to overcome this was move my groups to a location in my directory tree outside the scope of my BaseDN (this will generally have no effect on your groups). Then I created a new OU within the BaseDN for groups specifically created for Openfire. In my structure I have 5 main OUs in the root of the tree: UserAccounts, UserComputers, UserGroups, UserResources, and SecondaryAccounts. I target UserAccounts for my BaseDN, and have created my Openfire groups OU there. By re-organizing my directory in such a way I have eliminated the problems of computers and unwanted accounts/groups showing in Openfire. The reorganization also allowed me to eliminate invalid characters from my tree. Since the structure of a tree is virtual, there is very little to worry about when doing a re-organization. My only concern was maintaining policy links, which this structure made much easier.
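For anyone planning the same clean-up, here is an added example (not code from any poster in this thread or from the Openfire project) that reduces the repeated roster warnings quoted above to a de-duplicated list of which groups contain which unresolved member entries, so the nested groups to relocate are visible at a glance. The group and member names in the sample are constructed, and the parser assumes that several groups inside the square brackets are comma-separated.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format quoted in the thread; all names are made up.
PREFIX = "[org.jivesoftware.openfire.roster.Roster.(Roster.java:177)]"
SAMPLE_LOG = [
    f"2008.09.04 10:06:02 {PREFIX} Groups ([staff]) include non-existent username (helpdesk-team)",
    f"2008.09.04 10:06:03 {PREFIX} Groups ([staff]) include non-existent username (helpdesk-team)",
    f"2008.09.04 10:06:03 {PREFIX} Groups ([staff, engineering]) include non-existent username (build-admins)",
    "2008.09.04 10:06:04 unrelated line that must be skipped",
]

# Timestamp, bracketed logger location, then the warning text shown in the thread.
WARNING = re.compile(
    r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} \[[^\]]*\] "
    r"Groups \(\[(?P<groups>[^\]]*)\]\) include non-existent username \((?P<member>.*)\)\s*$"
)

def count_warnings(lines):
    """Count warnings per (group, unresolved member) pair; other lines are ignored."""
    counts = Counter()
    for line in lines:
        m = WARNING.match(line)
        if not m:
            continue
        # Assumption: multiple groups are listed comma-separated inside the brackets.
        for group in m.group("groups").split(","):
            group = group.strip()
            if group:
                counts[(group, m.group("member"))] += 1
    return counts

def members_by_group(counts):
    """Map each group to the sorted list of member entries Openfire could not resolve."""
    result = defaultdict(set)
    for group, member in counts:
        result[group].add(member)
    return {g: sorted(ms) for g, ms in sorted(result.items())}

if __name__ == "__main__":
    counts = count_warnings(SAMPLE_LOG)
    for group, members in members_by_group(counts).items():
        print(group, "->", ", ".join(members))
    print(sum(counts.values()), "warning entries,", len(counts), "distinct pairs")
```

Pass the lines of the real log file to `count_warnings` in place of `SAMPLE_LOG`; the per-pair counts also show how much of the log volume each nested group accounts for.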