powered by Jive Software

Problem w/ non-AD LDAP Group members

Not sure why our ldap is layed out like this, but some users have a uid in their dn, and others have an fid as follows…

fid=969597220614,ou=Staff,ou=CompanyPeople,o=Company,c=US

uid=jdoe,ou=Staff,ou=CompanyPeople,o=Company,c=US

The users w/ a uid get populated into JM groups, but the other users do not. Anything I can add to the config file to resolve this by chance?

What’‘s in your LDAP search filter? You just need to change that so it matches either type of directory entry. Mind you, do the entries with "fid"s have a uid attribute? If they don’'t, you might want to add one (or, alternatively, make an entirely new attribute for their IM screen name, add it to all entries and configure Jive to use that instead of “uid” as the usernameField).

Have a read of the LDAP guide at http://jivesoftware.org/builds/messenger/docs/latest/documentation/ldap-guide.ht ml if you haven’'t already - it explains all the stuff you can fiddle with.

Have fun,

Cos,

Here’'s how LDAP groups are populated

1)[/b] - Select the group object and return all of it’'s members

2)[/b] - Using the user searchFilter[/b], see if each user has access to JM

3)[/b] - If they pass the searchFilter[/b] test, add them to the group

So, if you searchFilter[/b] is uid=[/b], any group members that happen to be listed by their fid[/b] will not pass the searchFilter[/b] test, and therefore, won’‘t be included in a group. In other words, if a user is not listed in the User Summary page, they won’'t be in a group either.

Is this behavior what you are seeing or are you seeing something else?

Ok. Let me explain this better.

performing an LDAP query on uid=jdoe[/b] will return

uid=jdoe,ou=Staff,ou=CompanyPeople,o=Company,c=US

performing an LDAP query on uid=jsmith[/b] will return

fid=969597220614,ou=Staff,ou=CompanyPeople,o=Company,c=US

I don’'t know why our LDAP is like this, but the only users that get identified by their UID in their DN are those who were employed 7+ yrs ago. Every user added since then is identified by this FID number in their DN.

The group search is a bit problematic though. The member[/b] field of a group in our environment contains the user’'s full DN. So it only populates the users that have their UID in the their DN record (which by the way takes a very long time to load also).

Users get populated just fine in the User Summary section because each user has a UID field in their record and the search completes successfully.

What happens if you search for fid=969597220614[/b]?

I get the following error.

Sorry. No matches for fid=969597220614 and user of anonymous.[/i]

Our LDAP doesn’‘t like queries of items in the user’'s DN. Maybe that is true of other LDAPs as well.

In typical situations if a user has a DN like,

fid=969597220614,ou=Staff,ou=CompanyPeople,o=Company,c=US

They will also have fid=969597220614 as an attribute. Your situation is very irregular. But as hrothgar pointed out, the reason why these users are not being populated in groups is because a search for fid=969597220614 returns nothing. If you could populate all “fid” users with their proper fid attribute I believe that they would be populated.

since I didn’‘t post my entire LDAP section here…it wasn’'t clear for you to see the problem. I did get some internal help here and get it though.

users do have an fid[/b] field in their record, but it is hidden from anonymous queries. I didn’‘t have an adminDN and password in our config file so it wouldn’'t populate the users.

Let me explain better.

Our user summary is populated based on a uid search which we allow anonymous queries.

Our group summary populates the users based on the member field which contains the user’'s full DN. some users have their uid in the DN and others are identified by an fid. The fid cannot be queried anonymously. Once I put credentials into the config file, it correctly populated the users for all groups.

Thanks for the help!!