Status/presence with LDAP rosters

Gaston

I am not able to provide you with VM image, but I have added a new comment to Jira, where you can find a sample LDIF, which reflects the Active Directory content I use as user registry for Wildfire. Note that I included only essential attributes.

Ilya Kanonirov

Last weekend I tried to update Wildfire from 2.5.0 to 2.5.1 in both ways: upgrading the existing instance and installing it from scratch (using the embedded HSQLDB). In spite of a promising bugfix JM-584 and many others, presence update still does not work.

Gaston, I am really interested in the fix. Does the information I provide you with help in resolving the issue at all?

Ilya Kanonirov

Okay, my colleagues decided to debug Wildfire 2.5.1 in Eclipse, so I have some new info for you.

org.jivesoftware.wildfire.roster.Roster.broadcastPresence(Roster.java:469)

if (item.getSubStatus() == RosterItem.SUB_BOTH

|| item.getSubStatus() == RosterItem.SUB_FROM) {

We changed the second condition to item.getSubStatus() == RosterItem.SUB_TO, and we got it working; I mean the roster owner’s presence is updated for each roster item.

You guys should check this place carefully.

I really hope this helps you to find out the cause of the problem.

Ilya Kanonirov

Hey Ilya,

After seeing your modification I infer that the subscription status is TO between your users instead of BOTH (if they should be able to see each other). Having an incorrect in wildfire.xml has the correct value based on your LDAP configuration?

Another thing you might also want to do is remove from the jiveRoster table all entries that were incorrectly generated due to old shared group problems the server was having. Basically, you should have to detect entries that were not added to the user to his roster and remove them. As always, make sure to have a backup of the db (and that the server is stopped) before doing any db modifications.

Regards,

– Gato

Gaston, thank you for the response.

Yes, since we use AD, the users are stored by their entire DN inside groups, e.g. “member: CN=Kanonirov, Ilya O.,OU=General Department,OU=Office,DC=acme,DC=com”

So the ldap.posix mode is not present in wildfire.xml at all (i.e. has the false value). I see all users in groups as expected through Wildfire Admin Console.

I will re-install the Wildfire 2.5.1 from scratch, re-check the problem and get back to you with results.

Ilya Kanonirov

This change also seems to have resolved my WF presence issues. Testing the changes now but so far, so good. Will report back if there are any negative results.

WF 2.5.1 on SLES 9 (using W2K3 AD LDAP and Mysql DB)

Spark 1.1.2 on Linux, Windows, OSX

Pandion 2.5 on Windows

Gajim 0.9.1 on Linux

Gush 1.3 on Windows, 1.2 on Linux

Gaston

The clean installation of Wildfire 2.5.1 does not help. The problem still exists.

Please be aware of this fact.

Ilya Kanonirov

We’ve upgraded to 2.5.1 and still have the problem. We also deleted the contents of the jiveroster and jiveusergroup tables (with the server shut down). Still no change in this behaviour.

Our POSIX mode is set like:

Groups and their members appear just fine in both the admin console and the clients, but presence information is not updated. This is on an up-to-date SuSE Pro 9.3 box using a PostgreSQL database and OpenLDAP DSA.

A group looks like:

dn: cn=training,ou=Groups,ou=JIVE,ou=SubSystems,o=Morrison Industries,c=US

cn: training

businessCategory: jiveGroup

objectClass: groupOfNames

objectClass: top

member: cn=Carl Barnosky,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c= US

member: cn=Rick Dirkse,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US

member: cn=Mark Hauger,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US

member: cn=David Satterlee,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US

member: cn=Jeffery Webster,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US

member: cn=Dale Ward,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US

member: cn=Lewis Gaddie,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US

member: cn=Anthony Hoag,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US

An above message contains the quote:

After seeing your modification I infer that the subscription status is TO between your

users instead of BOTH (if they should be able to see each other). Having an incorrect

before doing any db modifications.

How does one “detect entries that were not added to the user to his roster”? The fields of the table contain codes, but it is not clear what each code means to the server in terms of subscription.

We’ve tried dumping all the contents of jiveRoster but that doesn’t seem to have affected this issue.

After having read this post, I think I’m getting very near to the problem with non-working status/presence updates with LDAP.

Following situation:

I’m running 2 different wildfire/jive servers with different LDAP servers.

Main differences are first one (A) has only one group, second one (B) several groups - all shared as individual rosters.

The probably important thing is, the LDAP servers are organized quite differently.

Server A: (still version 2.3.0)

I’m like all others in shared group “Group1” and presence-updates look to work.

Using Psi as client, selecting any user doing “Check Status” it says:

“Subscription: both”

Server B: (2.5.1 or either build 20060315)

Let me be in “Group2”. Doing “Check Status” on either a user in the same group or another it says:

“Subscription: to”

(Surely, on neither server or case, there was made any subscription/authorization by hand.)

As stuff is working with Server A, I’ll just go a bit deeper with configuration of server B:

ldap-config:

"

e.g.: uniqueMember = “uid=userxyz”

That is the reason I have to set posix to false, because when setting it to true, it can’t find the members for the groups, and all groups are empty.

I know the LDAP setup is a bit nasty, and I’ll try to have it improved.

May this be the reason for all the problems and how could it be solved?

The different Subscription types look very suspicious.

Just tested 2.6.0 and with that groups don’t work at all anymore.

For some reason, wildfire cuts the last character of the usernames.

My setup is still as within the post above, error message is:

2006.04.07 17:28:08 [org.jivesoftware.wildfire.roster.Roster.(Roster.java:148)] Groups () include non-existent username (klfi0)

But the username actually is klfi01.

Let me be in “Group2”. Doing “Check Status” on either a user in the same

group or another it says: “Subscription: to”

I see this in PSI, a check status says “Subscription: to”. Is there a way to forcibly change this?

Users records are: cn=Full Name,dc=domain,dc=org

The actual username is stored on every user-record as attribute: “uid”

e.g.: uid = “userxyz”

Same here.

Group records are: ou=Group1,dc=domain,dc=org

The group members are stored as attribute: “uniqueMember”

The value of an attribute “uniqueMember” is: "uid=e.g.: uniqueMember = “uid=userxyz”

Well, that looks clearly wrong; but our setup is not that way. “member” attributes contain the VALID DNs of the user objects, and it still doesn’t work. (The groups work, but presence notification of group members does not).

Just tested 2.6.0 and with that groups don’t work at all anymore.

For some reason, wildfire cuts the last character of the usernames.

Do you know if this was fixed in 2.6.1? The changelog doesn’t seem to mention anything like this.

I upgraded to wildfire 2.6.0. All clients are using spark 1.1.3. wildfire is installed on fedora 5 with mysql. we are using ldap integration (windows 2003 DC). we are having presence issues. It seems random. One day, you can’t see this user, the other day, you can’t see a different user. Our users are getting frustrated. Please help.

I’ll throw this in here, on the off chance that it might give some more info.

Running into this as well, variety of clients involved, Novell eDirectory for the LDAP server (which I haven’t seen anyone mention, yet, so that would tend to indicate that it’s not anything inherent about the specific LDAP servers involved).

The problem manifests itself here as occasional presence updates not getting sent to the clients correctly. As with others, the sessions page shows the correct presence, and logging the client out and back in, gets the updated presence. In Psi, hovering over the contact shows “Subscription: to” for those people added through the shared roster group (I only have one group that matches my groupSearchFilter…seemed the best way to limit the impact on the LDAP server). No posixMode entry in my properties or config file, all objects in the LDAP tree are referenced by full DNs.

Wildfire version 2.6.1 is what I’m running.

I wouldn’t say this is a show-stopper bug for us (we’re new, corporately, to using an IM system as an official service of the company in general), but it is quite annoying.

Jeff

xmpp:jmcadams@appriss.com

Hey Jeff,

Can you provide more information about your shared groups configuration? Are they public, only visible to group members, to other groups, etc.? Which users are having trouble getting the presence of which other users? All this information will help me better reproduce the problem. BTW, is this problem reproducible? Do you see any error in the log files?

Thanks,

– Gato

Ah, I knew there was info that I meant to include that I didn’t.

Like I said, I only have one group that is getting past my groupSearchFilter:

groupname of “Users” (obviously)

That group is set as “Show group in all users’ rosters.”

I’m only losing presence updates occasionally, and I haven’t found any particular pattern to who I lose them on.

The problem is sort of reproducible…it seems that I can look at my client and it rarely matches up with the presence information in the admin console…but I haven’t been able to build a scenario where I can reliably change the presence on one user and have it not show up at another…but, then, I haven’t had much time to really try to develop something like that, yet, either.

I see nothing in any of the logs that seems even the slightest bit relevant. :confused:

Jeff

We’ve also upgraded to 2.6.1 and still see the same issue; groups are set to “show in all users rosters”, and they do, with correct membership, but presence notification does not occur.

Our POSIX mode is set like:

Groups and their members appear just fine in both the admin console and the clients, but presence information is not updated. This is on an up-to-date SuSE Pro 9.3 box using a PostgreSQL database and OpenLDAP DSA.

A group looks like:

dn: cn=training,ou=Groups,ou=JIVE,ou=SubSystems,o=Morrison Industries,c=US

cn: training

businessCategory: jiveGroup

objectClass: groupOfNames

objectClass: top

member: cn=Carl Barnosky,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c= US

member: cn=Rick Dirkse,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US

member: cn=Mark Hauger,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US

member: cn=David Satterlee,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US

member: cn=Jeffery Webster,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US

member: cn=Dale Ward,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US

member: cn=Lewis Gaddie,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US

member: cn=Anthony Hoag,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US

I am also seeing this problem on 2.6.2, obviously the bug isn’t fixed or has been re-introduced…

Platform: RHEL 4

Version: 2.6.2 RPM

Ldap: MS AD 2003

Clients: Gaim, Neos

Preconfigured rosters based on Ldap groups.

I have run the server with posixMode on and off with no change. LDAP authentication works fine, and I can see the users logged in via the console as others can, but when they log in, I can’t see their status get updated in the client.

The workaround sounds a bit tedious, create groups within wildfire, yuck…

<groupSearchFilter> <![CDATA[(&(member=)(objectClass=group)(sAMAccountName=GroupPrefix*))]]>

I have changed the following in the source, and I think it should work (back assed hack…). Previously, the subscription type was set to “To” for all users in the shared public groups. This is now forcing all users that belong to shared groups to have a subscription type of both.

<<<< Roster.java, Line 109

RosterItem item = new RosterItem(jid, RosterItem.SUB_BOTH, RosterItem.ASK_NONE,

<<<<

I think that the true problem may be with the rosterManager.hasMutualVisibility function. For some reason I think it just may not like the groups.

<<<< Roster.java, Starting Line 123

if (rosterManager.hasMutualVisibility(username, userGroups, jid, itemGroups)) {

item.setSubStatus(RosterItem.SUB_BOTH);

}

<<<<

Example of current groups and setup.

Users A, B C D are members of group Techs

Users E F G H are members of group Geeks

Both groups reside in AD and are named with the same Group Display name as their AD name.

Both groups are shared in all users Rosters.

User A is logged in and sees the subscription type is “To:” for everyone that is a member of either group, Ditto with all other users.

Now with this hack, they will see the subscription type is Both, and the packets should make their way (Haven’t tested it yet, but will post more tomorrow!)

I will work on an LDAP structure to see if I can reproduce using OpenLdap as the backend. I do run Vmware server beta, so I may create an image if needed.

Doug
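
The subscription logic discussed in the posts above, as an added example that is not Wildfire source code and not from any poster: a small model of how a shared-group roster item ends up as “to” or “both”, and which contacts then pass the FROM/BOTH test quoted from broadcastPresence. The class, record and method names are hypothetical, the group data is constructed from the Techs/Geeks example, and it needs Java 16 or later.

```java
import java.util.*;

// Added illustration (Java 16+). Sub, Group and the methods are hypothetical names, not Wildfire classes.
public class SharedRosterPresence {
    enum Sub { TO, FROM, BOTH }

    // Constructed model of a shared group: its members and whether it is shown in all users' rosters.
    record Group(String name, Set<String> members, boolean shownToAll) {}

    // True when the members of g are pushed into viewer's roster.
    static boolean sees(String viewer, Group g) {
        return g.shownToAll() || g.members().contains(viewer);
    }

    // Owner's shared roster: BOTH when the contact also sees the owner, otherwise TO.
    static Map<String, Sub> roster(String owner, List<Group> groups) {
        Map<String, Sub> items = new TreeMap<>();
        for (Group g : groups) {
            if (!sees(owner, g)) continue;
            for (String contact : g.members()) {
                if (contact.equals(owner)) continue;
                boolean mutual = groups.stream()
                        .anyMatch(x -> x.members().contains(owner) && sees(contact, x));
                items.merge(contact, mutual ? Sub.BOTH : Sub.TO, (a, b) -> a == Sub.BOTH ? a : b);
            }
        }
        return items;
    }

    // Same test as the broadcastPresence condition quoted in the thread: FROM or BOTH.
    static List<String> presenceRecipients(Map<String, Sub> roster) {
        return roster.entrySet().stream()
                .filter(e -> e.getValue() == Sub.BOTH || e.getValue() == Sub.FROM)
                .map(Map.Entry::getKey).toList();
    }

    public static void main(String[] args) {
        Set<String> techs = Set.of("A", "B", "C", "D"), geeks = Set.of("E", "F", "G", "H");
        // Case 1: both groups shown in all rosters, as in the post above.
        List<Group> open = List.of(new Group("Techs", techs, true), new Group("Geeks", geeks, true));
        System.out.println(presenceRecipients(roster("A", open)));
        // Case 2: Techs visible to its members only; E..H must not receive A's presence.
        List<Group> mixed = List.of(new Group("Techs", techs, false), new Group("Geeks", geeks, true));
        System.out.println(roster("A", mixed));
        System.out.println(presenceRecipients(roster("A", mixed)));
    }
}
```

In case 2 the items for E through H stay at TO, so A receives their presence while they do not receive A's. With every shared item forced to BOTH, those four users would also be sent A's presence even though the Techs group is not visible to them.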