
Users online in "Users" tab, but not in "Groups" tab

My users are able to login successfully, and I can see them logged in the “User Summary”, but when I look at a group that they are in, they are offline. They, obviously, cannot see any other users in their roster, either.

Each user has a red asterisk next to their “path” in the group summary that says this:

  • Note: Remote users or entities should accept presence subscriptions automatically.

Each user is listed this way: " cn=(username),ou=accounts,dc=xxx,dc=xx,dc=xxx@bl-libg-ghost * "

(The domain info is removed) Is the @servername supposed to be on there?

I’m experiencing a similar issue. I have some users that have blank rosters. They’re able to log in without issue, but no one is in their roster.

My setup is Active Directory 2003 servers, OpenFire 3.5.1 (upgraded 04/29 to see if it would help, was 3.5.0) & SQL2000.

Example: I can have 2 users in the same OU and members of the same security groups; one will work fine with the roster populated and the other will have it blank. Digging into this, I found that if I go view the user in User Summary, I can see their Group Memberships, which update with AD changes, but when I check the Roster it’s empty? When I check in Group Summary, either the account is not a member of the group or has the red asterisk (* Note: Remote users or entities should accept presence subscriptions automatically.) and shows no presence.

To me it would seem that the Roster membership is not being updated with AD changes. I’ve read through some similar posts but haven’t found any remedy to this issue. Any pointers or help would be appreciated… if I missed any important information let me know and I’ll post it.


Do you have computer accounts with the same names as these user accounts in AD?

If yes, rename these computer accounts and then try again.

Computer accounts and user accounts do not match in any instance. I did not mention, however, that agents having the issue or empty roster are using Spark via Citrix. That being said, it does not matter if they are using Spark via Citrix or a local machine. I also get the issue when creating new accounts. Contacts won’t show up for the user even if I add them manually from the Console User Roster… still digging. This issue is hindering my deployment to a new server we set up specifically for IM. We were running WildFire with a local DB (non AD integrated) without issue for approx 2 years. We ran OpenFire for the past 6 months without issues until we moved the largest group over… they started reporting empty rosters.

Any help or pointers appreciated… I feel comfortable with coding and SQL so can head down that road as well… just need a map ;o)

OK… if I create an account on the DC the OpenFire service is configured to, wait about an hour, then log in to Spark using the new account, I get a roster. If I attempt to log in to Spark right after creating the account, I am able to authenticate, but get no roster. Once this happens (no roster) there is nothing I can do to get this corrected other than delete the account and create it from scratch following the above procedure.

I’m not sure of the correlation between AD and SQL tables, but it would seem that there is a lag between the time OpenFire pulls the information from AD. Thus when I login before this “pull from AD” takes place, I get empty roster since the data tables are empty??

I’m scratching my head any info would be appreciated… tks muchly

I’m still having this issue and I’m sure someone out there has experienced something similar. Running AD, OF 3.5.1 and Spark 2.5.8, and some newly set up accounts are able to log in but have nothing in their rosters. Newly set up accounts are those that have been added to specific OF Security Groups to manage access to the server and Rosters. When I check the server console, in the user properties of a “blank roster” user that is logged in, I see the proper groups they are a member of in AD; however, when I view the Roster of that person it is empty. Users can, however, use the search function to add a “friends” list.

This is becoming more and more frequent as we’re moving users off the old WildFire server to the new OpenFire server that’s AD integrated. I had to put a hold on migration until this issue is resolved… Needless to say, this is getting pretty frustrating. To bandaid the issue, as I noted above, I created a new AD account for the affected user and let it sit for an hour or so before letting the user log in, and then all was fine. This is not an option going forward as we have too much tied into AD accounts, and quite frankly it is not a solution.

Someone out there must have experienced the same or similar instance? I’m open to any hints or pointing in the right direction. If I need to provide any specific information to help troubleshoot please let me know… Thanks.

Issue is resolved…

In our environment, it is possible that 1 user has several accounts in different OUs. Although the AD login is unique, this caused duplicate sAMAccountNames (the Name field in ADUC). If there is a duplicate sAMAccountName, it looks like OF cannot figure out which account to use and thus cannot pull the user’s information. To correct this issue we’ve renamed the sAMAccountName to be unique rather than try and pull from another field.

Hope this is helpful for other users…:wink:

I am having the exact problem on my implementation as well.

My users sometimes see their Rosters and sometimes they don’t.

I am really having difficulty in figuring out how to solve this as I am not very well versed in LDAP\AD customization and someone else in our department does that. I went to them and advised them to see if duplicate sAMAccountNames are present in the AD, and we couldn’t find any.

Would you mind explaining how you were able to find the duplicate sAMAccountNames, and what steps you performed (queries, changes etc.) to change the sAMAccountName? Bear in mind we have more than 500 employees, so going in and changing all the sAMAccountNames is frustrating, but the main question is how to find out if I am having duplicate sAMAccountNames and how to change these if duplicates exist.

It was tedious at first and I know how you feel, since we have about 800 current IM users and continuing. How we correct it now is to do a user search in ADUC for an affected user; for example, I would query John Smith. If this person has more than 1 account they will all show up. The sAMAccountName = the Name column in the query results window. This field needs to be unique.

In our particular example we have users with 2 accounts: Office account and Home account, won’t get into logistics, but that’s how it is ;o) Our issue was even though the AD Login ID was unique, the “Name” or “sAMAccountName” was not which seems to confuse OpenFire and produces blank roster. Rename one of the “Name” fields so it’s unique and have the end user reboot and all should be well.

I’ve received lots of help from this community so if I can assist in any way to give back let me know. Hope this helps.


Thanks for the reply man.

In my scenario, this doesn’t seem to be the case. When I searched for the affected user, the search came back with only one account, unless I am performing the search in some wrong way. I perform a search by using the custom search facility in ADUC. Do you have some different way?

It sounds like we all have similar issues, but is everyone also seeing the same issue with the names showing up in the group screen with this:

  • Note: Remote users or entities should accept presence subscriptions automatically.

Each user is listed this way: " cn=(username),ou=accounts,dc=xxx,dc=xx,dc=xxx@bl-libg-ghost * "

Okay, so it seems that we are all just sitting here, with no answer.

Let me refine my original post to try to provoke an answer out of somebody. If I go to the Users tab, I see ALL of the users, and those that are online. That screen works perfectly. If I go to the Groups tab, navigate to an AD group that those online users are in, it shows them as OFFLINE. Therefore, they obviously aren’t showing up in each others’ rosters, as they are offline according to the server.


Ok, I know this is a bit late to the party, but I resolved my issue, which may be causing your issues. * Note: Remote users or entities should accept presence subscriptions automatically. The problem I had was that another Admin had merged two OUs and renamed them with a \ in the middle of the name. Bosses are smrt. I renamed the group from \ to - and that solved my issue. After I did this I didn’t have any LDAP errors. Also, for the Java programmers, I figured out that the object called on the *Note~ error is the group.edit.note object. I couldn’t track it back any farther.


You may have a weird OU name that causes problems.
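
A way to run both checks raised in this thread (the same name on accounts in different OUs, and an OU name containing a backslash) across a whole directory instead of one ADUC search at a time. This is an added example, not part of the original posts and not Openfire code; it assumes the user objects have been exported to LDIF text (for example with `ldifde`), and the sample entries and function names are constructed for illustration.

```python
import base64
import re
from collections import defaultdict

# Constructed sample in LDIF form; not data from the thread.
SAMPLE_LDIF = r"""
dn: CN=John Smith,OU=Office,DC=example,DC=com
cn: John Smith
sAMAccountName: jsmith

dn: CN=John Smith,OU=Home,DC=example,DC=com
cn: John Smith
sAMAccountName: jsmith-home

dn: CN=Ann Lee,OU=Sales\\Support,DC=example,DC=com
cn: Ann Lee
sAMAccountName: alee
"""

def parse_ldif(text):
    """Return one dict per entry (lower-cased attribute -> first value)."""
    text = re.sub(r"\r?\n ", "", text)  # unfold LDIF continuation lines
    entries = []
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.strip().lower(), value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def duplicates(entries, attr):
    """Map each value of attr held by more than one entry to those entries' DNs."""
    seen = defaultdict(list)
    for e in entries:
        if attr.lower() in e:
            seen[e[attr.lower()].lower()].append(e["dn"])
    return {v: dns for v, dns in seen.items() if len(dns) > 1}

def escaped_rdns(entries):
    """List (dn, rdn) for every DN component that contains a backslash escape."""
    hits = []
    for e in entries:
        for rdn in re.findall(r"(?:\\.|[^,\\])+", e["dn"]):  # split on unescaped commas
            if "\\" in rdn:
                hits.append((e["dn"], rdn))
    return hits
```

Call `duplicates(parse_ldif(text), "cn")` and the same with `"sAMAccountName"` to see which attribute actually collides; `escaped_rdns` also reports names with escaped commas, which are worth reviewing alongside backslashes.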