We're running a noticeably sized installation (~500 concurrent users) using Active Directory LDAP for user information, including "group sharing". With this we encountered an annoying issue: AD stores information about members of a group as a full DN, say:
CN=User A, OU=Department A, OU= Org, DC=example
CN=User B, OU=Department A, OU=Org, DC=example
Now when OpenFire tries to match the login name (sAMAccountName) to those names, it searches only for the first part, so it issues a search for "CN=User A". The problem is when there are two people with the same first and last name in different departments: LDAP allows this, as the full DN is unique, yet a search for just the CN does not return a single result but multiple ones, so users end up in the wrong groups. The attached patch modifies the search to look for the full DN, but as it is, from what I know, it will work only against AD.
Well, other LDAP implementations should use the same syntax/structure, I think, so it should work not only with MS AD.
I am not sure about this functional change to how ldapName is used in the search query...
Well, this fixes the issue for me, but it's a quick and dirty hack for a specific situation; indeed, it is not really suitable for all uses.
Sadly it would not work with an OpenLDAP-based tree, as distinguishedName, from what I know, is present only in AD, by default at least, and search by DN is not possible. But when you know the full DN you can just query that instead of searching; as I saw in discussions, you can do (in ldapsearch terms) -b $DN -sub one and get the values you're interested in.
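The collision described in the opening report, and the full-DN lookup suggested at the end of the thread, as an added example that is not part of the issue or of the attached patch. It runs offline against a constructed in-memory directory (the users, logins and group member values below are invented sample data; the attribute names sAMAccountName, distinguishedName and member are the standard AD ones), and contrasts the CN-only match that puts users in the wrong group with a match on the whole normalized DN.

```python
# Added example, not code from the Openfire issue or its attached patch.
# It models the group-membership lookup on a constructed in-memory directory
# so it runs offline: AD stores group members as full DNs, and resolving a
# member by its CN alone is ambiguous when two users share a CN in different
# OUs, while resolving by the whole (normalized) DN is unique.
import re
from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]

# Constructed sample users. Attribute names are the standard AD ones.
USERS: List[Dict[str, str]] = [
    {"sAMAccountName": "usera.depta",
     "distinguishedName": "CN=User A,OU=Department A,OU=Org,DC=example"},
    {"sAMAccountName": "usera.deptb",
     "distinguishedName": "CN=User A,OU=Department B,OU=Org,DC=example"},
    {"sAMAccountName": "userb",
     "distinguishedName": "CN=User B,OU=Department A,OU=Org,DC=example"},
    {"sAMAccountName": "smith.j",
     "distinguishedName": r"CN=Smith\, John,OU=Department B,OU=Org,DC=example"},
]

# Constructed 'member' values of two groups, written with the inconsistent
# spacing after ',' and '=' that the issue text shows, plus an escaped comma.
DEPT_A_MEMBERS = [
    "CN=User A, OU=Department A, OU= Org, DC=example",
    "CN=User B, OU=Department A, OU=Org, DC=example",
]
DEPT_B_MEMBERS = [
    "CN=User A,OU=Department B,OU=Org,DC=example",
    r"CN=Smith\, John,OU=Department B,OU=Org,DC=example",
]

# A comma not preceded by a backslash is an RDN separator.
_RDN_SEP = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> Tuple[RDN, ...]:
    """Split a DN into (attribute type, value) pairs.

    Handles the backslash-comma escape AD uses for commas inside a value and
    ignores whitespace around the separators. Assumption: no multi-valued
    RDNs ('+') and no other escapes, which holds for the sample data here.
    """
    rdns = []
    for rdn in _RDN_SEP.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return tuple(rdns)


def normalize_dn(dn: str) -> Tuple[RDN, ...]:
    """Canonical, hashable form of a DN: types and values lower-cased, since
    AD compares both case-insensitively. Different spellings of one DN map to
    the same tuple, and a ',' inside a value stays distinct from a separator."""
    return tuple((t, v.lower()) for t, v in parse_dn(dn))


def leading_cn(dn: str) -> str:
    """The value the CN-only search uses: just the first RDN."""
    attr, value = parse_dn(dn)[0]
    if attr != "cn":
        raise ValueError(f"leading RDN of {dn!r} is not a CN")
    return value


def members_by_cn(member_dns: List[str], users: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """The behaviour the issue describes: match each member by CN alone.
    Returns member DN -> every login whose CN matches, so collisions show up
    as lists with more than one entry."""
    by_cn: Dict[str, List[str]] = {}
    for u in users:
        by_cn.setdefault(leading_cn(u["distinguishedName"]).lower(), []).append(u["sAMAccountName"])
    return {m: by_cn.get(leading_cn(m).lower(), []) for m in member_dns}


def members_by_dn(member_dns: List[str], users: List[Dict[str, str]]) -> Dict[str, Optional[str]]:
    """The fix: match on the whole normalized DN, which the directory keeps
    unique. Equivalent to a base-scope read of the entry at the member DN.
    Returns member DN -> login, or None when no such entry exists."""
    by_dn = {normalize_dn(u["distinguishedName"]): u["sAMAccountName"] for u in users}
    return {m: by_dn.get(normalize_dn(m)) for m in member_dns}


def ambiguous_members(member_dns: List[str], users: List[Dict[str, str]]) -> List[str]:
    """Member DNs that a CN-only lookup would map to more than one account."""
    return [m for m, hits in members_by_cn(member_dns, users).items() if len(hits) > 1]


if __name__ == "__main__":
    for name, members in (("Department A", DEPT_A_MEMBERS), ("Department B", DEPT_B_MEMBERS)):
        print(name, "by CN:", members_by_cn(members, USERS))
        print(name, "by DN:", members_by_dn(members, USERS))
        print(name, "ambiguous:", ambiguous_members(members, USERS))
```

Against a live server, members_by_dn corresponds to reading the entry rather than filtering for it: `ldapsearch -b "<member DN>" -s base "(objectClass=*)" sAMAccountName` (standard ldapsearch flags, with `-s base` restricting the search to the entry at the base DN). That form needs no distinguishedName attribute to filter on, so it also applies to an OpenLDAP tree, where the login attribute would typically be uid rather than sAMAccountName; the normalization in normalize_dn is what lets the spaced and escaped member values in the group entry be matched to the user entries' DNs at all.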