Make full DN search in LDAP

Description

We're running a noticeably sized installation (~500 concurrent users) using ActiveDirectory LDAP for user information, including "group sharing". With this we encountered an annoying issue: AD stores information about members of a group as a full DN, say:

Group A
CN=User A, OU=Department A, OU= Org, DC=example
CN=User B, OU=Department A, OU=Org, DC=example

Now when OpenFire tries to match the login name (sAMAccountName) to those names it searches only for the first part, so it issues a search for "CN=User A". The problem arises when there are two people with the same first and last name in different departments: LDAP allows this, as the full DN is unique, yet a search for just the CN does not return a single result but multiple, so users end up in the wrong groups. The attached patch modifies the search to look for the full DN, but as it is, from what I know, it will work only against AD.
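The ambiguity described above, as an added illustration that is not Openfire code or the attached patch: the group member values and the login-to-DN directory below are constructed, and the DN parser handles only the simple string form used in these samples (no multi-valued RDNs or escaping).

```python
"""Why matching an AD group member by its CN alone is ambiguous, while
matching the full, normalized DN identifies exactly one account."""
from typing import Dict, List, Tuple

# Constructed sample data modelled on the report. The member values keep the
# stray whitespace from the report ("OU= Org") to show that comparison must
# normalize the DN string before matching.
GROUP_A_MEMBERS = [
    "CN=User A, OU=Department A, OU= Org, DC=example",
    "CN=User B, OU=Department A, OU=Org, DC=example",
]
# sAMAccountName -> distinguishedName (constructed); two accounts share a CN.
DIRECTORY = {
    "usera.deptA": "CN=User A,OU=Department A,OU=Org,DC=example",
    "usera.deptB": "CN=User A,OU=Department B,OU=Org,DC=example",
    "userb": "CN=User B,OU=Department A,OU=Org,DC=example",
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDNs. Whitespace around '=' and ',' is
    trimmed and both parts are case-folded, since DN matching in AD is
    case-insensitive."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        rdns.append((attr_type.strip().casefold(), value.strip().casefold()))
    return rdns


def normalize_dn(dn: str) -> str:
    return ",".join(f"{t}={v}" for t, v in parse_dn(dn))


def cn_of(dn: str) -> str:
    return parse_dn(dn)[0][1]  # first RDN value, e.g. "user a"


def members_by_cn(members: List[str], directory: Dict[str, str]) -> Dict[str, List[str]]:
    """Current behaviour: search on the first RDN only, so a shared CN
    resolves to several accounts."""
    return {m: sorted(login for login, dn in directory.items() if cn_of(dn) == cn_of(m))
            for m in members}


def members_by_dn(members: List[str], directory: Dict[str, str]) -> Dict[str, List[str]]:
    """Patched behaviour: compare the normalized full DN, which is unique."""
    return {m: sorted(login for login, dn in directory.items()
                      if normalize_dn(dn) == normalize_dn(m))
            for m in members}
```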

Environment

AD LDAP

Activity

wroot
April 20, 2012, 7:52 PM

Well, other LDAP implementations should use the same syntax/structure, I think, so it should work not only with MS AD.

Daryl Herzmann
April 21, 2012, 2:33 AM

I am not sure about this functional change to how ldapName is used in the search query...

viq
April 24, 2012, 1:17 PM

Well, this fixes the issue for me, but it's a quick and dirty hack for a specific situation; indeed it is not really suitable for all uses.

Sadly it would not work with an OpenLDAP-based tree, as distinguishedName, from what I know, is present only in AD, by default at least, and search by DN is not possible. But when you know the full DN you can just query that instead of searching; as I saw in discussions, you can do (in ldapsearch terms) -b $DN -sub one and get the values you're interested in.

Incomplete

Assignee

Guus der Kinderen

Reporter

wroot

Expected Effort

None

Components

Affects versions

Priority

Minor