Hello,
I hope this is the right place to report a problem with LdapGroupProvider in Openfire 3.9.3.
SUMMARY: Active Directory users with a duplicate display name are not listed properly in a group. The account list is reduced to the first matching entry. For example, the following three entries:
CN=John Doe,OU=OU1,DC=example,DC=com
CN=John Doe,OU=OU2,DC=example,DC=com
CN=John Doe,OU=OU3,DC=example,DC=com
will result in only the first user being listed, with the other two dropped.
The problem appears to be in the LdapGroupProvider::processGroup function, where a search is performed using essentially only the first part of the DN, without checking for multiple results.
    // Create an LDAP name with the full DN.
    LdapName ldapName = new LdapName(username);
    // Turn the LDAP name into something we can use in a
    // search by stripping off the comma.
    StringBuilder userFilter = new StringBuilder();
    userFilter.append("(&(");
    userFilter.append(ldapName.get(ldapName.size() - 1));
    userFilter.append(")");
    userFilter.append(MessageFormat.format(manager.getSearchFilter(), "*"));
    userFilter.append(")");
    NamingEnumeration usrAnswer = ctx.search("",
            userFilter.toString(), searchControls);
    if (usrAnswer != null && usrAnswer.hasMoreElements()) {
        Attribute usernameAttr = ((SearchResult) usrAnswer.next()).getAttributes().get(manager.getUsernameField());
        if (usernameAttr != null) {
            // The problem is here, when the search returns multiple results. The line below truncates all duplicate entries into one account.
            username = (String) usernameAttr.get();
        }
    }
It looks like this logic is incorrect. I hope someone can help fix this.
I apologize if this is an already known issue.
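The collision described above, as an added example that is not part of the original post or of Openfire's code. The directory is an in-memory stand-in constructed here (four entries, the three DNs from the report plus one unrelated user, with made-up usernames jdoe1, jdoe2, jdoe3 and jroe); searchByLeafRdn plays the role of ctx.search with the filter built from ldapName.get(size - 1); resolveFirstHit mirrors the logic quoted above; resolveByFullDn is a hypothetical fix, not the one the project shipped. Only the JDK's javax.naming.ldap.LdapName is used, so it runs without an LDAP server.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class DuplicateRdnDemo {

    /** Stand-in for one LDAP SearchResult: the entry's DN and its username attribute. */
    static final class Entry {
        final String dn;
        final String username;
        Entry(String dn, String username) { this.dn = dn; this.username = username; }
    }

    /** Constructed sample directory (hypothetical usernames); the three "John Doe" DNs are the ones from the report. */
    static final List<Entry> DIRECTORY = List.of(
        new Entry("CN=John Doe,OU=OU1,DC=example,DC=com", "jdoe1"),
        new Entry("CN=John Doe,OU=OU2,DC=example,DC=com", "jdoe2"),
        new Entry("CN=John Doe,OU=OU3,DC=example,DC=com", "jdoe3"),
        new Entry("CN=Jane Roe,OU=OU1,DC=example,DC=com", "jroe"));

    /** Leaf RDN of a DN, e.g. "CN=John Doe"; LdapName indexes from the root, so this is get(size - 1). */
    static String leafRdn(String dn) throws InvalidNameException {
        LdapName name = new LdapName(dn);
        return name.get(name.size() - 1);
    }

    /**
     * Stand-in for ctx.search("", "(&(CN=John Doe)<searchFilter>)", subtreeControls): a subtree
     * search keyed on the leaf RDN alone, so every entry sharing that RDN is returned, whatever its OU.
     */
    static List<Entry> searchByLeafRdn(String rdn) throws InvalidNameException {
        List<Entry> hits = new ArrayList<>();
        for (Entry e : DIRECTORY) {
            if (leafRdn(e.dn).equalsIgnoreCase(rdn)) {
                hits.add(e);
            }
        }
        return hits;
    }

    /** The logic from the report: take the first result and ignore the rest. */
    static String resolveFirstHit(String memberDn) throws InvalidNameException {
        List<Entry> hits = searchByLeafRdn(leafRdn(memberDn));
        return hits.isEmpty() ? null : hits.get(0).username;
    }

    /**
     * Hypothetical fix: walk every result and keep only the entry whose full DN equals the member DN.
     * LdapName.equals compares RDN by RDN, case-insensitively and ignoring insignificant whitespace,
     * so "cn=john doe, ou=ou2, dc=example, dc=com" still matches the second entry.
     */
    static String resolveByFullDn(String memberDn) throws InvalidNameException {
        LdapName wanted = new LdapName(memberDn);
        for (Entry e : searchByLeafRdn(leafRdn(memberDn))) {
            if (new LdapName(e.dn).equals(wanted)) {
                return e.username;
            }
        }
        return null;
    }

    /** Resolve a group's member DNs to a set of usernames; a Set is what makes the duplicates collapse to one. */
    static Set<String> groupMembers(List<String> memberDns, boolean fixed) throws InvalidNameException {
        Set<String> members = new LinkedHashSet<>();
        for (String dn : memberDns) {
            String username = fixed ? resolveByFullDn(dn) : resolveFirstHit(dn);
            if (username != null) {
                members.add(username);
            }
        }
        return members;
    }

    public static void main(String[] args) throws InvalidNameException {
        List<String> groupMemberDns = List.of(
            "CN=John Doe,OU=OU1,DC=example,DC=com",
            "CN=John Doe,OU=OU2,DC=example,DC=com",
            "CN=John Doe,OU=OU3,DC=example,DC=com");

        System.out.println("first hit only : " + groupMembers(groupMemberDns, false));
        System.out.println("full DN match  : " + groupMembers(groupMemberDns, true));
    }
}
```

Against a real DirContext the same comparison is made with SearchResult.getNameInNamespace() for each result instead of the stand-in's dn field. An alternative that avoids the ambiguity altogether is to pass the member DN itself as the search base with SearchControls.OBJECT_SCOPE, which returns at most that one entry. Whichever way the filter is built, an RDN value copied into it should be escaped per RFC 4515 (parentheses, asterisk, backslash and NUL), since the value comes straight out of the directory.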