Solved

AD User account not found in GC search on port 3268

Posted on 2009-02-24
Last Modified: 2013-12-24
Hello all -
have a 3rd party application that queries our 2003 Active directory domain for User account information.  I have configured the application to query port 3268.  I have set the Base DN: to the root of the forest.  
I can search every user in the forest successfully except  4 random User accounts that are not found by the application.  The accounts are active and I see nothing peculiar about them in ADSIEdit.  The accounts vary in age (3 are over 5 years old and the other is less than 6 months)
If I change the port to 389, and point the Base DN: to the child domain the accounts reside in, they are found by the application. (389 finds all accounts in child domain plus the 4 'trouble' accounts)
I have tried querying many different GC's in our organization all with the same results (finds all other domain accounts except these 4...)
It seems that there is something preventing these 4 accounts from being found in a Global Catalog search (3268).
Any ideas or pointers for trouble shooting this is VERY much appreciated.
Question by:Globalknowledge
24 Comments
 
LVL 7

Expert Comment

by:Dusan_Bajic
ID: 23725053
Are there multiple domains in the forest? If so, do you get the same result when you query GC on DC where accounts reside?
0
 

Author Comment

by:Globalknowledge
ID: 23725114
there are multiple domains in the forest (6 total) and the same results occur on any Global Catalog DC in any of those domains - including the root. Port 389 resolves the 4 people (and other users in the specified Base DN) but 3268 still represses just those 4 users.

I suspect that there are other users that will pop up with the same issue at a later date, but these are the only identified ones thus far.
0
 
LVL 7

Expert Comment

by:Dusan_Bajic
ID: 23725472
Are users active and experience no problems? Can you recall anything unusual being done with these accounts (restoring from backup or something like that?)
0
 
LVL 2

Expert Comment

by:moorereason
ID: 23725597
Can you tell what LDAP query the application is making?  Can you verify the results with a manual query (i.e. with something like the Softerra LDAP Browser)?
0
 

Author Comment

by:Globalknowledge
ID: 23725610
All of the users are working correctly, appear in the Global Address List (Exchange) and have no issues accessing domain resources.  As far as the Users are concerned, they are experiencing no issues.  The accounts haven't been edited (at least not manually) by myself or any other admins.

0
 

Author Comment

by:Globalknowledge
ID: 23725936
Softerra LDAP Browser is able to navigate to the 4 user accounts with no issues.  I just installed and connected to a GC DC outside of the users' domain (DC in Root) over 3268 and was able to do a quick search for the users.  So it appears that Softerra can see them.

I have a hard time believing that the 3rd party application is restricting certain users from the search, but I see nothing specifically wrong with the AD user accounts.  Any other thoughts?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 23726011
That is really odd.
Are you using the same account for this test as the 3rd party app is using.
0
 
LVL 7

Expert Comment

by:Dusan_Bajic
ID: 23726030
Any unusual characters in account names or other properties?
0
 
LVL 2

Expert Comment

by:moorereason
ID: 23726107
The ideal situation is to try to replicate exactly what the 3rd party app is doing.  By that, I mean figure out what queries the 3rd party application is using.  If it were me, I'd install Wireshark on the application server to sniff the LDAP traffic and go from there.
0
 

Author Comment

by:Globalknowledge
ID: 23726256
I am launching Softerra using a 'run as' to specify the same credentials that the 3rd party server is using.

I have looked at the ADSIEdit properties of all 4 of the accounts versus 'working' accounts and there is nothing odd about them.  No special characters, extra spaces or anything...  Every attribute falls in line with working accounts.

I will try the Wireshark app and see what that produces.  

Thanks for the tips - keep them coming! I know this ultimately has to be a simple fix.  The 3rd party app (Openfire IM chat 3.6.3) support state that they think the AD accounts are corrupt.  I personally disagree with them.  I will also try to determine the LDAP query that Openfire is using to query the users from AD.
0
 
LVL 2

Expert Comment

by:moorereason
ID: 23726312
Aww...Openfire.  You may not need Wireshark.

Look at conf\openfire.xml.  Set ldapDebugEnabled to "true" and then enable debugging in the admin console.  Also, what is your searchFilter string?
0
 

Author Comment

by:Globalknowledge
ID: 23726568
searchFilter string?  Not sure where to get that information from...  Sorry.
0
 
LVL 2

Expert Comment

by:moorereason
ID: 23726574
Check your openfire.xml file.
0
 

Author Comment

by:Globalknowledge
ID: 23726722
Openfire configuration is no longer stored in the Openfire.xml file.  It is located in the DB.  Let me work to get that info now.

Here is a link where one of the experts state that the openfire.xml file is no longer used for the config...
http://www.igniterealtime.org/community/message/182214#182214 
0
 

Author Comment

by:Globalknowledge
ID: 23746748
okay - here is the search configuration info

ldap.groupSearchFilter                (objectClass=group)
ldap.searchFilter                        (objectClass=organizationalPerson)
plugin.search.excludedFields      Username
plugin.search.serviceEnabled      true
plugin.search.serviceName         search
0
 
LVL 2

Assisted Solution

by:moorereason
moorereason earned 400 total points
ID: 23746854
So, if you search with Softerra LDAP Browser and use the Openfire searchFilter "(objectClass=organizationalPerson)", do you see the missing users in your query results?  If not, try to target a specific user with this query:

(&(objectClass=organizationalPerson)(SamAccountName=yourusername))
0
 
LVL 2

Expert Comment

by:moorereason
ID: 23746896
For what it's worth, I've supplied my searchFilter below.  You will notice that I'm checking for objectCategory and not objectClass.  I'm not sure why that would matter.

(&(objectCategory=Person)(memberOf=CN=JabberAccess,OU=Security Groups,OU=Groups,DC=example,DC=com))


0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 400 total points
ID: 23747061
Generally you want to use (objectCategory=person)(objectclass=user)
That will make sure it only searches for users and not contacts.
 Thanks
Mike
0
 

Author Comment

by:Globalknowledge
ID: 23750514
When using (objectClass=organizationalPerson) the 4 users still appear in Softerra...
I am completely lost as to why they do not appear in Openfire.  Here is another bit of interesting info - If I change the port to 389 the 4 users are found in Openfire (of course only the users in the specified child domain appear as well).  But when I change it to 3268, the rest of the organization users appear except those 4.

I will change the query to (objectCategory=user) tomorrow on port 3268 and report the results
0
 

Author Comment

by:Globalknowledge
ID: 23759401
Okay - I have edited the search to (&(objectCategory=person)(objectclass=user)) and the same 4 people are not returning.

Can I use (objectclass=*) to attempt and pull everything in AD?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 23759470
You could use that but not sure why you would want to
Just for another test download adfind
http://www.joeware.net/freetools/tools/adfind/index.htm
run
adfind -gcb -f "samaccountname=<username of one of the 4>"
Do they return in that command?
Thanks
Mike
0
 

Author Comment

by:Globalknowledge
ID: 23760008
I will test and post findings on Monday.

Thanks mkline71 and moorereason for following up on this thread.  Hopefully I (we) will get to the bottom of this soon.

0
 

Accepted Solution

by:Globalknowledge
Globalknowledge earned 0 total points
ID: 23778009
Hello all - I have found the issue...  And it is due to the way Openfire Auto creates accounts when performing LDAP lookups.  

I have figured out why random users are not found in the LDAP search with Spark/Openfire.   Openfire is configured to search the entire forest (port 3268) for users in our organization, which obviously includes all of our child domains in the forest.

When Openfire queries AD, it completely ignores the child domain and only looks at the pre-Windows 2000 user ID.   If there are two user IDs that match identically, Openfire does not know what to do with them, so the application simply does not return a result for that person.  

For Example - John Doe in Child domainA would have the pre-Windows login of 'domainA\doej'.  Jane Doe in Child domainB would have the pre-windows login of 'domainB\doej'.  Openfire ignores the 'domainX' information and will not create an Openfire account for the users since they both have the 'doej' username.

I am working to configure Openfire to include the domain in the Openfire login name, but haven't tested as of yet, nor know what implications this will have to existing users.  I will update at a later date when I have that information.
0
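The following script is an added example (it is not code from this thread, from Openfire, or from any of the posters) that reproduces the root cause in the accepted solution: two users in different child domains share a pre-Windows 2000 logon name (sAMAccountName), so a forest-wide GC search returns both and an application that keys on the bare name alone silently drops them. It also applies the filter Mike Kline recommended, (&(objectCategory=person)(objectClass=user)), to show why a contact object is excluded while (objectClass=organizationalPerson) would have matched it. The input is a constructed LDIF sample (the shape ldifde or ldapsearch would emit against port 3268); the domains, DNs and names in it are invented, and the userPrincipalName fallback is my suggestion for a forest-unique key, not an Openfire setting.

```python
# Added example: find sAMAccountName collisions in a GC (port 3268) user search.
# Not from the original thread or from Openfire; sample data is constructed.
import re
from collections import defaultdict

# Constructed LDIF: three users across two child domains plus one contact.
# Note the two 'doej' accounts (sAMAccountName is case-insensitive in AD).
SAMPLE_LDIF = """\
dn: CN=John Doe,OU=Users,DC=domaina,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
sAMAccountName: doej
userPrincipalName: doej@domaina.example.com

dn: CN=Jane Doe,OU=Users,DC=domainb,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
sAMAccountName: DOEJ
userPrincipalName: doej@domainb.example.com

dn: CN=Alice Smith,OU=Users,DC=domaina,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
sAMAccountName: smitha

dn: CN=Vendor Contact,OU=Contacts,DC=domainb,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: contact
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
"""


def parse_ldif(text):
    """Parse simple LDIF (no '::' base64 values, no line folding) into a list of
    {attribute: [values]} dicts, one per blank-line separated record."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def is_user(entry):
    """Same test as (&(objectCategory=person)(objectClass=user)). A contact is
    objectCategory=person and objectClass=organizationalPerson too, but never
    objectClass=user, so it is filtered out here."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    category = entry.get("objectCategory", [""])[0]
    return "user" in classes and category.split(",", 1)[0].lower() == "cn=person"


def domain_of(dn):
    """DNS domain name reconstructed from the DC= components of a DN."""
    return ".".join(re.findall(r"DC=([^,]+)", dn, flags=re.IGNORECASE))


def find_collisions(entries):
    """Group user objects by sAMAccountName, case-insensitively as AD does.
    Returns {name: [(domain, dn), ...]} for names present in more than one
    domain; these are the accounts a name-only lookup cannot resolve."""
    by_sam = defaultdict(list)
    for e in entries:
        if not is_user(e):
            continue
        sam = e.get("sAMAccountName", [None])[0]
        if sam:
            dn = e["dn"][0]
            by_sam[sam.lower()].append((domain_of(dn), dn))
    return {sam: hits for sam, hits in by_sam.items() if len(hits) > 1}


def forest_unique_keys(entries):
    """Map each user DN to a key that is unique across the forest: the
    userPrincipalName, falling back to sAMAccountName@<dns domain> (assumed
    convention) when the attribute is absent."""
    keys = {}
    for e in entries:
        if is_user(e):
            dn, sam = e["dn"][0], e["sAMAccountName"][0]
            keys[dn] = e.get("userPrincipalName", [f"{sam}@{domain_of(dn)}"])[0]
    return keys


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for sam, hits in find_collisions(users).items():
        print(f"sAMAccountName '{sam}' exists in {len(hits)} domains:")
        for domain, dn in hits:
            print(f"  {domain}: {dn}")
    print("forest-unique keys:", forest_unique_keys(users))
```

Running it against the sample reports 'doej' in both domaina.example.com and domainb.example.com, which is exactly the pair a GC search returns and a name-only lookup drops; the contact never enters the grouping. Pointing the parser at a real export (for example ldifde against a GC with Mike's filter and the attributes dn, objectClass, objectCategory, sAMAccountName, userPrincipalName) would list every account in the forest affected by the same collision, including the ones the author expected to "pop up at a later date".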
 
LVL 57

Expert Comment

by:Mike Kline
ID: 23778357
Good work, this will help others when they run into this issue in the future.
0
