Active Directory LDAP really slow with SSL

I have an Openfire instance running 3.7.0 connected to AD via port 389. It works fine; the user page comes back pretty much instantly after a service recycle. I changed ldap.port to 636 and ldap.sslEnabled to true to test SSL. The user list page takes >1min to load (about 500 users are valid from our 2500 user AD environment). tcpdump shows it using 636, but I see the source port incrementing rapidly. It seems as if Openfire is opening a new connection for each user lookup, or at least not pooling connections properly.

When I switch it back to 389/non-SSL and cycle, it works fine: the user list page loads quickly and logins are quick also.

Is anyone else using AD with LDAP & SSL with similar performance to non-SSL?


Yes, we are having the same issue.

I’m currently installing a new server authenticating with our AD. In LDAP everything is fine and fast, but in LDAPS it’s horribly slow.

A tcpdump is showing the same as yours. Ports are incrementing quickly. I tested it in LDAP and connectionPoolEnabled is working fine, but not in LDAPS.

Can a bug be opened for this? It would be nice to have this fixed.

To be honest, LDAP SSL is deprecated now, and Ignite should be doing TLS over 389.