LdapGroupProvider.processGroup has a performance problem under AD. Since the members list is stored with the DN for the user, the entries from the list do not match the pattern (?i)(^${ldap.usernameField}=)([^,]+)(.+), and thus Openfire ends up doing a new LDAP search for each username. This is time-consuming when you have a large number of groups and users.
Just attempting to load the group-summary page causes Openfire to get a list of all groups, and then since we’re on AD, it needs to do a user lookup for each member of each group. A cache would be handy here since we might already have looked up the DN from a previous group…
Suggestions:
- Add something so the pattern is "(?i)(^(?:${ldap.usernameField}|${ldap.groupUsernameField})=)([^,]+)(.+)" and could match on cn= like AD uses. Or even have it where if ${ldap.groupUsernameField} is defined it uses that over ${ldap.usernameField}.
- Have LdapGroupProvider use a cache for the users that it looks up.
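
The second suggestion, sketched as an added example that is not part of the original post and is not Openfire's code: a DN-to-username cache in front of the per-member lookup, with a counter showing how many searches a group listing triggers with and without it. The class name, the `sAMAccountName` value for `${ldap.usernameField}`, the directory contents and the group memberships are all constructed for illustration.

```java
import java.util.*;
import java.util.regex.*;

public class MemberDnCacheDemo {
    // Pattern from the post with ${ldap.usernameField} substituted; sAMAccountName is an assumed value.
    static final Pattern USERNAME_IN_DN = Pattern.compile("(?i)(^sAMAccountName=)([^,]+)(.+)");

    // Constructed directory: member DN (lower-cased) -> username.
    static final Map<String, String> DIRECTORY = Map.of(
        "cn=jane doe,ou=staff,dc=example,dc=com", "jdoe",
        "cn=raj patel,ou=staff,dc=example,dc=com", "rpatel",
        "cn=li wei,ou=staff,dc=example,dc=com", "lwei");

    static int searches = 0; // simulated LDAP round trips

    // Stand-in for the per-member LDAP search.
    static String searchByDn(String dn) {
        searches++;
        return DIRECTORY.get(dn);
    }

    // cache == null reproduces the uncached behaviour described in the post.
    static String resolve(String memberDn, Map<String, String> cache) {
        Matcher m = USERNAME_IN_DN.matcher(memberDn);
        if (m.matches()) {
            return m.group(2); // username is embedded in the DN, no search needed
        }
        // Normalise case so the same DN always hits the same cache entry.
        String key = memberDn.toLowerCase(Locale.ROOT);
        return cache == null ? searchByDn(key) : cache.computeIfAbsent(key, MemberDnCacheDemo::searchByDn);
    }

    // Resolves every member of every group and returns the number of searches issued.
    static int loadGroups(List<List<String>> groups, Map<String, String> cache) {
        searches = 0;
        for (List<String> members : groups) {
            for (String dn : members) {
                resolve(dn, cache);
            }
        }
        return searches;
    }

    public static void main(String[] args) {
        String jane = "CN=Jane Doe,OU=Staff,DC=example,DC=com";
        String raj = "CN=Raj Patel,OU=Staff,DC=example,DC=com";
        String li = "CN=Li Wei,OU=Staff,DC=example,DC=com";
        List<List<String>> groups = List.of(List.of(jane, raj, li), List.of(jane, raj), List.of(jane, li));
        System.out.println("searches without cache: " + loadGroups(groups, null));
        System.out.println("searches with cache:    " + loadGroups(groups, new HashMap<>()));
    }
}
```

A cache used for real group membership would also need a size bound and an expiry, so that renamed, disabled or removed accounts are not resolved from stale entries.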