Missing admin rights for new OpenLDAP users

We use OpenLDAP for Openfire user management. All users who are members of the
Openfire-Admin LDAP group get admin rights.
This works perfectly fine when we first start Openfire, but when we add a new user to the
Openfire-Admin group in LDAP, so the new user is a member of the group, it does not get admin rights in Openfire until we restart Openfire.
I tried clearing the cache but it didn’t help.

We are currently using version 4.7.5 but I tested it in version 5.0.4 and it didn’t work there either.

Here is an example with the newly added user opadmin6 who we added to the Openfire-Admin group. You can see that Openfire updated the group but didn’t give the user admin rights.

Since we want to avoid restarting Openfire, we are looking for a solution to this problem.
Can Openfire grant admin rights to a new LDAP user without restarting?
Thanks in advance for your help.

Hi Miklos!

I suspect that this is caused by caching. Openfire treats LDAP as a ‘read-only’ provider. It, by default, doesn’t get notified of updates that are applied to the directory directly.

As querying LDAP can easily become very expensive, there’s quite a bit of caching involved.

The combination of these two result in changes in LDAP to show up in Openfire only after cached values get refreshed. This should happen eventually, but can take many hours.

To test if this indeed is causing your issue, you could try manually resetting all caches that have ‘LDAP’ in their name in the Admin Console (Server > Server Manager > Cache Summary) after you updated the directory.

If that solves the problem, then we could work towards a more constructive fix. That can take various forms:

  • disable caching (e.g. set properties like ldap.authCache.enabled and ldap.userDNCache.enabled to false)
  • reduce the maximum age of cached entries
  • build some kind of ‘cache busting’ mechanism
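The following is an added illustration, not Openfire's code and not part of either post: a constructed read-through cache with a maximum entry age standing in for Openfire's LDAP group cache, and a dict standing in for the directory. It walks through the reported scenario (a user added to Openfire-Admin is not seen as admin until the cached entry expires) and shows the two remedies listed above, a shorter maximum age and explicit invalidation ("cache busting"). The hour-long maximum age and the user names are assumptions chosen for the demonstration.

```python
"""
Constructed simulation of a read-through cache in front of an LDAP group lookup.
Not Openfire code: it only models the behaviour described in the reply above.
"""
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the LDAP directory: group name -> set of member uids.
DIRECTORY: Dict[str, set] = {"Openfire-Admin": {"opadmin1"}}


def ldap_group_members(group: str) -> frozenset:
    """Stand-in for the expensive LDAP query that the cache exists to avoid."""
    return frozenset(DIRECTORY.get(group, set()))


class TtlCache:
    """Minimal read-through cache with a maximum entry age.

    A shorter max_age is the 'reduce the maximum age of cached entries' option;
    invalidate() is the 'cache busting' option. The clock is injected so the
    walkthrough below can advance time deterministically.
    """

    def __init__(self, max_age: float, clock: Callable[[], float] = time.monotonic):
        self.max_age = max_age
        self.clock = clock
        self._entries: Dict[str, Tuple[float, frozenset]] = {}
        self.misses = 0  # number of times the directory was actually queried

    def get(self, group: str) -> frozenset:
        now = self.clock()
        hit = self._entries.get(group)
        if hit is not None and now - hit[0] < self.max_age:
            return hit[1]  # served from cache: directory changes are invisible here
        self.misses += 1
        value = ldap_group_members(group)
        self._entries[group] = (now, value)
        return value

    def invalidate(self, group: Optional[str] = None) -> None:
        """Drop one group's entry, or every entry when no group is given."""
        if group is None:
            self._entries.clear()
        else:
            self._entries.pop(group, None)


def is_admin(cache: TtlCache, uid: str) -> bool:
    """Admin status is derived from membership of the Openfire-Admin group."""
    return uid in cache.get("Openfire-Admin")


def demo() -> dict:
    """Replay the reported scenario against a fake clock and record what each step saw."""
    DIRECTORY["Openfire-Admin"] = {"opadmin1"}  # reset so the walkthrough is repeatable
    fake_now = [0.0]
    cache = TtlCache(max_age=3600.0, clock=lambda: fake_now[0])  # assumed one-hour max age
    observed = {}
    observed["before_add"] = is_admin(cache, "opadmin6")        # False: not a member yet
    DIRECTORY["Openfire-Admin"].add("opadmin6")                   # the directory change
    observed["after_add_cached"] = is_admin(cache, "opadmin6")  # still False: stale cache
    fake_now[0] += 3600.0                                         # wait out the max age
    observed["after_ttl"] = is_admin(cache, "opadmin6")         # True: entry refreshed
    DIRECTORY["Openfire-Admin"].add("opadmin7")
    cache.invalidate("Openfire-Admin")                            # cache busting
    observed["after_bust"] = is_admin(cache, "opadmin7")        # True with no waiting
    observed["directory_queries"] = cache.misses                  # 3: initial, after TTL, after bust
    return observed


if __name__ == "__main__":
    print(demo())
```

The walkthrough makes the trade-off concrete: with the max age left long, the change becomes visible only when the entry expires, which is the "many hours" in the reply; shortening the max age makes it visible sooner at the cost of more directory queries; invalidating the entry right after the directory change makes it visible immediately while keeping the cache for every other lookup.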