Openfire doing big queries to our LDAP server


We noticed ununsual CPU usage on our LDAP server so I was ask to investigate. Searching in our LDAP log (Sun one 5.2) I found out that their was a particular request which was attempted every 15 to 30 seconds which was not indexed.

I thought that it was weird since every attribute in our LDAP that is actively used by applications have an index. Searching in the access log, I found out the culprit and it’s seem that the “bad” request is made by Openfire.

The request is a search on the base DN with a filter of uid=* with a SORT on uid.

Since we have more than 15 000 users in our LDAP server, the sorting is causing a problem with a threshold variable on our index that is limited to 4000. (note : changing this value isnt easy and should not be needed).

Also, in the Openfire error.log I found that :

2008.08.06 15:28:04 [org.jivesoftware.openfire.ldap.LdapUserProvider.getUsernames(LdapUserProvider. java:261)
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Search is not indexed]; remaining name ''
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
at Source)
at Source)
at Source)
at org.jivesoftware.openfire.ldap.LdapUserProvider.getUsernames(LdapUserProvider.j ava:235)
at org.jivesoftware.openfire.user.UserManager.getUsernames(
at org.jivesoftware.openfire.roster.RosterManager.getSharedUsersForRoster(RosterMa
at org.jivesoftware.openfire.roster.Roster.getSharedUsers(
at org.jivesoftware.openfire.roster.Roster.(
at org.jivesoftware.openfire.roster.RosterManager.getRoster(

Apart from that, we do not have any problem with Openfire so I’m not sure why Openfire need to this request every 30 seconds.

EDIT : It’s seem that the LDAP server refuse to do the request hence the errors in the openfire log and the fact that it try to do it every 30 seconds I guess …

Could somebody from the team look into that please ?


David Paquet