Push Active Directory users to Database but Authenticate via Active Directory

Hi there,

Since my last setup with only LDAP runs too slow, I need to re-evaluate the Openfire configuration.

Issue:

  • LDAPS takes up to 10 minutes to search for users and groups (approx. 550 users, 75 groups).
  • Therefore each login also takes up to 10 minutes for the client user.
    That’s too long. If I’m right, I read that this is a known issue.

My idea now is to pull users out of Active Directory via ldapsearch, push them into the database via script and use either:

  • Database authentication (therefore I need to get the Active Directory password somehow, even in hashed form --> I mean that’s not possible, is it?)
    or

  • Authenticate the users in the database via Active Directory (if that’s possible, that should be the better solution)

Question: is it possible to have users in the database and match them with users in Active Directory?

What version of Openfire are you running? Do you have ldap.connectionPoolEnabled = true?

Hi Speedy,

I’m running Openfire 4.0.2.

I tried both.

ldap.connectionPoolEnabled = true

ldap.connectionPoolEnabled = false

Either way I had the same latency.

Can you disable LDAPS and try regular LDAP to see if you are getting the same latency?

When you log into the admin console, are you able to view the user list quickly?

In fact we wanted to use LDAPS for security reasons; nevertheless I’m going to try out your recommendation and let you know ASAP.

We first need to adjust our ACL rules.

Thanks so far.

Okay, I implemented LDAP instead of LDAPS and it works much faster. Nevertheless, the passwords get submitted in plaintext.

So this is no option for us.

What about the requested ideas? Any help?

How much faster compared to when using LDAPS? I agree that LDAPS is more secure and should be used… but this will help with the troubleshooting.

For example, as you stated, with LDAPS it would take 10 minutes. If it takes 1 without SSL, then there is likely an issue with pool connections not working correctly.

Hi Speedy,

LDAP is much faster; it takes up to 10 seconds. LDAPS used to take 2 to 4 minutes.

Unfortunately LDAP is no option for us. The security department doesn’t allow such an implementation, and I can understand that. Plaintext passwords are quite insecure.

Any ideas how to proceed?

Sounds like an issue with connection pooling. Are you using TLS or SSL? Is this a clean install or an upgrade?

Thanks Speedy,

Your hint was right. I always had “ldap.startTlsEnabled” set to true. That caused too much overhead. Without startTLS, but with SSL enabled, it works fine.

Thank you. Now our implementation should work.

Yep… that would do it. If I remember the code correctly, I think connection pooling is disabled when using TLS, but I’m not sure as to why. I’m sure there is a reason though!
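The thread ends with three configuration states: plaintext LDAP (fast, rejected for security), LDAPS with ldap.startTlsEnabled=true (secure but minutes per login), and LDAPS with StartTLS off (secure and fast). The following script is an added example, not code from the thread or from the Openfire project. It audits a map of Openfire LDAP properties for those states and times an arbitrary bind/search callable the way Speedy's "how much faster?" comparison asks for. ldap.connectionPoolEnabled and ldap.startTlsEnabled are the property names from the thread; ldap.host, ldap.port and ldap.sslEnabled are assumed Openfire property names, and the three property sets at the bottom are constructed to mirror the before/after states described above.

```python
"""Audit Openfire LDAP connection properties for the latency/plaintext trade-off.

Added example, not the thread's or the Openfire project's own code.
"""
import time
from statistics import median

# ldap.connectionPoolEnabled and ldap.startTlsEnabled appear in the thread;
# ldap.host, ldap.port and ldap.sslEnabled are assumed property names.


def _is_true(props, key):
    """Openfire stores booleans as the strings "true"/"false"; missing means false."""
    return str(props.get(key, "false")).strip().lower() == "true"


def audit_ldap_props(props):
    """Return a list of (severity, message) findings for a dict of LDAP properties."""
    findings = []
    ssl = _is_true(props, "ldap.sslEnabled")
    starttls = _is_true(props, "ldap.startTlsEnabled")
    pool = _is_true(props, "ldap.connectionPoolEnabled")
    port = int(props.get("ldap.port", 636 if ssl else 389))

    if not ssl and not starttls:
        # The state the security department rejected: bind credentials cross
        # the wire unencrypted.
        findings.append(("HIGH", "plaintext LDAP: neither ldap.sslEnabled "
                                 "nor ldap.startTlsEnabled is true"))
    if starttls:
        # The setting the thread traced the multi-minute logins to.
        findings.append(("MEDIUM", "ldap.startTlsEnabled=true: the thread reports "
                                   "heavy login latency with StartTLS; prefer "
                                   "ldap.sslEnabled=true (LDAPS) with StartTLS off"))
    if ssl and port == 389:
        findings.append(("LOW", "ldap.sslEnabled=true but ldap.port=389; "
                                "LDAPS normally listens on 636"))
    if not pool:
        findings.append(("LOW", "ldap.connectionPoolEnabled=false: every login "
                                "opens a fresh directory connection"))
    return findings


def time_operation(op, rounds=5):
    """Run a zero-argument bind/search callable `rounds` times.

    Returns (median_seconds, max_seconds). Pass one wrapper configured for
    LDAPS and one for StartTLS to reproduce the comparison Speedy asked for.
    """
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        op()
        samples.append(time.perf_counter() - start)
    return median(samples), max(samples)


# Constructed property sets (hostnames and ports are placeholders).
BEFORE = {"ldap.host": "dc1.example.test", "ldap.port": "636",
          "ldap.sslEnabled": "true", "ldap.startTlsEnabled": "true",
          "ldap.connectionPoolEnabled": "true"}          # the slow setup
AFTER = {"ldap.host": "dc1.example.test", "ldap.port": "636",
         "ldap.sslEnabled": "true", "ldap.startTlsEnabled": "false",
         "ldap.connectionPoolEnabled": "true"}           # the working setup
PLAINTEXT = {"ldap.host": "dc1.example.test", "ldap.port": "389",
             "ldap.sslEnabled": "false", "ldap.startTlsEnabled": "false",
             "ldap.connectionPoolEnabled": "true"}       # fast but rejected

if __name__ == "__main__":
    for name, props in (("BEFORE", BEFORE), ("AFTER", AFTER), ("PLAINTEXT", PLAINTEXT)):
        print(name, audit_ldap_props(props) or "no findings")
    # Stand-in operation; replace with a real ldapsearch wrapper when measuring.
    print("timing:", time_operation(lambda: None, rounds=3))
```

The audit only reads the property map, so it can run against an export of the ofProperty values without touching the directory; the timing helper is deliberately agnostic about how the bind is performed so the same harness measures LDAPS, StartTLS and plaintext setups side by side.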