Push Active Directory users to Database but Authenticate via Active Directory

Hi there,

since my last setup with ony LDAP runs too slow I need to reevaluate the openfire configuration.


  • LDAPS takes up to 10 minutes to search for users and groups (approx. 550 users, 75 groups).
  • Therefore each login also takes up to 10 minutes for the client user
    That’s too long. if I’m right I read that this is a known issue.

My Idea now is to pull users out of active directory via ldapsearch push them into database via script and use either:

  • Database authentication (Therefore I need to get the active directory password anyhow - even in hashed style. --> I mean that’s not possible is it?)

  • Authenticate with users in database via active directory (If thats possible that should be the better solution)

Question is it possible to have users in database and match them with users in active directory?

What version of openfire are you running? do you have ldap.connectionPoolEnabled = true?

Hi Speedy,

I’m running Openfire 4.0.2.

I tried both.

ldap.connectionPoolEnabled = true

ldap.connectionPoolEnabled = false

Either way I had the same latency.

can you disable ldapS and try regular ldap to see if you are getting the same latency?

when you log into the admin console; are you able to view the users list quickly?

In fact we wanted to use ldaps due to security reasons nevertheless I’m gonna try out your recommendation and let you know asap.

We first need to adjust our ACL rules.

Thanks so far.

Okay I implemented LDAP instead of LDAPS and it works much faster. Nevertheless the passwords get submitted in plaintext.

So this is no option for us.

What about the requested ideas? Any help?

how much faster compared to when using ldapS? I agree that ldaps is more secure and should be used…but this will help with the troubleshooting.

For example…as you stated with ldaps it would take 10 mins. if it takes 1 with out ssl, than there is likely an issue with pool connections not working correctly.

Hi Speedy,

LDAP is much faster takes up to 10 sec. LDAPS used to take 2 - 4 minutes.

Unfortunately LDAP is no option for us. Security department doesn’t allow such implementation and I can understand. Plaintext passwords are quite unsecure.

Any Ideas how to proceed?

sounds like an issue with connection pooling. are you using tls or ssl? is this a clean install or an upgrade?

Thanks Speedy,

your hint was right. I always had “ldap.startTlsEnabled” set true. That cause too much overhead. Without startTLS but SSL being enabled it works fine.

Thank you. Now our implementation should work.

yep…that would do it. If I remember the code correctly, I think connection pooling is disabled when using TLS, but I"m sure as to why. I’m sure there is a reason though!