Users/Groups tab in Openfire is taking a long time

When I click on the Users/Groups tab in the Openfire admin console, it takes a very long time to show either users or groups. I have our server integrated with a custom database (SQL Server) to retrieve users and groups from the DB. We have around 130K users and 11K groups. Is this causing an issue? Please share your thoughts. If I tweak any of the cache settings, would it help in resolving this issue? Please let me know how to change the cache settings.

Since loading is taking some time, I decided to load the group summary page by entering the URL directly in the browser address bar (http://openfirebserver.com:9090/group-summary.jsp). Then it did load all the records of groups (which is 11K groups) but was unable to show the groups. Here is the screenshot of how it looks. There are only page numbers, but it does not show the groups upon clicking the page number.

Below is the error stack from the log file:

2016.02.25 19:03:28 ERROR [Jetty-QTP-AdminConsole-93]: org.jivesoftware.database.DbConnectionManager - Error in JDBC method rs.relative(rowNumber).
com.microsoft.sqlserver.jdbc.SQLServerException: The result set has no current row.
	at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:191)
	at com.microsoft.sqlserver.jdbc.SQLServerResultSet.verifyResultSetHasCurrentRow(SQLServerResultSet.java:485)
	at com.microsoft.sqlserver.jdbc.SQLServerResultSet.relative(SQLServerResultSet.java:791)
	at org.jivesoftware.database.DbConnectionManager.scrollResultSet(DbConnectionManager.java:501)
	at org.jivesoftware.openfire.group.JDBCGroupProvider.getGroupNames(JDBCGroupProvider.java:259)
	at org.jivesoftware.openfire.group.GroupManager.getGroups(GroupManager.java:564)
	at org.jivesoftware.openfire.admin.group_002dsummary_jsp._jspService(group_002dsummary_jsp.java:92)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:808)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
	at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
	at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:76)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:53)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:80)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:162)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
	at org.eclipse.jetty.server.Server.handle(Server.java:497)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
	at java.lang.Thread.run(Thread.java:745)

Year 2020 and I have the same problem. But I have fewer users: ~550 users and 30 groups from LDAP. But it looks like a server problem… maybe frequent synchronization with LDAP in the background? While the Spark client is trying to log in, he gets the login / password error message, or he logs in but doesn’t download shared groups or get settings from the Client Control plugin. If I click on the Users/Groups tab at that moment, I have to wait … and wait … and wait…

When the tab opens, the client can log in too, download shared groups and get the Client Control plugin settings. But a few minutes later I have the same problem.

Hi, I have 500 users and 30 groups.
On my main server (Ubuntu 16.04 + Java 8 + MySQL 5.7) everything opens quickly and Spark logs in immediately. But on the test server (18.04 + Java 11 + MySQL 8) it also happens that Spark sometimes reports a wrong username or password, you have to log in several times, and I also wait for the Spark interface to load.

I am not a developer, but it seems to me the matter is either in MySQL 8, or in Java 11, or in new versions of the Ubuntu server (if you use it).

As it turned out, the problem was in the self-signed certificate.
I don’t have a certificate at all on the main server. And there was one on the test server; after I deleted it, Spark immediately logged in.

There are no events on the server at this time.
And here is the Spark log:
warn

июл 05, 2020 6:38:06 PM org.jivesoftware.spark.util.log.Log warning
WARNING: Certificate doesn't have subjectUniqueID: CN=spark.coleman.local
java.lang.NullPointerException
	at org.jivesoftware.sparkimpl.certificates.CertificateModel.<init>(CertificateModel.java:99)
	at org.jivesoftware.sparkimpl.certificates.CertificateModel.<init>(CertificateModel.java:69)
	at org.jivesoftware.sparkimpl.certificates.CertManager.fillTableListWithKeyStoreContent(CertManager.java:250)
	at org.jivesoftware.sparkimpl.certificates.CertificateController.loadKeyStores(CertificateController.java:96)
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.loadKeyStores(SparkTrustManager.java:326)
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.<init>(SparkTrustManager.java:87)
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.getTrustManagerList(SparkTrustManager.java:91)
	at org.jivesoftware.sparkimpl.certificates.SparkSSLContextCreator.setUpContext(SparkSSLContextCreator.java:40)
	at org.jivesoftware.LoginDialog.retrieveConnectionConfiguration(LoginDialog.java:301)
	at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1137)
	at org.jivesoftware.LoginDialog$LoginPanel.access$900(LoginDialog.java:387)
	at org.jivesoftware.LoginDialog$LoginPanel$3.construct(LoginDialog.java:951)
	at org.jivesoftware.spark.util.SwingWorker.lambda$new$1(SwingWorker.java:139)
	at java.lang.Thread.run(Unknown Source)

июл 05, 2020 6:38:10 PM org.jivesoftware.spark.util.log.Log warning
WARNING: ofmeet-Error: Properties-file does not exist= C:\Users\Plyha\AppData\Roaming\Spark\ofmeet.properties, using default null
июл 05, 2020 6:38:27 PM org.jivesoftware.spark.util.log.Log warning
WARNING: ofmeet-Error: Properties-file does not exist= C:\Users\Plyha\AppData\Roaming\Spark\ofmeet.properties, using default null

error

июл 05, 2020 6:37:33 PM org.jivesoftware.spark.util.log.Log error
SEVERE: Exception in Login:
org.jivesoftware.smack.SmackException$NoResponseException: No response received within reply timeout. Timeout was 10000ms (~10s). Waited for response using: IQReplyFilter: iqAndIdFilter (AndFilter: (OrFilter: (IQTypeFilter: type=error, IQTypeFilter: type=result), StanzaIdFilter: id=ByqjE-54)), : fromFilter (OrFilter: (FromMatchesFilter (full): spark.coleman.local)).
	at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:122)
	at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:105)
	at org.jivesoftware.smack.StanzaCollector.nextResultOrThrow(StanzaCollector.java:265)
	at org.jivesoftware.smack.StanzaCollector.nextResultOrThrow(StanzaCollector.java:219)
	at org.jivesoftware.smackx.disco.ServiceDiscoveryManager.discoverInfo(ServiceDiscoveryManager.java:531)
	at org.jivesoftware.smackx.disco.ServiceDiscoveryManager.discoverInfo(ServiceDiscoveryManager.java:505)
	at org.jivesoftware.smackx.disco.ServiceDiscoveryManager.supportsFeatures(ServiceDiscoveryManager.java:738)
	at org.jivesoftware.smackx.disco.ServiceDiscoveryManager.serverSupportsFeatures(ServiceDiscoveryManager.java:680)
	at org.jivesoftware.smackx.disco.ServiceDiscoveryManager.serverSupportsFeatures(ServiceDiscoveryManager.java:674)
	at org.jivesoftware.smackx.disco.ServiceDiscoveryManager.serverSupportsFeature(ServiceDiscoveryManager.java:669)
	at org.jivesoftware.smackx.carbons.CarbonManager.isSupportedByServer(CarbonManager.java:232)
	at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1205)
	at org.jivesoftware.LoginDialog$LoginPanel.access$900(LoginDialog.java:387)
	at org.jivesoftware.LoginDialog$LoginPanel$3.construct(LoginDialog.java:951)
	at org.jivesoftware.spark.util.SwingWorker.lambda$new$1(SwingWorker.java:139)
	at java.lang.Thread.run(Unknown Source)

Thanks for your answer.

I don’t have a cert either. Maybe it’s because of my filters?

Base DN: dc=“domain”,dc=“com”

User filter: (&(objectCategory=person)(objectClass=user)(memberOf=CN=Spark_users,OU=users,DC=domain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Group filter: (memberOf=CN=Spark_groups,OU=groups,DC=domain,DC=com)

In Spark_groups I put other groups with users.

In debug log I have for example:

2020.07.05 20:24:39 org.jivesoftware.openfire.ldap.LdapManager - Trying to find a user’s RDN based on their username: ‘cn=Mr XX,ou=officeOne,dc=domain,dc=com’. Field: ‘sAMAccountName’, Base DN: 'dc=“domain”,dc=“com” ’ …

2020.07.05 20:24:39 org.jivesoftware.openfire.ldap.LdapManager - Creating a DirContext in LdapManager.getContext() for baseDN 'dc=“domain”,dc=“com” '…

2020.07.05 20:24:39 org.jivesoftware.openfire.ldap.LdapManager - Created hashtable with context values, attempting to create context…

2020.07.05 20:24:39 org.jivesoftware.openfire.ldap.LdapManager - … StartTlsRequest

2020.07.05 20:24:39 org.jivesoftware.openfire.ldap.LdapManager - … peer host: active.um.bytom.pl, CipherSuite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

2020.07.05 20:24:39 org.jivesoftware.openfire.ldap.LdapManager - … context created successfully, returning.

2020.07.05 20:24:39 org.jivesoftware.openfire.ldap.LdapManager - Starting LDAP search for username ‘cn=Mr XX,ou=officeOne,dc=domain,dc=com’…

2020.07.05 20:24:39 org.jivesoftware.openfire.ldap.LdapManager - … search finished for username ‘cn=Mr XX,ou=officeOne,dc=domain,dc=com’.

2020.07.05 20:24:39 org.jivesoftware.openfire.ldap.LdapManager - User DN based on username ‘cn=Mr XX,ou=officeOne,dc=domain,dc=com’ not found.

But “Mr XX” account is disabled. Why is it searched? And all disabled accounts.

Does the Base DN look for users throughout the domain? This is not good, you need to specify the folder where you have users.
Here is my example:
OU=“Users”,DC=“domain”,DC=“local”

Everything else is good, but how do you divide users into departments?)

But what if you make the filter simple?

For example this:
for users - ldap.searchFilter (objectClass=organizationalPerson)
for groups - (&(objectClass=group)(cn=of-*))

where of-* are your groups for Openfire; I have of-dev, of-office, of-hr, etc.

I have users and groups in containers. For example:

CN=user1,OU=department1,DC=domain,DC=com
CN=user2,OU=department1,DC=domain,DC=com
CN=group1_name,OU=department1,DC=domain,DC=com

CN=user3,OU=department2,DC=domain,DC=com
CN=user4,OU=department2,DC=domain,DC=com
CN=user5,OU=department2,DC=domain,DC=com
CN=group2_different_name,OU=department2,DC=domain,DC=com

CN=user6,OU=department3,DC=domain,DC=com
CN=user7,OU=department3,DC=domain,DC=com
CN=group3,OU=department3,DC=domain,DC=com
CN=group4_else_name,OU=department3,DC=domain,DC=com

CN=user8,OU=department4,DC=domain,DC=com
CN=user9,OU=department4,DC=domain,DC=com
CN=group5,OU=department4,DC=domain,DC=com

CN=Spark_groups,OU=groups,DC=domain,DC=com < members are group1_name, group2_different_name, group4_else_name. Thanks to this, I can see Spark’s structure that I share for users. They can send messages to specific departments and they know who works there.
If I change the account in AD, the change is visible in Spark automatically. I don’t have to assign users manually after each employee change.

“for users - ldap.searchFilter (objectClass=organizationalPerson)”

Too simple? :slight_smile: I have many accounts disabled. I wanted to exclude them from my search to reduce processing time. As you can see, ineffectively :smiley:

With my group filter - from the click users/groups tab to load - 23 minutes.
With your group filter - 14 minutes.

But I want to use different groups, not only those with a mask (your example cn=of-*).
This time is acceptable for me as long as it happens at my appointed time, not when I click on the tab. Is it possible? Can I schedule the time of synchronization of Openfire with AD?

14 minutes after you clicked on the “Users / Groups” tab?
I have a maximum of 1 minute, and I thought it was a long time)
I can not tell anything about synchronization with AD = (

Searching specific users:
“Trying to find a user’s RDN based on their username”
About 1,2 second per user. 1000 active accounts and I have ~20 minutes

But starts by creating a list (?) ~ 4 minutes:
“Creating a DirContext in LdapManager.getContext() for baseDN”

With StartTLS set to false - 30 seconds. But it is not safe :frowning: Any suggestion?
LDAPS (636 port) - I am just measuring the time, now it is over 15 minutes

I found the same problem - I will link it: https://discourse.igniterealtime.org/t/users-groups-tab-in-openfire-is-taking-long-time/61256/10 But @Michel_Leme suggests disabling SSL :frowning:
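To check from the debug log whether the time goes into building the LDAP connection (the "Creating a DirContext" to "context created successfully" span, which includes the StartTLS handshake) or into the search itself, the timestamps can be summed per phase. This is an added example, not part of the original posts or of Openfire; the function names and the sample log lines are constructed, and it assumes the lookups are logged sequentially with the one-second timestamp resolution shown above.

```python
import re
from datetime import datetime

# Constructed sample in the debug-log format quoted in this thread (not real data).
P = "org.jivesoftware.openfire.ldap.LdapManager - "
SAMPLE_LOG = "\n".join([
    "2020.07.05 20:24:39 " + P + "Creating a DirContext in LdapManager.getContext() for baseDN 'dc=domain,dc=com'...",
    "2020.07.05 20:24:39 " + P + "... StartTlsRequest",
    "2020.07.05 20:24:41 " + P + "... context created successfully, returning.",
    "2020.07.05 20:24:41 " + P + "Starting LDAP search for username 'user1'...",
    "2020.07.05 20:24:41 " + P + "... search finished for username 'user1'.",
    "2020.07.05 20:24:41 " + P + "Creating a DirContext in LdapManager.getContext() for baseDN 'dc=domain,dc=com'...",
    "2020.07.05 20:24:44 " + P + "... context created successfully, returning.",
    "2020.07.05 20:24:44 " + P + "Starting LDAP search for username 'user2'...",
    "2020.07.05 20:24:45 " + P + "... search finished for username 'user2'.",
])

LINE = re.compile(r"^(\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) \S*LdapManager - (.*)$")

# (phase name, start marker, end marker); markers are phrases from the quoted log lines.
PHASES = [
    ("connect", "Creating a DirContext", "context created successfully"),
    ("search", "Starting LDAP search", "search finished"),
]

def phase_durations(log_text):
    """Sum the seconds spent in each phase; lines that do not match are skipped."""
    totals = {name: {"count": 0, "seconds": 0.0} for name, _, _ in PHASES}
    open_since = {}  # phase name -> timestamp of its unmatched start line
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S")
        msg = m.group(2)
        for name, start, end in PHASES:
            if start in msg:
                open_since[name] = ts
            elif end in msg and name in open_since:
                totals[name]["count"] += 1
                totals[name]["seconds"] += (ts - open_since.pop(name)).total_seconds()
    return totals

def slowest_phase(totals):
    """Name of the phase with the largest accumulated time."""
    return max(totals, key=lambda name: totals[name]["seconds"])

if __name__ == "__main__":
    result = phase_durations(SAMPLE_LOG)
    print(result, "slowest:", slowest_phase(result))
```

If "connect" dominates, the cost is in per-lookup connection and TLS setup rather than in the filter, which points at the handshake and connection handling instead of at turning encryption off.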

I am using LDAPS (636 port)…

I think all the same that you need to create the “Users” group in AD and place the users there, because now you are searching all over AD.

OU=“Users”,DC=“domain”,DC=“local”

And all the groups also put in the “Users”.
CN=of-dev,OU=Openfire,OU=groups,OU=Users,DC=domain,DC=local

AD administrators usually do this.

Total time for LDAPS - 23 minutes also.

I’m slowly maturing to move users. However, this is an acquired domain and I am afraid of integrating the accounts sewn into other systems and what may stop working after that. And I’m not sure this will solve the problem in my case.

Thanks a lot for your time. Best regards.

Yes, you’re right, it opens 6 minutes on my test server. What version of Java and SQL are you using?

Sorry. I linked the wrong address. The correct one is “LDAP browsing is extremely slow!”

Hi, try setting these cache values, then restart the Openfire service or restart the server.

|Property|Value|
|---|---|
|cache.Roster.size|20971520|
|cache.User.size|2097152|
|cache.VCard.size|20971520|
|cache.group.size|10485760|
|cache.userCache.size|2097152|
|cache.username2roster.size|20971520|
|cache.vcardCache.size|20971520|

or that

It’s much better now. I don’t know what helped. Maybe now it just updates the changes rather than a fresh download. In the meantime, I also changed the cache configuration - maybe it finally caught on too. My settings at the moment:

cache.Group.size 10485760
cache.GroupMetadataCache.size 5242880
cache.LDAPUserDN.size 10485760
cache.LastActivityCache.size 1048576
cache.OfflinePresenceCache.size 5242880
cache.Roster.size 31457280
cache.User.size 5242880
cache.VCard.size 10485760

It looks quite similar to what you suggested. Once users start reporting issues I will try with your values. Thank you.