I’m considering deploying Openfire as a corporate IM service. I plan to authenticate users against Active Directory, DC of which is located in our office LAN.
While setting this up should probably be trivial, we have a requirement that IM service should be availiable even if the office network is down (e.g. power failure, ISP failure).
Suppose I’ve installed Openfire to a VPS, connected it to the office network, everything works fine and each user successfully authenticated at least once. What would happen if connectivity to LDAP server is suddenly lost? Will users be able to authenticate somehow? Does Openfire have a credential cache of some kind? Like when you are able to log on to a Windows PC as a domain user even when the network cable is disconnected.
I expect that unavailability of AD/LDAP primarily affects authentication, an not so much the availability of already connected users.
By default, Openfire caches LDAP interaction, but not authentication. This, however, can be enabled (using the
Caching is primarily intended to reduce load of the AD/LDAP server, and not so much to remove a dependency. I’m not sure if, and how long, Openfire will continue to work properly without being able to connect to AD/LDAP.
I googled for “ldap.authCache.enabled openfire” and found this: LdapAuthProvider (Core XMPP Server 4.6.0-SNAPSHOT API)
ldap.authCache.maxLifetime – maximum amount of time a hashed password can be cached in milleseconds. If property is not set, the default value is 7200000 (2 hours)."
Looks like that is what I was looking for, but “maximum amount” confuses me. What would minimum amount depend on?
Caches in Openfire typically use two different properties:
When a cache (that is not unlimited in size) starts containing so many items that it is “full”, it will start to evict items, even if they’re not “older” than “max life time”.
you can also configure openfire for multiple DCs ie, primary and secondary.