Openfire caches and uses outdated LDAP password for authentication


It seems that Openfire uses a cache or OFUSER instead of trying to query LDAP when a user tries to authenticate. That's fine for good login performance but bad when the LDAP password is changed.

I recommend disabling the cache completely (or setting the timeout to a low value, which makes the cache useless). That way one also improves security, as the passwords are no longer stored in Openfire.
Another option would be to use the cache only when LDAP is not available, but I do not like it because of the password security.
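The following is an added illustration of the failure mode described in this report, not Openfire's own code. It models an authentication cache that stores one password hash per username with an expiry: after the directory password is changed, the old password keeps working until the entry expires, and the two mitigations named above (disabling the cache, or giving it a very short lifetime) both close that window. The class and function names, the SHA-256 hashing, the 2-hour default lifetime, the fake directory and the sample accounts are all assumptions made for this example.

```python
"""Model of an LDAP auth cache that keeps accepting an old password after it
was changed in the directory. Added example; not Openfire code. The cache
layout (username -> password hash + expiry), the hash and the default
lifetime are assumptions, not taken from the report."""
import hashlib
from dataclasses import dataclass, field


class FakeLdap:
    """Stand-in for the directory: bind succeeds only with the current password."""

    def __init__(self, users):
        self.users = dict(users)   # constructed sample accounts
        self.binds = 0             # how often the directory was actually queried

    def bind(self, username, password):
        self.binds += 1
        return self.users.get(username) == password

    def change_password(self, username, new_password):
        self.users[username] = new_password


@dataclass
class CachedLdapAuthProvider:
    """Auth provider with an optional username -> (password hash, expiry) cache."""
    ldap: FakeLdap
    cache_enabled: bool = True
    max_lifetime: float = 7200.0   # seconds; a 2 h default is assumed here
    _cache: dict = field(default_factory=dict)

    @staticmethod
    def _hash(password):
        # Assumed hashing scheme; the point is only that the cache never
        # holds the cleartext password but still accepts whatever it last saw.
        return hashlib.sha256(password.encode()).hexdigest()

    def authenticate(self, username, password, now):
        """Return (accepted, source) where source is 'cache' or 'ldap'."""
        digest = self._hash(password)
        if self.cache_enabled:
            entry = self._cache.get(username)
            if entry is not None:
                cached_digest, expires_at = entry
                if now < expires_at and cached_digest == digest:
                    # Served from the cache: LDAP is never asked, so a password
                    # that was changed in the directory is still accepted here.
                    return True, "cache"
                if now >= expires_at:
                    del self._cache[username]
        ok = self.ldap.bind(username, password)
        if ok and self.cache_enabled:
            self._cache[username] = (digest, now + self.max_lifetime)
        return ok, "ldap"


def stale_password_window(cache_enabled=True, max_lifetime=7200.0):
    """Log in, change the LDAP password, then retry the OLD password twice:
    once inside the cache lifetime and once after it has expired.

    Returns (old_pw_accepted_before_expiry, old_pw_accepted_after_expiry,
             number_of_ldap_binds)."""
    ldap = FakeLdap({"alice": "Winter2013!"})          # constructed account
    provider = CachedLdapAuthProvider(ldap, cache_enabled, max_lifetime)
    assert provider.authenticate("alice", "Winter2013!", now=0.0) == (True, "ldap")
    ldap.change_password("alice", "Spring2013!")
    before = provider.authenticate("alice", "Winter2013!", now=60.0)[0]
    after = provider.authenticate("alice", "Winter2013!", now=max_lifetime + 1)[0]
    return before, after, ldap.binds


if __name__ == "__main__":
    print("cache enabled, 2 h:  ", stale_password_window())
    print("cache disabled:      ", stale_password_window(cache_enabled=False))
    print("cache enabled, 0 s:  ", stale_password_window(max_lifetime=0.0))
```

With the cache enabled the old password is still accepted a minute after the change and LDAP is only consulted twice; with the cache disabled, or with a zero lifetime, every attempt goes to the directory and the old password is rejected immediately, which is the trade-off the report describes between login performance and honouring a password change.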


Openfire + LDAP


Daryl Herzmann
November 18, 2016, 7:40 PM

No responses to my query last year, closing. Can reopen if somebody has a current reproducer.

Daryl Herzmann
October 22, 2015, 1:04 PM

Anybody on this ticket able to comment if this is still valid with current release (3.10.2)?

Stanislav Khoroshulya
August 22, 2013, 12:25 PM

Version 3.8.2: the "ldap.authCache.enabled" System Property doesn't help.

Tic Absis
March 25, 2013, 4:04 PM

I have the same problem. Any solution? Thank you.

Peter Johnson
February 18, 2013, 11:55 PM

I think the LDAP cache can be switched on or off via the "ldap.authCache.enabled" System Property. Does this help?