I think I've just found a bug in org.jivesoftware.openfire.ldap.LdapManager - the property ldap.readTimeout is documented at https://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ldap-gu ide.html as "The value of this property is the string representation of an integer representing the read timeout in milliseconds for LDAP operations."
Checking the code at http://fisheye.igniterealtime.org/browse/openfire/trunk/src/java/org/jivesoftwar e/openfire/ldap/LdapManager.java?r=13754 you can see this being applied to the JiveInitialLdapContext environment at line ~656 in the checkAuthentication() method.
However, it is not being applied at all to the getContext() method that starts at line 480.
This means that any LDAP operation that uses getContext() (most of them?) does not have a timeout specified - according to the LDAP Guide listed above, if "no read timeout is specified which is equivalent to waiting for the response infinitely until it is received".