StartTLS for LDAP queries
This patch adds TLS support for LDAP connections (RFC 2830) by using an LDAPv3-style extended operation (StartTLS).
There are a few drawbacks when using TLS instead of SSL:
- The JNDI LDAP connection pool must be disabled, since we cannot find out whether StartTLS has already been invoked on a pooled connection (InitialLdapContext could create a new connection or reuse an existing one). -> com.sun.jndi.ldap.connect.pool = false; see http://java.sun.com/products/jndi/tutorial/ldap/connect/pool.html for more information.
- Context.REFERRAL = "follow" is not supported; the JNDI provider creates a new connection to the referral target but does not invoke StartTLS on it. Therefore all traffic to referrals would be unencrypted. The user should disable ldap.autoFollowReferrals (otherwise a warning message will be logged).
- checkAuthentication(String, String) does a dummy lookup in order to (re-)bind with the correct login credentials after the TLS connection has been negotiated (which means additional traffic).
- You cannot use both SSL and TLS at the same time (which is obvious). If the user enables both options -> SSL will be preferred.
I am currently testing it with openfire 3.6.4 against Active Directory's LDAP service.
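The StartTLS sequence the patch description outlines, as an added example that is not part of the patch or of Openfire's code: the pool is switched off, referral following is turned off, the extended operation runs on an anonymous connection, and the bind is forced by a dummy root DSE read after negotiation. The URL, bind DN and password parameters are placeholders supplied by the caller.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

public class StartTlsExample {

    // Returns an LdapContext whose connection has been upgraded to TLS and bound as bindDn.
    // The caller owns the context and must close() it when done.
    public static LdapContext connect(String url, String bindDn, String password)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);               // plain ldap:// URL; TLS is layered on below
        // Drawback 1: the pool cannot tell an upgraded socket from a plain one, so with pooling on
        // a later context could silently reuse an unencrypted connection.
        env.put("com.sun.jndi.ldap.connect.pool", "false");
        // Drawback 2: "follow" would open a fresh connection to the referral target without StartTLS.
        env.put(Context.REFERRAL, "ignore");

        // Connect anonymously first: StartTLS must precede the bind, otherwise the
        // credentials would cross the wire in the clear.
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() uses the default SSLSocketFactory and checks the server hostname
            // against its certificate; a mismatch throws instead of continuing.
            tls.negotiate();
            // Drawback 3: re-bind over the now-encrypted connection. JNDI sends the bind
            // lazily, so a dummy read of the root DSE forces it and surfaces bad credentials here.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            ctx.getAttributes("");
            return ctx;
        } catch (NamingException | IOException e) {
            // Tear down the TLS layer and the connection so nothing half-upgraded is reused.
            if (tls != null) tls.close();
            ctx.close();
            throw e;
        }
    }
}
```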
Applied the patch with minor changes (to make use of Java generics, updated license header).