StartTLS for LDAP queries
This patch adds TLS support for LDAP connections (RFC 2830, StartTLS) by using an LDAPv3-style extended operation.

There are a few drawbacks when using TLS instead of SSL:

  • The JNDI LDAP connection pool must be disabled, since there is no way to find out whether StartTLS has already been invoked on a pooled connection (InitialLdapContext may either create a new connection or reuse an existing one). Therefore com.sun.jndi.ldap.connect.pool is set to false. See for more information.

  • Context.REFERRAL = "follow" is not supported: the JNDI provider creates a new connection to the referral target but does not invoke StartTLS on it, so all traffic to referrals would be unencrypted. The user should disable ldap.autoFollowReferrals (otherwise a warning is logged).

  • checkAuthentication(String, String) performs a dummy lookup in order to (re-)bind with the correct login credentials after the TLS connection has been negotiated, which means additional traffic.

  • SSL and TLS cannot be used at the same time (which is obvious). If the user enables both options, SSL is preferred.

I am currently testing it with openfire 3.6.4 against Active Directory's LDAP service.
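The following is an added illustration of the JNDI sequence the drawbacks above refer to; it is not the patch's own code and does not use Openfire's classes. The class name, the host name and the bind credentials in main() are assumptions. It disables the connection pool, refuses to follow referrals, opens the context anonymously, negotiates StartTLS through the extended operation, and only then applies the real credentials and forces the re-bind with a dummy read of the root DSE. When SSL (ldaps://) is requested as well, it takes precedence and StartTLS is skipped.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/** Hypothetical helper: opens an LDAP context, protects it with StartTLS (RFC 2830) and binds. */
public class LdapStartTlsConnection implements AutoCloseable {

    private final LdapContext ctx;
    private final StartTlsResponse tls; // null when LDAPS (SSL) is used instead of StartTLS

    public LdapStartTlsConnection(String host, int port, boolean useSsl, boolean useStartTls,
                                  String bindDn, String password)
            throws NamingException, IOException {
        // SSL and StartTLS are mutually exclusive; if both are requested, SSL wins.
        if (useSsl) {
            useStartTls = false;
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, (useSsl ? "ldaps://" : "ldap://") + host + ":" + port);

        if (useStartTls) {
            // The JNDI connection pool cannot be used: a pooled socket may be handed to a
            // context that never negotiated StartTLS, and there is no way to ask.
            env.put("com.sun.jndi.ldap.connect.pool", "false");
            // Referrals must not be followed: the provider opens a fresh connection to the
            // referral target without running StartTLS, so that traffic would be plaintext.
            env.put(Context.REFERRAL, "ignore");
            // Open anonymously; the credentials are only sent once the channel is encrypted.
            env.put(Context.SECURITY_AUTHENTICATION, "none");
        } else {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, bindDn);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }

        ctx = new InitialLdapContext(env, null);

        if (useStartTls) {
            // LDAPv3 extended operation (OID 1.3.6.1.4.1.1466.20037).
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // Uses the default SSLSocketFactory, which validates the server certificate chain
            // against the JVM trust store; the JNDI implementation also checks the host name.
            tls.negotiate();

            // Switch to the real credentials. JNDI applies them lazily, so a dummy read of
            // the root DSE is issued to force the re-bind now, over the TLS channel.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            ctx.getAttributes("", new String[] {"supportedLDAPVersion"});
        } else {
            tls = null;
        }
    }

    public LdapContext context() {
        return ctx;
    }

    /** Ends the TLS layer before closing the context, as RFC 2830 allows. */
    @Override
    public void close() throws NamingException, IOException {
        if (tls != null) {
            tls.close();
        }
        ctx.close();
    }

    public static void main(String[] args) throws Exception {
        // Assumed host name and credentials; replace with those of the directory under test.
        try (LdapStartTlsConnection conn = new LdapStartTlsConnection(
                "ldap.example.test", 389, false, true,
                "cn=openfire,ou=service,dc=example,dc=test", "change-me")) {
            Attributes a = conn.context().getAttributes("", new String[] {"supportedExtension"});
            System.out.println("Root DSE supportedExtension: " + a.get("supportedExtension"));
        }
    }
}
```

The order matters: SECURITY_PRINCIPAL and SECURITY_CREDENTIALS are deliberately absent from the environment passed to InitialLdapContext, because JNDI binds immediately on context creation and that bind would carry the password in the clear before negotiate() has run. The dummy getAttributes("") call is the extra round trip the third drawback above describes.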

Sebastian Wendel
October 11, 2015, 4:20 PM

Just added some notes to the corresponding community thread:

Feature was not fully integrated.

Guus der Kinderen
January 11, 2010, 12:02 AM

Applied patch with minor changes (to make use of java generics, updated license header).
