It appears that the latest change to the LDAP SSL pooling mechanism (disabling the custom socket) has created issues with authenticating users. The change was for a good cause (improving security and performance), so if possible it should be retained. But maybe there could be an option in the Admin Console to turn off strict certificate checking. Also, maybe this change should be reverted until such an option is introduced.
Submitted PR #244 for review. PR #244 restores the behavior that was used prior to OF-924, which allows SSL connections to LDAP servers presenting self-signed/expired/otherwise invalid SSL certificates. However, instead of using the custom SSL socket factory (SimpleSSLSocketFactory), which prevented the use of pooled SSL connections, this update calls XTrustProvider.java. A system property has been added called ldap.disableSslValidation. The default (not configured) is true. If set to false, a valid certificate must be used, or imported into the trust store, for SSL connections to LDAP.
Submitted PR #364 to replace PR #244 for review.
PR #364 restores the previous behavior and the use of the custom socket factory, while still allowing connection pooling to be enabled with SSL.
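The thread turns on one JNDI detail: the JDK's LDAP provider (com.sun.jndi.ldap) will pool connections made through a custom java.naming.ldap.factory.socket class only if that class also implements java.util.Comparator, which the pool invokes as compare(Object, Object) on factory instances to decide whether two factories are interchangeable; a plain custom SSLSocketFactory is otherwise silently excluded from the pool. The example below is written for this page and is not Openfire's SimpleSSLSocketFactory, XTrustProvider, or either PR. It shows a poolable LDAPS socket factory that validates certificates normally unless a system property switches validation off; the property name ldap.disableSslValidation is borrowed from the thread, but here it defaults to "false" (validation on), which is the opposite of the default described for PR #244, and the class and method names are the example's own.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.Comparator;
import java.util.Hashtable;

import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Example LDAPS socket factory that the JNDI LDAP provider is willing to pool.
 * Illustrative code written for this discussion; not Openfire's implementation.
 *
 * Implementing java.util.Comparator is what makes connections created through a
 * custom factory eligible for com.sun.jndi.ldap.connect.pool; the pool calls
 * compare(factoryA, factoryB) and treats a result of 0 as "same factory".
 */
public class PoolableLdapSslSocketFactory extends SSLSocketFactory
        implements Comparator<Object> {

    /** Hypothetical property name, borrowed from the thread; default here is secure. */
    private static final String DISABLE_VALIDATION_PROPERTY = "ldap.disableSslValidation";

    private final SSLSocketFactory delegate;

    public PoolableLdapSslSocketFactory() {
        this.delegate = buildDelegate();
    }

    /** JNDI locates the factory through a static getDefault() method. */
    public static SSLSocketFactory getDefault() {
        return new PoolableLdapSslSocketFactory();
    }

    private static SSLSocketFactory buildDelegate() {
        boolean trustAll = Boolean.parseBoolean(
                System.getProperty(DISABLE_VALIDATION_PROPERTY, "false"));
        if (!trustAll) {
            // Normal path: JSSE validates the server chain against the JVM trust store.
            return (SSLSocketFactory) SSLSocketFactory.getDefault();
        }
        try {
            // Opt-in insecure path: accepts self-signed, expired and otherwise
            // invalid chains. Anyone on the network path can then impersonate
            // the directory and harvest bind credentials, so keep this off.
            TrustManager[] trustEverything = { new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            } };
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, trustEverything, null);
            return ctx.getSocketFactory();
        } catch (NoSuchAlgorithmException | KeyManagementException e) {
            throw new IllegalStateException("Cannot build SSL context", e);
        }
    }

    /** Two instances of this class are interchangeable, so the pool may share them. */
    @Override
    public int compare(Object a, Object b) {
        return (a instanceof PoolableLdapSslSocketFactory
                && b instanceof PoolableLdapSslSocketFactory) ? 0 : -1;
    }

    // Everything below simply delegates to the real JSSE factory.
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose)
            throws IOException { return delegate.createSocket(s, host, port, autoClose); }
    @Override public Socket createSocket(String host, int port)
            throws IOException { return delegate.createSocket(host, port); }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
            throws IOException { return delegate.createSocket(host, port, localHost, localPort); }
    @Override public Socket createSocket(InetAddress host, int port)
            throws IOException { return delegate.createSocket(host, port); }
    @Override public Socket createSocket(InetAddress addr, int port, InetAddress localAddr, int localPort)
            throws IOException { return delegate.createSocket(addr, port, localAddr, localPort); }

    /** Opens a pooled LDAPS context using this factory (example usage). */
    public static DirContext connect(String ldapsUrl, String bindDn, String password)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        env.put("java.naming.provider.url", ldapsUrl);            // e.g. ldaps://ldap.example.test:636
        env.put("java.naming.security.authentication", "simple");
        env.put("java.naming.security.principal", bindDn);
        env.put("java.naming.security.credentials", password);
        env.put("java.naming.security.protocol", "ssl");
        env.put("java.naming.ldap.factory.socket", PoolableLdapSslSocketFactory.class.getName());
        env.put("com.sun.jndi.ldap.connect.pool", "true");
        env.put("com.sun.jndi.ldap.connect.pool.protocol", "plain ssl"); // pool SSL connections too
        return new InitialDirContext(env);
    }
}
```

Two things worth checking when adopting this pattern: com.sun.jndi.ldap.connect.pool.protocol defaults to "plain", so LDAPS connections are not pooled until "ssl" is added to it, and the pool matches factories by calling compare() on instances, so a factory whose trust behaviour depends on a runtime property must not let a trust-all instance be treated as equal to a validating one (here the property is read once per JVM, so all instances behave the same).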