#27073
LDAPAccessService: connection establishment using the host name instead of the IP address
When a directory context is created, the endpoint is taken from the configuration parameter "provider-url" (or its alias %LDAP_PROVIDER_URL%). This value ultimately populates the JNDI environment property javax.naming.Context.PROVIDER_URL ("java.naming.provider.url"), which the Java backend (javax.naming.directory.InitialDirContext) evaluates.
In practice, however, the configured value is not passed to the Java backend unchanged. Instead, the URL is parsed explicitly, the host name it contains is extracted, and the IP addresses for that host name are resolved. The host name in the URL is then replaced by the first resolved IP address, and the connection is established using that IP address. If the connection fails, the next resolved IP address is tried.
Problem
If LDAP Secure (LDAPS, port 636) is used, the server certificate is validated against the certificates held in the Java keystore. Those certificates are normally issued for the server's host name, not for its IP address. When the connection is established explicitly via the IP address, the presented host no longer matches any certificate, and no suitable certificate is found.
Solution
The connection should be established directly using the provider-url exactly as specified in the configuration, without rewriting the host name to an IP address.
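The following Java snippet is an added illustration of the mechanism described above and of the corrected behaviour; it is not code from the LDAPAccessService itself. `rewriteHostToIp` reproduces the defective host-to-IP substitution so the failure can be understood, and `environmentFor` shows the JNDI environment built the corrected way, with the configured provider-url passed through untouched. The class name, the helper names, the bind DN and the host `ldap.example.test` are placeholders chosen for this example.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapProviderUrlExample {

    // Defective behaviour (for illustration only): parse the configured URL,
    // resolve the host name and substitute the first IP address. Over ldaps://
    // the TLS layer then verifies the certificate against the IP literal, which
    // the server certificate normally does not carry, so the handshake fails.
    static String rewriteHostToIp(String providerUrl) throws UnknownHostException {
        URI uri = URI.create(providerUrl);
        InetAddress[] addrs = InetAddress.getAllByName(uri.getHost());
        String ip = addrs[0].getHostAddress();
        if (addrs[0] instanceof Inet6Address) {
            ip = "[" + ip + "]"; // IPv6 literals must be bracketed inside a URL
        }
        String port = uri.getPort() == -1 ? "" : ":" + uri.getPort();
        return uri.getScheme() + "://" + ip + port + uri.getRawPath();
    }

    // Corrected behaviour: hand the configured provider-url to JNDI unchanged.
    // Hostname verification then compares the certificate with the configured
    // host name, which is what the keystore entries were issued for.
    static Hashtable<String, Object> environmentFor(String providerUrl,
                                                    String bindDn,
                                                    String password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl); // "java.naming.provider.url"
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    public static void main(String[] args) {
        // Placeholder values; replace with the real configuration for a test.
        String providerUrl = "ldaps://ldap.example.test:636";
        String bindDn = "cn=reader,dc=example,dc=test";
        String password = "change-me";

        try {
            System.out.println("defective URL would be: " + rewriteHostToIp(providerUrl));
        } catch (UnknownHostException e) {
            System.out.println("host name does not resolve: " + e.getMessage());
        }

        Hashtable<String, Object> env = environmentFor(providerUrl, bindDn, password);
        try {
            DirContext ctx = new InitialDirContext(env);
            System.out.println("connected to " + providerUrl);
            ctx.close();
        } catch (NamingException e) {
            // A certificate/hostname mismatch surfaces here as a CommunicationException
            // wrapping an SSLHandshakeException.
            System.out.println("connection failed: " + e);
        }
    }
}
```

Note that since JDK 8u181 the JNDI LDAP provider performs endpoint identification on LDAPS connections by default, so the host part of the provider-url is exactly what the server certificate is checked against. An IP literal in the URL only passes that check if the certificate carries a matching IP address subject alternative name, which is why passing the configured host name through unchanged is the robust fix.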
Test
Demo deployment with an LDAP connection: user accounts are imported correctly and login is possible.