A bug was introduced in JNDI that affects Java versions 9+, 10, and 11. The bug will manifest as a NullPointerException when LDAPS is used, but it affects all JNDI connections. In particular, all functions that perform bind operations will orphan an open connection and eventually exhaust resources and take down the system. Until JNDI is fixed, the following instructions can be used to work around the bug:

  • Add -Dorg.ldaptive.provider=org.ldaptive.provider.unboundid.UnboundIDProvider as a runtime switch to Java.
    • For example, on Jetty, it can be added to start.ini or another ini file loaded from the start.d directory.
    • On Windows, if you are running procrun (which includes the Jetty software installed by the Shibboleth Windows Installer), you set this via the "Java Options" table of the "Java" tab of the "Commons Daemon Service Manager" (C:\Program Files (x86)\Shibboleth\ProcRun\shibd_idpw.exe for a Shibboleth Windows installation, and tomcatw.exe for a Tomcat installation).

  • Add the ldaptive-unboundid-1.0.13.jar and unboundid-ldapsdk-4.0.9.jar libraries to your classpath.
    • Typically this is done by adding them to the edit-webapp directory and rebuilding your WAR file via bin/build.sh or bin/build.bat.
  • Ensure you have no JNDI-specific properties set in your LDAPConnector or JAASAuthnConfiguration files. JNDI properties typically would have "jndi" in the property name. Where necessary, they can usually be converted to generic settings, but feel free to ask if you can't find the documented equivalents.

This configuration should then use the UnboundID library for all LDAP operations. You can log at DEBUG level, observe the connection handling in the log, and verify this.
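To confirm on a host that all three steps above are in place, the following added example (not Shibboleth's own tooling) checks for the runtime switch, the two jars, and any leftover settings with "jndi" in their text. The function names, the directory arguments, and the constructed demo tree are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: audits the three workaround steps. All paths are supplied by the caller.
PROVIDER_OPT='-Dorg.ldaptive.provider=org.ldaptive.provider.unboundid.UnboundIDProvider'
REQUIRED_JARS='ldaptive-unboundid-1.0.13.jar unboundid-ldapsdk-4.0.9.jar'

# Step 1: succeed if the switch appears on an uncommented line of any given ini file.
has_provider_switch() {
    grep -hv '^[[:space:]]*#' "$@" 2>/dev/null | grep -qF -- "$PROVIDER_OPT"
}

# Step 2: print each required jar that is absent from the given library directory.
missing_jars() {
    local jar
    for jar in $REQUIRED_JARS; do
        [ -f "$1/$jar" ] || echo "$jar"
    done
}

# Step 3: print file:line:text for uncommented lines mentioning "jndi" (any case).
jndi_properties() {
    grep -inH 'jndi' "$@" 2>/dev/null | grep -Ev '^[^:]*:[0-9]+:[[:space:]]*(#|<!--)'
}

# Run all three checks; the return status is the number of failed steps (0 = clean).
# usage: audit_ldap_workaround INI_DIR LIB_DIR CONFIG_FILE...
audit_ldap_workaround() {
    local ini_dir=$1 lib_dir=$2 failed=0 out
    shift 2
    has_provider_switch "$ini_dir"/*.ini || { echo "FAIL: switch missing in $ini_dir"; failed=$((failed + 1)); }
    out=$(missing_jars "$lib_dir")
    [ -z "$out" ] || { echo "FAIL: jars missing from $lib_dir: $out"; failed=$((failed + 1)); }
    out=$(jndi_properties "$@") && { echo "FAIL: JNDI-specific settings remain:"; echo "$out"; failed=$((failed + 1)); }
    return "$failed"
}

# Constructed demo tree (not a real deployment): switch and jars present, one stale JNDI property.
demo() {
    local d rc=0; d=$(mktemp -d) || return 99
    mkdir -p "$d/start.d" "$d/lib"
    printf '%s\n' '# JVM options' "$PROVIDER_OPT" > "$d/start.d/idp.ini"
    touch "$d/lib/ldaptive-unboundid-1.0.13.jar" "$d/lib/unboundid-ldapsdk-4.0.9.jar"
    printf '%s\n' 'com.sun.jndi.ldap.connect.timeout="3000"' > "$d/jaas.config"
    audit_ldap_workaround "$d/start.d" "$d/lib" "$d/jaas.config" || rc=$?
    rm -rf "$d"; return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

A non-zero status from `audit_ldap_workaround` means at least one step is incomplete and the JVM may still be using JNDI for LDAP operations.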

As a result of this bug, V4 has been updated to rely on an alternate LDAP client library by default. Essentially, the approach documented for V3 is applied by default unless the idp.ldaptive.provider property is explicitly overridden.

References

JDK Bug Report