A bug was introduced in JNDI that affects all Java versions above 8. The bug will manifest as a NullPointerException
when LDAPS is used, but it affects all JNDI connections. In particular, all functions that perform bind operations will orphan an open connection.
Another bug was introduced more recently in a subset of Java 8 versions that in some cases may be the latest versions available on particular platforms, and this bug is completely fatal to all TLS usage because it causes hostname verification failures.
Unless JNDI is fixed the following instructions can be used to work around the bug.
<BinaryAttributes>
element within the LDAPConnector.Then follow one of the two sections below, as appropriate.
This configuration should then use the UnboundID library for all LDAP operations. You can log on DEBUG and observe the connection handling in the log and verify this.
We now include, and will maintain, the necessary jars in the distribution and have embedded a new property that can be set via ldap.properties (or any other property file loaded):
idp.ldaptive.provider=org.ldaptive.provider.unboundid.UnboundIDProvider
On Windows if you are running procrun (includes the Jetty software installed by the Shibboleth Windows Installer), you set this via the "Java Options" table of the "Java" tab of the "Commons Daemon Service Manager" (C:\Program Files (x86)\Shibboleth\ProcRun\shibd_idpw.exe for a Shibboleth Windows installation, and tomcatw.exe for a Tomcat installation).
https://bugs.openjdk.java.net/browse/JDK-8217606
https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-October/012887.html