how to accept self-signed certificates for JNDI/LDAP connections?

Tags: , , , ,

I need to connect to an LDAP directory over SSL.

In non-production environments, we use self-signed certificates which, of course, fails to validate with:

javax.naming.CommunicationException: simple bind failed: ldapserver:636 [Root exception is PKIX path building failed: unable to find valid certification path to requested target]
 at com.sun.jndi.ldap.LdapClient.authenticate(
 at com.sun.jndi.ldap.LdapCtx.connect(
 at com.sun.jndi.ldap.LdapCtx.<init>(
 at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(
 at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(
 at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(
 at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(
 at javax.naming.spi.NamingManager.getInitialContext(
 at javax.naming.InitialContext.getDefaultInitCtx(
 at javax.naming.InitialContext.init(
 at javax.naming.ldap.InitialLdapContext.<init>(

I am aware of how to use a custom trust manager for SSL-enabled connections, but don’t know how to use one in connection with the JNDI API where I don’t manage the actual connection. That is, where is the following standard setup will I be able to plug the trust manager?

Thanks in advance.

Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldaps://ldapserver:636");
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "myUser");
env.put(Context.SECURITY_CREDENTIALS, "myPassword");
LdapContext ctx = new InitialLdapContext(env, null); (...)


According to the JNDI documentation it seems possible to set a custom SSLSocketFactory

public class MySSLSocketFactory extends SocketFactory {
    private static final AtomicReference<MySSLSocketFactory> defaultFactory = new AtomicReference<>();

    private SSLSocketFactory sf;

    public MySSLSocketFactory() {
        KeyStore keyStore = ... /* Get a keystore containing the self-signed certificate) */
        TrustManagerFactory tmf = TrustManagerFactory.getInstance();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        sf = ctx.getSocketFactory();

    public static SocketFactory getDefault() {
        final MySSLSocketFactory value = defaultFactory.get();
        if (value == null) {
            defaultFactory.compareAndSet(null, new MySSLSocketFactory());
            return defaultFactory.get();
        return value;

    public Socket createSocket(final String s, final int i) throws IOException {
        return sf.createSocket(s, i);

    public Socket createSocket(final String s, final int i, final InetAddress inetAddress, final int i1) throws IOException {
        return sf.createSocket(s, i, inetAddress, i1);

    public Socket createSocket(final InetAddress inetAddress, final int i) throws IOException {
        return sf.createSocket(inetAddress, i);

    public Socket createSocket(final InetAddress inetAddress, final int i, final InetAddress inetAddress1, final int i1) throws IOException {
        return sf.createSocket(inetAddress, i, inetAddress1, i1);

Configure the environment to use this socket factory

env.put("java.naming.ldap.factory.socket", "com.example.MySSLSocketFactory");

Source: stackoverflow