Use system default truststore to validate ldap connection certificate

src/main/java/com/evolveum/polygon/connector/ldap/AbstractLdapConfiguration.java

@@ -76,7 +76,14 @@ public abstract class AbstractLdapConfiguration extends AbstractConfiguration {
      * E.g. SSL, SSLv2, SSLv3, TLS, TLSv1, TLSv1.1, TLSv1.2
      */
     private String sslProtocol = null;
-    
+
+	/**
+	 * Whether connector skips certificate validity check against its default truststore (e.g. Java cacerts)
+	 * When set to false, connector checks server certificate validity in SSL/TLS mode (recommended).
+	 * When set to true, connector does not check server certificate validity. Do not use this option in the production.
+	 */
+	private boolean allowUntrustedSsl = false;
+
     /**
      * Set of security protocols that are acceptable for protocol negotiation.
      * This name is used to set up SSLEngine.
@@ -752,6 +759,15 @@ public abstract class AbstractLdapConfiguration extends AbstractConfiguration {
 		this.additionalSearchFilter = additionalSearchFilter;
 	}
 
+	@ConfigurationProperty(order = 43)
+	public boolean isAllowUntrustedSsl() {
+		return allowUntrustedSsl;
+	}
+
+	public void setAllowUntrustedSsl(boolean allowUntrustedSsl) {
+		this.allowUntrustedSsl = allowUntrustedSsl;
+	}
+
 	@Override
     public void validate() {
     	validateNotBlank(host, "host.blank");

src/main/java/com/evolveum/polygon/connector/ldap/ConnectionManager.java

@@ -17,6 +17,9 @@ package com.evolveum.polygon.connector.ldap;
 
 import java.io.Closeable;
 import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Iterator;
@@ -40,6 +43,7 @@ import org.apache.directory.api.ldap.model.url.LdapUrl;
 import org.apache.directory.api.ldap.schema.manager.impl.DefaultSchemaManager;
 import org.apache.directory.ldap.client.api.LdapConnectionConfig;
 import org.apache.directory.ldap.client.api.LdapNetworkConnection;
+import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
 import org.identityconnectors.common.logging.Log;
 import org.identityconnectors.common.security.GuardedString;
 import org.identityconnectors.framework.common.exceptions.ConfigurationException;
@@ -51,6 +55,9 @@ import com.evolveum.polygon.common.GuardedStringAccessor;
 import com.evolveum.polygon.connector.ldap.ServerDefinition.Origin;
 import com.evolveum.polygon.connector.ldap.schema.AbstractSchemaTranslator;
 
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+
 /**
  * @author Radovan Semancik
  *
@@ -365,8 +372,10 @@ public class ConnectionManager<C extends AbstractLdapConfiguration> implements C
     		// Nothing to do
     	} else if (LdapConfiguration.CONNECTION_SECURITY_SSL.equals(connectionSecurity)) {
     		connectionConfig.setUseSsl(true);
+    		connectionConfig.setTrustManagers(createTrustManager());
     	} else if (LdapConfiguration.CONNECTION_SECURITY_STARTTLS.equals(connectionSecurity)) {
     		connectionConfig.setUseTls(true);
+			connectionConfig.setTrustManagers(createTrustManager());
     	} else {
     		throw new ConfigurationException("Unknown value for connectionSecurity: "+connectionSecurity);
     	}
@@ -419,7 +428,23 @@ public class ConnectionManager<C extends AbstractLdapConfiguration> implements C
 		}
 		server.setConnection(connection);
     }
-	
+
+    private TrustManager[] createTrustManager() {
+		if (configuration.isAllowUntrustedSsl()) {
+			return new TrustManager[]{new NoVerificationTrustManager()}; // this is apache ldap default
+		}
+
+		String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
+		try {
+			TrustManagerFactory tmf = TrustManagerFactory.getInstance(defaultAlgorithm);
+			tmf.init((KeyStore) null); // load system default keystore (e.g. JDK cacerts)
+			return tmf.getTrustManagers();
+		} catch (NoSuchAlgorithmException | KeyStoreException e) {
+			LOG.error("Error creating trust manager: {0}", e);
+		}
+		throw new ConnectionFailedException("Unable to create trust manager.");
+	}
+
 	private LdapNetworkConnection connectConnection(LdapConnectionConfig connectionConfig, String userDn) {
 		LOG.ok("Creating connection object");
 		LdapNetworkConnection connection = new LdapNetworkConnection(connectionConfig);

src/main/resources/com/evolveum/polygon/connector/ldap/Messages.properties

@@ -34,6 +34,9 @@ enabledSecurityProtocols.help=Set of security protocols that are acceptable for
 enabledCipherSuites.display=Enabled cipher suites
 enabledCipherSuites.help=
 
+allowUntrustedSsl.display=Allow untrusted SSL/TLS
+allowUntrustedSsl.help=If set to false (which is default and recommended), connector checks server certificate validity in SSL/TLS mode against system default truststore (e.g. Java cacerts). If set to true, connector does not check server certificate validity - do not use this option in the production environment.
+
 authenticationType.display=Authentication type
 authenticationType.help=The authentication mechanism to use. Values: "simple", "SASL-GSSAPI"