From 8effe31fdf65eddeb78f4835f8374144302e5b02 Mon Sep 17 00:00:00 2001
From: Hynek Mlnarik
Date: Wed, 13 Sep 2023 17:29:11 +0200
Subject: [PATCH] Fix ldap:// with STARTTLS

Closes: #21935
---
 .../storage/ldap/idm/store/ldap/LDAPContextManager.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPContextManager.java b/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPContextManager.java
index 50c37fb275..6304529e59 100644
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPContextManager.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPContextManager.java
@@ -192,7 +192,7 @@ public final class LDAPContextManager implements AutoCloseable {
 // when using Start TLS, use default socket factory for LDAP client but pass the TrustStore SSL socket factory later
 // when calling StartTlsResponse.negotiate(trustStoreSSLSocketFactory)
- if (LDAPUtil.shouldUseTruststoreSpi(ldapConfig)) {
+ if (!ldapConfig.isStartTls() && LDAPUtil.shouldUseTruststoreSpi(ldapConfig)) {
 env.put("java.naming.ldap.factory.socket", "org.keycloak.truststore.SSLSocketFactory");
 }