KEYCLOAK-2505 docs

docbook/auth-server-docs/reference/en/en-US/modules/user-federation.xml

@@ -135,6 +135,23 @@
                 </variablelist>
             </para>
         </section>
+        <section>
+            <title>Connect to LDAP over SSL</title>
+            <para>
+                When you configure secured connection URL to LDAP (for example <literal>ldaps://myhost.com:636</literal> ) the Keycloak will
+                use SSL for the communication with LDAP server. The important thing is to properly configure truststore on the Keycloak server side,
+                because SSL won't work if Keycloak can't trust the SSL connection with LDAP (Keycloak acts as the <literal>client</literal> here, when LDAP acts as server).
+            </para>
+            <para>
+                The global truststore for the Keycloak can be configured with Truststore SPI in the <literal>keycloak-server.json</literal> file and it's described in the details <link linkend="truststore">here</link>.
+                If you don't configure truststore SPI, the truststore will fallback to the default mechanism provided by Java (either the file provided by system property <literal>javax.net.ssl.trustStore</literal> or finally
+                the cacerts file from JDK if even the system property is not set).
+            </para>
+            <para>There is configuration property <literal>Use Truststore SPI</literal> in the LDAP federation provider configuration, where you can choose
+                whether Truststore SPI is used. By default, the value is <literal>ldaps only</literal>, which is fine for most of deployments, because attempt
+                to use Truststore SPI is done just if connection to LDAP starts with <literal>ldaps</literal> .
+            </para>
+        </section>
     </section>
     <section>
         <title>Sync of LDAP users to Keycloak</title>