- Bug
- Resolution: Unresolved
- Blocker
- 7.75.0.Final
The debug log statement below logs the password, risking password exposure.
~~~
private LdapContext buildLdapContext() throws NamingException {
    config.putIfAbsent(Context.INITIAL_CONTEXT_FACTORY, DEFAULT_INITIAL_CONTEXT_FACTORY);
    config.putIfAbsent(Context.SECURITY_AUTHENTICATION, DEFAULT_SECURITY_AUTHENTICATION);
    String protocol = config.getProperty(Context.SECURITY_PROTOCOL);
    config.putIfAbsent(Context.PROVIDER_URL, createDefaultProviderUrl(protocol));
    if (log.isDebugEnabled()) {
        log.debug("Using following InitialLdapContext properties:");
        log.debug("Initial Context Factory: {}", config.getProperty(Context.INITIAL_CONTEXT_FACTORY));
        log.debug("Authentication Type: {}", config.getProperty(Context.SECURITY_AUTHENTICATION));
        log.debug("Protocol: {}", config.getProperty(Context.SECURITY_PROTOCOL));
        log.debug("Provider URL: {}", config.getProperty(Context.PROVIDER_URL));
        log.debug("User DN: {}", config.getProperty(Context.SECURITY_PRINCIPAL));
        log.debug("Password: {}", config.getProperty(Context.SECURITY_CREDENTIALS));
    }
    return new InitialLdapContext(config, null);
}
~~~
It's highlighted as a security concern.
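One way to keep the diagnostic value of that debug output without writing the bind password to the log, shown as an added example that is not the project's code or its eventual fix. The class name `LdapConfigRedaction`, the helper `redactedView`, the list of sensitive key fragments and the sample values are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import javax.naming.Context;

// Added example (hypothetical helper): build a log-safe view of the LDAP
// context properties so the secret never reaches the logger at any level.
public class LdapConfigRedaction {

    // Fixed-length mask, so the log does not reveal the password length.
    private static final String MASK = "********";

    // Assumption: a key containing one of these fragments carries a secret.
    // Context.SECURITY_CREDENTIALS ("java.naming.security.credentials") matches.
    private static final String[] SENSITIVE_FRAGMENTS = {"credentials", "password", "secret"};

    static boolean isSensitive(String key) {
        String lower = key.toLowerCase(Locale.ROOT);
        for (String fragment : SENSITIVE_FRAGMENTS) {
            if (lower.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    // Returns a sorted copy of the string properties with sensitive values masked.
    // Non-string values (for example a char[] credential) are skipped entirely,
    // because stringPropertyNames() only reports String-to-String entries.
    static Map<String, String> redactedView(Properties config) {
        Map<String, String> view = new TreeMap<>();
        for (String key : config.stringPropertyNames()) {
            String value = config.getProperty(key);
            if (isSensitive(key)) {
                value = value.isEmpty() ? "<empty>" : MASK;
            }
            view.put(key, value);
        }
        return view;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real deployment.
        Properties config = new Properties();
        config.setProperty(Context.PROVIDER_URL, "ldaps://ldap.example.test:636");
        config.setProperty(Context.SECURITY_PRINCIPAL, "uid=svc,ou=people,dc=example,dc=test");
        config.setProperty(Context.SECURITY_CREDENTIALS, "constructed-sample-password");
        redactedView(config).forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```

Logging whether a credential is set, rather than its value, is usually enough to debug a failed bind. Any password already written to existing debug logs should be treated as exposed and rotated.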