TLS support in LDAP plugin

Anonymous avatarAnonymous created an issue

Hi, after successful configuration of LDAP access, we are wondering if it is possible to have an option to let SCM-Manager communicate with LDAP server through TLS. This came up as we don't support LDAPS.

Maybe you guys are already planning to support this in the next release, or it can be already configured in release 1.16.

Thanks a lot for this awesome git-tool.

Best regards Mike

Comments (10)

  1. Sebastian Sdorra

    I've created a test version of the ldap plugin. Could you please test this version:

    Install test version:

    • Login in as administrator
    • Open Config->General
    • Change "Plugin Repository" parameter snapshot from false to true
    • Open Plugins
    • Install version 1.14-SNAPSHOT of scm-auth-ldap-plugin
    • Restart your applicationserver
    • Enable "Use StartTLS" in Config->General->LDAP Authentication
  2. Mike Zhao

    Test failed, Output from test and exception stack trace can be found in the attached file.

    Test successful without enabling that TLS option.

    I'm not sure if it is the problem of the plugin, or our scm-client(against our LDAP) needs a server certificate. Our IT confirmed that the server is so configured, that it does not require the client provide a certificate.

    What about the file ".cipherkey" in config directory?

    Thanks for the fast feedback.

  3. Sebastian Sdorra

    The .cipherkey file is not for ssl or tls connections. The exception in the log files means, that the jvm do not trust your ca. The error occurs mostly with self signed certificates. You can walk around this problem by adding your ca certificate to the jvm truststore:

    • Create a new keystore and import your ca certificate:
    keytool -import -alias root -file myca.der -keystore keystore.jks
    
    • Add the new keystore as truststore to scm-manager. Edit the scm-server file and search for the following line:
    EXTRA_JVM_ARGUMENTS="-Dlogback.configurationFile=logging.xml"
    

    And replace it with:

    EXTRA_JVM_ARGUMENTS="-Dlogback.configurationFile=logging.xml -Djavax.net.ssl.trustStore=/path/to/truststore -Djavax.net.ssl.trustStorePassword=truststorepassword"
    
  4. Mike Zhao

    It WORKS! Thanks a lot. We added additional JAVA_OPTS in tomcat/catalina.sh.

    But somehow SCM cannot call Jenkins through HTTPS, although we also imported the Jenkins-Server-Certificate in that same trust store.

    Anyway, we'll try again and search solutions first, since there might be some out there. Otherwise we'll shout out for help again.

  5. Mike Zhao

    Hi Sebastian, thanks for the new release. One more problem we have found out is that, the authentication doesn't work any more if we enable the "TLS"-option: everyone can login even with wrong password, as long as that user account exists in LDAP. If we disable "TLS"-option, it works as desired.

    It would be very nice of you to check this behaviour. Thanks a lot.

  6. Mike Zhao

    Our IT confirmed that after the first BIND operation with configured LDAP-Admin user, no further binding was made using the user that was trying to login - therefore each login is considered to be the configured LDAP-Admin user.

  7. Log in to comment
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.