Add the choice of whether to perform certificate verification when connecting to ldaps:// #86
Can you write some form of test for this?
src/main/java/jenkins/security/plugins/ldap/LDAPConfiguration.java
8ff9c84 to b43306f
…nnect to ldaps://
b43306f to d5a64d8
Please avoid force pushing in the future if possible. It makes reviewing harder as I can't see what has changed since I last reviewed.
src/main/java/jenkins/security/plugins/ldap/LDAPConfiguration.java
6c67b86 to e98596f
It would also be nice to add some information to the readme about enabling ldaps://; currently even using Google returns 0 results about how to configure it in Jenkins.
It's bad security practice to opt out of certificate validation by default, as it opens the way to man-in-the-middle attacks. Please leave it on, and allow users to opt out if needed.
I have modified the default case so that it verifies the certificate. Thank you for your advice.
I would say this is not something that should be added.
FWIW: you can have a common root cert for these servers and then you can just import that root cert, not all of the certs. |
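The alternative the reviewers point to, trusting one organisation root CA instead of either importing every server certificate or switching verification off, looks like this in plain JNDI. This is an added example, not code from the ldap-plugin or from this PR: it addresses the PKIX path building failure quoted in the PR description by wiring a truststore that holds only the root CA into the LDAPS connection through the `java.naming.ldap.factory.socket` property, which the JDK's LDAP provider honours by calling the named class's static `getDefault()`. The truststore path, its password and the server URL are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not part of the ldap-plugin): an SSLSocketFactory that trusts
 * only the certificates in one truststore, typically a single corporate root CA,
 * so every LDAPS server signed by that root verifies without importing each
 * server certificate and without disabling validation.
 */
public class LdapsWithPinnedRoot extends SSLSocketFactory {
    // Assumed locations and secret; in a real deployment take these from config.
    private static final String TRUSTSTORE = "/etc/jenkins/ldap-root-ca.jks";
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    private final SSLSocketFactory delegate;

    public LdapsWithPinnedRoot() throws GeneralSecurityException, IOException {
        // Load a truststore that contains ONLY the root CA certificate.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(TRUSTSTORE)) {
            ts.load(in, TRUSTSTORE_PASSWORD);
        }
        // Build a normal PKIX trust manager over that store: chains are still
        // validated (signature, validity period, path), just against our root.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    // JNDI's LDAP provider instantiates the factory through this static method.
    public static SocketFactory getDefault() {
        try {
            return new LdapsWithPinnedRoot();
        } catch (GeneralSecurityException | IOException e) {
            throw new IllegalStateException("cannot load LDAPS truststore", e);
        }
    }

    // Every overload delegates to the pinned-root factory.
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return delegate.createSocket(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose)
            throws IOException { return delegate.createSocket(s, host, port, autoClose); }
    @Override public Socket createSocket(String host, int port)
            throws IOException { return delegate.createSocket(host, port); }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
            throws IOException { return delegate.createSocket(host, port, localHost, localPort); }
    @Override public Socket createSocket(InetAddress host, int port)
            throws IOException { return delegate.createSocket(host, port); }
    @Override public Socket createSocket(InetAddress addr, int port, InetAddress localAddr, int localPort)
            throws IOException { return delegate.createSocket(addr, port, localAddr, localPort); }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.com:636"); // assumed server
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        // Route the TLS handshake through the pinned-root factory above.
        env.put("java.naming.ldap.factory.socket", LdapsWithPinnedRoot.class.getName());

        // A server whose chain does not lead to our root fails here with the same
        // "PKIX path building failed" root cause quoted in the PR description,
        // which is the behaviour we want instead of a silent trust-all.
        DirContext ctx = new InitialDirContext(env);
        System.out.println("LDAPS handshake verified against the pinned root CA");
        ctx.close();
    }
}
```

The truststore is built once with `keytool -importcert -noprompt -alias corp-root -file root-ca.pem -keystore /etc/jenkins/ldap-root-ca.jks -storepass changeit`; adding a new LDAP server then needs no change as long as its certificate chains to that root. Hostname checking is not done by this class itself; it relies on the JDK's endpoint identification for LDAPS, which is enabled by default since 8u181, so keep `com.sun.jndi.ldap.object.disableEndpointIdentification` unset. A trust-all `X509TrustManager` in place of `tmf.getTrustManagers()` is exactly the opt-out the reviewers asked not to make the default.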
When connecting to an LDAP server over SSL/TLS (LDAPS) with a self-signed certificate, the Jenkins server cannot connect to the LDAP server.
The error log shows that [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target].
If we can get the cert from the LDAP server, we can import it into the trusted cacerts on the Jenkins server, and the error above is resolved. But if there are multiple servers, this is a bit troublesome.
Another way is to skip certificate validation.
Add the choice "SSL Verify" in the LDAP configuration for users to choose: