• Type: Improvement
    • Resolution: Unresolved
    • Priority: Major
    • Component: ldap-plugin
    • Labels: None

      The Jenkins LDAP-Plugin doesn't support the LDAP StartTLS extension that we would need to access our LDAP server. See also this discussion on the mailing list: http://jenkins.361315.n4.nabble.com/StartTLS-td372639.html

      I have investigated a bit to check what would be needed to support that feature, and it seems that the version of acegi-security that Jenkins uses is too old. Spring-ldap supports StartTls since version 1.3.0 (which is part of Spring 3.0).

      I have also voted for JENKINS-5303 to upgrade acegi-security.

          [JENKINS-14520] LDAP Plugin should support StartTLS extension

          Lukasz Zalewski added a comment -

          In the meantime, are there any workarounds available?

          quanah gibson-mount added a comment -

          Given it's been three years, it doesn't seem like this is a high priority for the project.

          I would note a few things:

          StartTLS is the LDAPv3 RFC-defined method for secure LDAP connections. LDAPS is not part of an RFC, but was a temporary hack developed for LDAPv2. It would be very helpful if this issue was fixed, so that Jenkins was RFC compliant in connecting with modern LDAPv3 LDAP servers.
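To make concrete what the plugin is missing, here is an added example (not code from the issue, the plugin or the PR) of a StartTLS bind in plain Java using the JDK's JNDI LDAP provider, which is the same extended operation that Spring LDAP's StartTLS support builds on; the server URL, bind DN and environment variable are placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/** StartTLS bind over a plain ldap:// URL using only the JDK's JNDI LDAP provider. */
public class StartTlsBind {

    /**
     * Connects to the LDAP port in the clear, upgrades the socket with the
     * StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037), and only then
     * sends the simple bind, so the DN and password never cross the wire unencrypted.
     */
    public static LdapContext bindWithStartTls(String url, String bindDn, String password)
            throws NamingException, java.io.IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // ldap://host:389, not ldaps://
        // Deliberately no credentials yet: the initial context is anonymous and
        // the credentials are only added after TLS has been established below.

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        // negotiate() runs the TLS handshake with the default SSLSocketFactory, so the
        // server certificate is checked against the JVM trust store and the host name
        // in the URL; a failure throws instead of silently continuing in the clear.
        tls.negotiate();

        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        // The bind is sent lazily on the next operation; force it now so that bad
        // credentials fail here rather than on the first search.
        ctx.reconnect(null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values (not from the issue): replace with your own server and DN.
        LdapContext ctx = bindWithStartTls("ldap://ldap.example.test:389",
                "cn=jenkins,ou=services,dc=example,dc=test", System.getenv("LDAP_BIND_PW"));
        System.out.println("StartTLS bind succeeded; searches now run over the TLS session.");
        ctx.close();
    }
}
```

The ordering is the whole point: with LDAPS the TLS handshake precedes the LDAP session, whereas with StartTLS the session starts in the clear on the standard port and must be upgraded before any bind carries credentials.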

          Brendan Holmes added a comment -

          +1. Anyone who's installed OpenLDAP securely in the last few years will be using StartTLS and not LDAPS. Reluctant to use our directory with Jenkins while it's all in clear text. Any time-frame for this?

          Frederic Van Espen added a comment -

          +1, we are now using LDAPS as a workaround. Jenkins is the only application left in our domain that cannot use STARTTLS. Would be great to see it supporting the RFC.

          Bengt Fahlgren added a comment -

          We also need StartTLS compatibility.

          Colin Silcock added a comment -

          +1, would like this.

          Chung Ley added a comment -

          +1, would like this as well!

          Michael Sjölund added a comment -

          +1, would like this as well.

          Mohammad ALBanna added a comment -

          I've implemented StartTLS support inside the Jenkins LDAP plugin on top of acegi-security; we had only a StartTLS LDAP connection to work with internally.

          I am beautifying the code and making it readable (I was in a hurry when I first wrote this). When I added it, the LDAP plugin was on release 1.20; I am adding it on top of release 1.24. I will create a branch for my fork and add it there, but it might not be the nicest code you have looked at.

          Jason Kulatunga added a comment -

          I've opened a PR that adds STARTTLS support to the LDAP Plugin - https://github.com/jenkinsci/ldap-plugin/pull/97

          It's confirmed working in our environment, but I could use some help from developers who are familiar with Jenkins/Spring/Java to confirm that I didn't miss anything.

          I'm fairly certain my PR breaks LDAPS support, but I have no way to confirm that.

            Assignee: Unassigned
            Reporter: Joachim Mairböck (jmairboeck)
            Votes: 18
            Watchers: 22
