
[JENKINS-73825] [ldap plugin] ldap allows insecure configurations

    • Type: Task
    • Resolution: Fixed
    • Priority: Minor
    • Component: ldap-plugin

      Description

      1. Go to Manage Jenkins > Security > Security Realm and select LDAP.
      2. Use an LDAPS server (e.g. ldaps://ldap.forumsys.com).
        • The URL is accepted (it might throw an exception when connecting, but that is out of the scope of this ticket) → EXPECTED
      3. Use an LDAP server instead (e.g. ldap.forumsys.com:389).
        • There is no error message and the configuration can be saved although it is not secure → UNEXPECTED
      4. Click on Advanced Server Configuration.
        • Set a Manager Password shorter than 14 characters.
          • There is no error message and the configuration can be saved although the password is not FIPS compliant → UNEXPECTED
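The validation the ticket asks for, as an added example written for this page and not the ldap-plugin's own code. It assumes the two rules the steps above imply: in FIPS mode every server entry must use the ldaps:// scheme and the manager password must be at least 14 characters long, while outside FIPS mode the same input is accepted unchanged.

```python
"""Config validator mirroring JENKINS-73825 (added example, not ldap-plugin code).

Assumed rules, taken from the ticket: in FIPS mode each server entry must be
ldaps:// and the manager password must have >= 14 characters.  Outside FIPS
mode the current (permissive) behaviour is kept.
"""
from urllib.parse import urlsplit

FIPS_MIN_PASSWORD_LEN = 14  # from the ticket: "shorter than 14 characters"


def parse_server(entry: str):
    """Return (scheme, host, port) for one server entry.

    The plugin accepts bare 'host' or 'host:port' as well as ldap:// and
    ldaps:// URLs.  A bare entry carries no scheme, so it is treated as plain
    ldap (no TLS); that is exactly the case the ticket flags as UNEXPECTED.
    """
    if "://" not in entry:
        entry = "ldap://" + entry
    u = urlsplit(entry)
    if u.scheme not in ("ldap", "ldaps") or not u.hostname:
        raise ValueError(f"unparseable server entry: {entry!r}")
    port = u.port or (636 if u.scheme == "ldaps" else 389)  # u.port raises on bad port
    return u.scheme, u.hostname, port


def validate_realm(servers: str, manager_password: str, fips_mode: bool) -> list:
    """Return a list of error strings; an empty list means the form may be saved.

    `servers` is the space-separated server field from the LDAP security realm.
    """
    errors = []
    for entry in servers.split():
        try:
            scheme, host, port = parse_server(entry)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if fips_mode and scheme != "ldaps":
            errors.append(f"{host}:{port} is not LDAPS; FIPS mode requires ldaps://")
    if fips_mode and len(manager_password) < FIPS_MIN_PASSWORD_LEN:
        errors.append(
            f"manager password must be at least {FIPS_MIN_PASSWORD_LEN} "
            "characters in FIPS mode"
        )
    return errors


if __name__ == "__main__":
    # Constructed inputs reproducing the ticket's steps 2 to 4.
    print(validate_realm("ldaps://ldap.forumsys.com", "x" * 14, fips_mode=True))
    print(validate_realm("ldap.forumsys.com:389", "short", fips_mode=True))
```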


          Ogme added a comment -
          1. Use LDAP server instead (e.g. ldap.forumsys.com:389)

            • There’s no error message and the configuration can be saved although it is not secure → UNEXPECTED

          Careful here, this is in fact expected and perfectly valid.
          LDAPS is unused in favor of LDAP + mandatory STARTTLS.
          (In fact it has already been deprecated for many years: https://directory.apache.org/api/user-guide/5.1-ldaps.html )
          This is also preferred for debugging, as the connection can be initialized before having to deal with a certificate, which is not possible with LDAPS.

          On Active Directory, STARTTLS can be enforced with both the LDAPServerIntegrity and LdapEnforceChannelBinding settings on the server side (and related GPO).

          To harden the configuration on the Jenkins side, add an option to reject any server that does not propose STARTTLS on the connection, and have Jenkins use STARTTLS before any authentication sequence, even for binding purposes.


          Vishal added a comment -

          ogme Above configuration is valid only for FIPS mode whereas in will work as it is only. 


            Assignee: Vishal (vwagh)
            Reporter: Vishal (vwagh)