Task
Resolution: Fixed
Minor
None
Description
- Go to Manage Jenkins > Security > Security Realm and select LDAP
- Use an LDAPS server (e.g. ldaps://ldap.forumsys.com)
  - The URL is accepted (it might throw an exception when connecting, but that is out of the scope of this ticket) → EXPECTED
- Use an LDAP server instead (e.g. ldap.forumsys.com:389)
  - There is no error message and the configuration can be saved although it is not secure → UNEXPECTED
- Click on Advanced Server Configuration
- Set a Manager Password shorter than 14 characters
  - There is no error message and the configuration can be saved although the password is not FIPS compliant → UNEXPECTED
Careful here, this is in fact expected and perfectly valid.
LDAPS is unused in favor of LDAP + mandatory STARTTLS.
(in fact it has already been deprecated for many years: https://directory.apache.org/api/user-guide/5.1-ldaps.html )
This is also preferred for debugging, as the connection can be initialized before having to deal with a certificate, which is not possible with LDAPS.
On Active Directory, STARTTLS can be enforced with both LDAPServerIntegrity and LdapEnforceChannelBinding settings on the server side (and related GPO).
To harden the configuration on the Jenkins side, add an option to reject any server that does not propose STARTTLS on the connection, and have Jenkins use STARTTLS before any authentication sequence, even for binding purposes.
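The checks the ticket says are missing, and the STARTTLS alternative the comment argues for, written out as an added stand-alone validator (example code, not the Jenkins LDAP plugin's own). It assumes the server field may list several servers separated by whitespace, each as an optional `ldap://`/`ldaps://` scheme plus host and optional port; the 14-character minimum is the one the ticket names.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

MIN_FIPS_PASSWORD_LEN = 14  # minimum manager password length expected in FIPS mode

# One server entry: optional scheme, host, optional port (assumed field syntax).
_SERVER_RE = re.compile(
    r"^(?:(?P<scheme>ldaps?)://)?(?P<host>[^:/\s]+)(?::(?P<port>\d{1,5}))?$")


@dataclass
class LdapConfigCheck:
    errors: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_server(entry: str) -> tuple[str, str, int]:
    """Return (scheme, host, port); a bare host:port defaults to plaintext ldap."""
    m = _SERVER_RE.match(entry)
    if not m:
        raise ValueError(f"unparseable server entry: {entry!r}")
    scheme = m.group("scheme") or "ldap"
    port = int(m.group("port") or (636 if scheme == "ldaps" else 389))
    return scheme, m.group("host"), port


def validate_ldap_config(server_field: str, manager_password: str,
                         fips_mode: bool, require_starttls: bool = False) -> LdapConfigCheck:
    """Reject insecure settings when FIPS mode is on.

    A plaintext ldap:// server is an error unless STARTTLS is mandatory before
    any bind (the hardening option proposed in the comment above); the manager
    password must be at least MIN_FIPS_PASSWORD_LEN characters.
    """
    result = LdapConfigCheck()
    if not fips_mode:
        return result  # outside FIPS mode the current behaviour is unchanged
    for entry in server_field.split():
        scheme, host, port = parse_server(entry)
        if scheme == "ldap" and not require_starttls:
            result.errors.append(
                f"{host}:{port} is plaintext ldap:// without mandatory STARTTLS")
    if len(manager_password) < MIN_FIPS_PASSWORD_LEN:
        result.errors.append(
            f"manager password has {len(manager_password)} characters, "
            f"FIPS mode requires at least {MIN_FIPS_PASSWORD_LEN}")
    return result
```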