[NEEDS REVIEW] Fixes JENKINS-14520 - LDAP StartTLS support #97
Conversation
…avax.naming.ldap.LdapContext usage, not the Spring LDAP usage (which will be in a separate commit).
| StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest()); | ||
| SSLSession session = tls.negotiate(); | ||
|
|
||
| if (!session.isValid()) { |
There was a problem hiding this comment.
does this not break for anyone using non SSL LDAP? (in other words this should be available for users to opt into, or opt out of).
For the AD plugin we also need to close the StartTlsResponse https://github.com/jenkinsci/active-directory-plugin/blob/19e9fbcf0518537c6c4bd24fb1fd09901e7fd60e/src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java#L627-L644
There was a problem hiding this comment.
agree definitely using startTLS must be optional and not per default.
There was a problem hiding this comment.
agreed, this definitely breaks non-STARTTLS implementations. I commented below with some additional context for this PR.
| if (!session.isValid()) { | ||
| throw new IOException("Couldn't negotiate StartTls session, session is invalid"); | ||
| } | ||
| ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple"); |
There was a problem hiding this comment.
is this needed, it would appear to be an unrelated change and would preclude the use of any stronger sasl algorithms?
There was a problem hiding this comment.
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
is copy pasted from https://docs.oracle.com/javase/jndi/tutorial/ldap/ext/starttls.html#TLS%20with%20Simple%20Authentication
I did see the External SASL Authentication section in that link, however I wasn't familiar enough with SASL or the Jenkins UI to add additional form controls.
| StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest()); | ||
| SSLSession session = tls.negotiate(); | ||
|
|
||
| if (!session.isValid()) { |
There was a problem hiding this comment.
agree definitely using startTLS must be optional and not per default.
| // pooled connections do not work with StartTLS | ||
| contextSource.setPooled(false); |
There was a problem hiding this comment.
interesting. so you mean com.sun.jndi.ldap.connect.pool doesn't work anymore? it creates connectivity issues or just ignored? If so there are few usage this property in the code.
There was a problem hiding this comment.
yeah, this one took me a while to figure out, but every example i was able to find on the internet related to StartTLS and Spring had setPooled(false)
Explicitly disable connection pooling, or Spring may attempt to StartTLS twice on the same connection.
Also there seems to be some known issues as documented in the spring-ldap docs: https://docs.spring.io/spring-ldap/docs/1.3.2.RELEASE/reference/html/pooling.html
|
hey @jtnord @olamy I was hoping someone with a stronger Java background would be willing to pick up my crude implementation and finesse it into something that would be usable. Given the fact that LDAPS has been deprecated for a while, and there seems to be alot of people in the community interested in this fix, I hope that's a reasonable ask. |
|
Any feedback/update on this PR? |
|
Speaking of LDAP over SSL, that appears to currently be broken (in master that is) as there is no documentation to enable it and using an ldaps:// url causes an error in the configuration page |
|
the configuration page reporting error with the current plugin version is a separate issue, currently that always happen regardless if the settings are correct: https://issues.jenkins.io/browse/JENKINS-68748 |
Hi!
This PR fixes JENKINS-14520.
The Jenkins LDAP Plugin does not currently support LDAP over TLS (StartTLS), only the non-standardized (and deprecated) LDAPS.
In this PR, I've modified both the
javax.naming.ldap.LdapContextand Spring-LDAP usage to support STARTTLS. I don't have a LDAPS server configured to test if LDAPS support has been brokenThe changes are fairly minimal, and do not touch the authn/authz mechanisms at all, just the connection configuration. I've also packaged this code and it's confirmed working on a Jenkins server.
I'm not really familiar with Spring (or Java development really), so an edit/review of the code would be appreciated (especially the error handling and
.close()functionality).Links
Most of my code came from research and examples that I found online, which I've compiled and collected here: https://github.com/AnalogJ/docker-jenkins-playground/tree/ldap_starttls
I used some of @mjalbanna code (master...mjalbanna:master) but his code was based on 1.x rather than 2.x, so it didn't have any spring-ldap fixes.
Tests
I have not written any tests, mostly because my thrown-together Java development environment doesn't seem to like the existing test suite. I had to package the plugin with
mvn package -Dmaven.test.skip=true. I'm happy to add tests if someone can provide some guidance.