Jenkins / JENKINS-14520

LDAP Plugin should support StartTLS extension

    Details

    • Type: Improvement
    • Status: In Progress
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: ldap-plugin
    • Labels:
      None

      Description

      The Jenkins LDAP-Plugin doesn't support the LDAP StartTLS extension that we would need to access our LDAP server. See also this discussion on the mailing list: http://jenkins.361315.n4.nabble.com/StartTLS-td372639.html

      I have investigated a bit to check what would be needed to support that feature, and it seems that the version of acegi-security that Jenkins uses is too old. Spring-ldap supports StartTls since version 1.3.0 (which is part of Spring 3.0).

      I have also voted for JENKINS-5303 to upgrade acegi-security.
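
What the requested StartTLS support involves on the client side, as an added example in plain JNDI. It is not code from the LDAP plugin or from this issue, and the server URL, bind DN and `LDAP_BIND_PW` environment variable are hypothetical. The connection opens on the plain LDAP port, is upgraded with the StartTLS extended operation, and the bind credentials are added only after the TLS session is up:

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class StartTlsBind {
    // Hypothetical values for illustration only.
    static final String URL = "ldap://ldap.example.org:389";
    static final String BIND_DN = "uid=jenkins,ou=services,dc=example,dc=org";

    public static void main(String[] args) throws Exception {
        String password = System.getenv("LDAP_BIND_PW"); // hypothetical variable name
        if (password == null) throw new IllegalStateException("LDAP_BIND_PW is not set");

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        // No credentials here: the connection opens anonymously on the plain
        // LDAP port, so nothing sensitive is sent before TLS is in place.
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            // StartTLS extended operation, then the TLS handshake on the same socket.
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            SSLSession session = tls.negotiate(); // throws if TLS cannot be established
            System.out.println("TLS up: " + session.getProtocol() + " " + session.getCipherSuite());

            // Only now add the bind credentials; the simple bind travels inside TLS.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, BIND_DN);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);

            // Reading the root DSE forces the bind and proves it succeeded.
            System.out.println(ctx.getAttributes("", new String[] {"namingContexts"}));
        } finally {
            if (tls != null) tls.close(); // shut down TLS before closing the connection
            ctx.close();
        }
    }
}
```

If `negotiate()` throws, the code never reaches the bind, so a failed upgrade does not fall back to sending the password in clear text.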

            Activity

            jmairboeck Joachim Mairböck created issue -
            jmairboeck Joachim Mairböck made changes -
            Field: Description

            Original Value:

            The Jenkins LDAP-Plugin doesn't support the LDAP StartTLS extension that we would need to access or LDAP server. See also this discussion on the mailing list: http://jenkins.361315.n4.nabble.com/StartTLS-td372639.html

            I have investigated a bit to check what would be needed to support that feature, and it seems that the version of acegi-security that Jenkins uses is too old. acegi-security supports LDAP startTLS since version 1.3.0.

            I have voted for JIRA-5303 to upgrade that, but for this issue, spring-security 2 wouldn't be needed, if that makes things easier.

            New Value:

            The Jenkins LDAP-Plugin doesn't support the LDAP StartTLS extension that we would need to access or LDAP server. See also this discussion on the mailing list: http://jenkins.361315.n4.nabble.com/StartTLS-td372639.html

            I have investigated a bit to check what would be needed to support that feature, and it seems that the version of acegi-security that Jenkins uses is too old. Spring-ldap supports StartTls since version 1.3.0 (which is part of Spring 3.0).

            I have also voted for JENKINS-5303 to upgrade acegi-security.
            jglick Jesse Glick made changes -
            Component/s ldap [ 17122 ]
            Component/s security [ 15508 ]
            jglick Jesse Glick made changes -
            Link This issue depends on JENKINS-5303 [ JENKINS-5303 ]
            gmsharky Geoff Meakin added a comment -

            Is there any plan to fix this?

            lukaszz Lukasz Zalewski added a comment -

            I know it has been a while but I'm also interested in this feature

            lukaszz Lukasz Zalewski added a comment -

            In the meantime, are there any workarounds available?

            quanah quanah gibson-mount added a comment -

            Given it's been three years, it doesn't seem like this is a high priority for the project.

            I would note a few things:

            StartTLS is the LDAPv3 RFC defined method for secure LDAP connections. LDAPS is not part of an RFC, but was a temporary hack developed for LDAPv2. It would be very helpful if this issue was fixed, so that Jenkins was RFC compliant in connecting with modern LDAPv3 ldap servers.

            bdholmes Brendan Holmes added a comment -

            +1. Anyone who's installed OpenLDAP securely in the last few years will be using StartTLS and not LDAPS. Reluctant to use our directory with Jenkins while it's all in clear text. Any time-frame for this?

            fredericve Frederic Van Espen added a comment -

            +1, we are now using LDAPS as a workaround. Jenkins is the only application left in our domain that cannot use STARTTLS. Would be great to see it supporting the RFC

            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 145156 ] JNJira + In-Review [ 176281 ]
            bangalore Bengt Fahlgren added a comment -

            We also need StartTLS compatibility.

            fbelzunc Félix Belzunce Arcos made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            colinlinx Colin Silcock added a comment -

            +1 would like this

            chungley2000 Chung Ley added a comment -

            +1 would like this as well!

            neej Michael Sjölund added a comment -

            +1 would like this as well..


              People

              • Assignee:
                Unassigned
                Reporter:
                jmairboeck Joachim Mairböck
              • Votes:
                17
                Watchers:
                19
