Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match

2012-07-17T11:27:43
ID ATLASSIAN:CONFSERVER-26049
Type atlassian
Reporter halatas
Modified 2017-10-16T03:50:19

Description

{panel:bgColor=#e7f4fa} NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? [See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-26049]. {panel}

h5. Note - as of Confluence 5.1.3 you can make an SSL LDAP connection that doesn't verify that the hostname and certificate match by unchecking this box when configuring your user directory:

!Screen Shot 2013-04-16 at 3.10.37 PM.png!


h5. Original issue description

Starting with Confluence 4.2, the embedded Crowd has been upgraded from version 2.3.2 to 2.4. This includes the security fix [CWD-2690] (not visible to the public), which was announced in the Crowd 2.3.6 release notes - [Crowd 2.3.6 Release Notes|https://confluence.atlassian.com/display/CROWD/Crowd+2.3.6+Release+Notes].

In Confluence, this has caused a lot of issues for customers with SSL-enabled LDAP integration, mainly because Confluence previously did not verify that the server's SSL certificate is valid for the host name in the LDAP connection URL.

In Crowd, the old behaviour is still available through a workaround: {quote} As a workaround for deployments where there is an expected difference, using an 'ldaps' connection URL and leaving 'Secure SSL' unchecked will preserve the previous behaviour and make an SSL connection but will not verify that the hostname and certificate match. {quote}

However, in Confluence, once you enable "Use SSL", there is no way to fall back to the old behaviour as in Crowd above. !SSL_UserDirectory.png!

This feature request proposes a configuration option similar to Crowd's, allowing an SSL LDAP connection without verifying that the hostname and certificate match (the fix of CWD-2690).

h5. Workaround options

Fix the certificate to contain the correct name. This is the preferred (and most secure) fix.

Edit /etc/hosts on the LDAP server so that the incorrect name in the certificate can be used: add the FQDN from the certificate and map it to the IP address of the server.

(!) Back up the Confluence database beforehand for safety.

- Run the following SQL query:

{code}
UPDATE cwd_directory_attribute SET attribute_value='false' WHERE attribute_name='ldap.secure' AND directory_id = <desired_directory_ID>;
{code}

- Restart Confluence

- (i) Note: The above option will always be reverted to its default ('true') whenever you edit the user directory settings, so you will need to run that query every time you change any user directory settings.
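Before choosing between the workaround options above, it helps to know exactly which names the LDAP server's certificate carries. The following is an added example, not code from this issue or from Atlassian: given a certificate in the dict shape returned by Python's ssl.getpeercert() (the sample cert and host names are constructed), it reports whether the URL host matches, and ldaps_context shows what the Crowd-style "ldaps URL without hostname check" setting corresponds to in a Python client.

```python
import ssl

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(): the server is
# reached as "ldap.example.com" but its certificate only carries internal names
# (the "expected difference" case the Crowd workaround was written for).
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap01.corp.internal"),),),
    "subjectAltName": (("DNS", "ldap01.corp.internal"), ("DNS", "*.corp.internal")),
}

def cert_dns_names(cert):
    """Names a verifier compares with the URL host: DNS SANs, or the CN if there are none."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """RFC 6125 style: case-insensitive; a wildcard may only be the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    rest, labels = pattern[2:], hostname.split(".")
    return len(labels) > 1 and "*" not in rest and ".".join(labels[1:]) == rest

def cert_matches_host(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))

def diagnose(cert, url_host):
    """Say whether hostname verification would pass, and which names would make it pass."""
    if cert_matches_host(cert, url_host):
        return "ok: certificate is valid for %s" % url_host
    return ("mismatch: URL host %r is not among certificate names %r; reissue the "
            "certificate with that name, or use one of the listed names in the URL"
            % (url_host, cert_dns_names(cert)))

def ldaps_context(verify_hostname=True):
    """TLS context for an LDAPS client. verify_hostname=False is the equivalent of the
    Crowd 'ldaps URL with Secure SSL unchecked' behaviour: the certificate chain is still
    verified, but the name in it is not compared with the URL host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = verify_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

if __name__ == "__main__":
    print(diagnose(SAMPLE_CERT, "ldap.example.com"))
    print(diagnose(SAMPLE_CERT, "ldap01.corp.internal"))
```

With check_hostname left off, any certificate chaining to a trusted CA is accepted for any host, so treat that setting as a temporary measure until the certificate carries the right name.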