- Type: Bug
- Resolution: Fixed
- Priority: Medium
- Affects Version/s: 10.2.0
- Component/s: User Interface, User Management, Crowd & LDAP integration
- Severity 3 - Minor
Problem
After upgrading to Bamboo 10.2, the user authentication test does not work when the directory uses LDAPS (secured).
The issue is caused by a missing method "com.google.common.collect.SingletonImmutableList#iterator()" in the Atlassian Velocity library allowlist used by Bamboo.
Regular user authentication via the login page still works; the issue is limited to the directory user test interface found in Bamboo Administration >> User directories >> Select Directory >> Test.
Environment
- Reproduced on Bamboo 10.2 (but can possibly be reproduced in 10.1 and 10.0)
Steps to Reproduce
- Install Bamboo 10.2
- Configure a directory to point to an LDAPS (AD) directory server - Port 636
- Try to test authentication with valid credentials
Expected Results
- It should work
Actual Results
The application fails the test. It is possible to see the following items in the logs:
2025-02-04 04:28:36,099 WARN [http-nio-8085-exec-9 url: /bamboo/plugins/servlet/embedded-crowd/directories/troubleshoot/; user: admin] [velocity] Invocation blocked as method is not allowlisted: com.google.common.collect.SingletonImmutableList#iterator()

Workaround
Option 1: Configure Bamboo to use LDAP (non-LDAPS). Plain LDAP carries bind credentials unencrypted between Bamboo and the directory server.
Option 2: Add an LDAP proxy service running on the same machine as Bamboo.
This service listens for plain LDAP (non-LDAPS) and forwards it to the destination LDAP server over a secure LDAPS transport; then configure Bamboo to point to the LDAP service running on localhost.
Here's a simplified HAProxy configuration file that works as a proof of concept and can be extended to support customers' requirements.
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    option redispatch
    retries 3
    timeout connect 5s
    timeout client 1m
    timeout server 1m
    maxconn 3000

frontend ldap_front
    # replace *:33389 with 127.0.0.1:389
    # this is the LDAP address you will add to Bamboo
    bind *:33389
    default_backend ldaps_back

backend ldaps_back
    # replace 172.50.0.5 with your local LDAPS server
    # "send-proxy-v2" sends a PROXY protocol v2 header; the backend must accept it
    # "ssl verify none" encrypts the connection but does not validate the server certificate
    server ldapserver 172.50.0.5:636 send-proxy-v2 ssl verify none
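The proof of concept binds on all interfaces and skips certificate validation on the LDAPS hop. The variant below is an added example, not part of the original ticket: it shows the frontend and backend sections with a loopback-only listener and server certificate verification. The CA file path and the host name `ldaps.example.internal` are placeholders (assumptions); the `global` and `defaults` sections stay as in the proof of concept.

```haproxy
# Added example, not from the original ticket.
# Only the frontend/backend sections differ from the proof of concept.

frontend ldap_front
    # Loopback only: the Bamboo-to-proxy hop is plain LDAP, so it should
    # not be reachable from other hosts. This is the address added to Bamboo.
    bind 127.0.0.1:389
    default_backend ldaps_back

backend ldaps_back
    # Proof-of-concept line, for comparison (accepts any certificate):
    #   server ldapserver 172.50.0.5:636 send-proxy-v2 ssl verify none

    # Placeholders (assumptions, replace with your own values):
    #   /etc/haproxy/ldaps-ca.pem  CA bundle that issued the LDAPS certificate
    #   ldaps.example.internal     host name present in that certificate
    default-server ssl verify required ca-file /etc/haproxy/ldaps-ca.pem ssl-min-ver TLSv1.2

    # verifyhost rejects a certificate whose subject/SAN does not match;
    # sni sends the same name in the TLS handshake.
    # send-proxy-v2 is kept from the proof of concept; it is only valid
    # when the LDAPS server accepts the PROXY protocol.
    server ldapserver 172.50.0.5:636 send-proxy-v2 verifyhost ldaps.example.internal sni str(ldaps.example.internal)
```

The file can be checked before a reload with `haproxy -c -f <path to the configuration file>`.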