CONFSERVER-26049

Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match


Details


    Description

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      Note: as of Confluence 5.1.3 you can make an SSL LDAP connection that does not verify that the hostname and certificate match by unchecking the box shown in the attached screenshot when configuring your user directory.

      Original issue description

      Starting with Confluence 4.2, the embedded Crowd has been upgraded from version 2.3.2 to 2.4. This includes the security fix CWD-2690 (not visible to the public) that was announced in the Crowd 2.3.6 Release Notes.

      In Confluence, this has caused a lot of issues for customers with SSL LDAP integration, mainly because Confluence previously did not verify that the server's SSL certificate is valid for the host name in the LDAP connection URL.

      In Crowd, the old behaviour can still be obtained with a workaround:

      As a workaround for deployments where there is an expected difference, using an 'ldaps' connection URL and leaving 'Secure SSL' unchecked will preserve the previous behaviour and make an SSL connection but will not verify that the hostname and certificate match.

      However, in Confluence, once "Use SSL" is enabled there is no way to fall back to the old behaviour as Crowd does above.

      This feature request proposes a configuration option similar to Crowd's that allows an SSL LDAP connection without verifying that the hostname and certificate match (the fix for CWD-2690).

      Workaround options
      1. Fix the certificate to contain the correct name. This is the preferred (and most secure) fix.
      2. Edit /etc/hosts on the LDAP server so that you can use the incorrect name from the certificate: add the FQDN on the certificate and map it to the IP address of the server.
      3. Back up the Confluence database beforehand as a precaution, then:
        • Run the following SQL query:
          UPDATE cwd_directory_attribute
          SET attribute_value='false'
          WHERE attribute_name='ldap.secure'
          AND directory_id = <desired_directory_ID>;
        • Restart Confluence
        • Note: the above attribute is always reverted to its default ('true') whenever you edit the user directory settings, so you will need to run that query every time you change any user directory settings.
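      Before choosing between workaround 1 and the ldap.secure query, it helps to know exactly which names the LDAP server's certificate covers and whether the host in the Confluence LDAP URL is among them. The script below is an added example, not part of this issue or of Confluence/Crowd; it applies the usual RFC 6125 matching rules to a certificate in the dict format that Python's ssl.SSLSocket.getpeercert() returns, and fetch_peer_cert is a hypothetical helper name for obtaining that dict from a live LDAPS port.

```python
# Added example: check whether the host in a Confluence LDAP URL is covered by the
# LDAP server's certificate (dict format returned by ssl.SSLSocket.getpeercert()).
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

def url_host(ldap_url: str) -> str:
    """Host part of an ldap:// or ldaps:// URL (urlsplit lower-cases it)."""
    parts = urlsplit(ldap_url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {ldap_url}")
    return parts.hostname

def cert_names(cert: dict, kind: str = "DNS") -> list[str]:
    """SAN entries of the given kind; the subject CN is used for DNS names only
    when the certificate has no subjectAltName at all (RFC 6125 section 6.4.4)."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == kind]
    if kind != "DNS" or "subjectAltName" in cert:
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*' standing for the whole leftmost label only (RFC 6125)."""
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False

def hostname_matches(cert: dict, ldap_url: str) -> bool:
    """True when hostname verification would pass, so no workaround is needed."""
    host = url_host(ldap_url)
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return any(name_matches(n, host) for n in cert_names(cert))
    return host in cert_names(cert, "IP Address")  # IP literals never match wildcards

def fetch_peer_cert(host: str, port: int = 636) -> dict:
    """Hypothetical helper: fetch the LDAPS server certificate for the check above.
    The chain is still validated against the trust store; only the hostname check
    is skipped so a mismatched certificate can be inspected rather than rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```

      If hostname_matches returns False, cert_names(cert) lists the names the certificate is actually valid for, which is what workaround 1 needs to be corrected to (or what the LDAP URL could be pointed at instead of turning verification off).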

    People

      etom edith (Inactive)
      halatas HuseinA
      Votes: 7
      Watchers: 15