Confluence Data Center
CONFSERVER-26049

Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match

    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      Note - as of Confluence 5.1.3 you can make an SSL LDAP connection that doesn't verify that the hostname and certificate match by unchecking this box when configuring your user directory:


      Original issue description

      Starting with Confluence 4.2, the embedded Crowd has been upgraded from version 2.3.2 to 2.4. This includes the security fix CWD-2690 (not visible to the public) that was announced in the Crowd 2.3.6 Release Notes.

      In Confluence, this has caused a lot of issues for customers with SSL LDAP integrations, mainly because Confluence previously did not verify that the server's SSL certificate is valid for the hostname in the LDAP connection URL.

      In Crowd, the old behaviour can still be obtained with a workaround:

      As a workaround for deployments where there is an expected difference, using an 'ldaps' connection URL and leaving 'Secure SSL' unchecked will preserve the previous behaviour and make an SSL connection but will not verify that the hostname and certificate match.

      However, in Confluence, once you enable "Use SSL", there is no way to fall back to the old behaviour as Crowd allows.

      This feature request proposes a config option similar to Crowd's, to allow an SSL LDAP connection without verifying that the hostname and certificate match (i.e. bypassing the fix of CWD-2690).

      Workaround options
      1. Fix the certificate to contain the correct name. This is the preferred (and most secure) fix.
      2. Edit /etc/hosts on the LDAP server to allow you to use the incorrect name in the certificate. Add the FQDN from the certificate and map it to the IP address of the server.
      3. Back up the Confluence database beforehand for safety, then:
        • Run the following SQL query:
          UPDATE cwd_directory_attribute
          SET attribute_value='false'
          WHERE attribute_name='ldap.secure'
          AND directory_id = <desired_directory_ID>;

        • Restart Confluence
        • Note: The above setting will always be reverted to its default ('true') whenever you edit the user directory settings. Therefore, you'll need to run that query every time you make any changes to the user directory settings.
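The check that the CWD-2690 fix introduced, and that the workarounds above either satisfy (option 1 and 2) or switch off (option 3), is the comparison of the hostname in the LDAP URL against the DNS names carried by the server certificate. The script below is an added example, not Atlassian or Crowd code: it applies the RFC 6125 matching rules most TLS verifiers follow to certificates represented as dicts in the shape Python's ssl.getpeercert() returns, so an administrator can see which names a certificate actually carries and whether the URL host is covered before deciding between fixing the certificate and fixing name resolution. The certificate contents, URLs and function names are constructed for the example; the dc1/dc2/ldap.office.example.com names are made up.

```python
"""Hostname-to-certificate matching, as enforced for LDAPS after CWD-2690.

Added example, not Atlassian/Crowd code. It applies the RFC 6125 rules most
TLS verifiers follow: dNSName SAN entries are checked first, the subject CN is
consulted only when the certificate carries no dNSName SAN at all, and a
wildcard may stand only for the entire left-most label. Certificates below are
constructed dicts in the shape Python's ssl.getpeercert() returns.
"""
from urllib.parse import urlparse


def cert_dns_names(cert):
    """Return (san_dns_names, common_names) from a getpeercert()-style dict."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ())
           for (key, value) in rdn if key == "commonName"]
    return sans, cns


def dns_name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Accept only a bare "*" as the whole left-most label, require at least
    # two fixed labels after it (no "*.com"), and never let it span a dot.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True when hostname is covered by the certificate's SANs (or CN fallback)."""
    sans, cns = cert_dns_names(cert)
    candidates = sans if sans else cns   # CN is ignored once any dNSName SAN exists
    return any(dns_name_matches(name, hostname) for name in candidates)


def check_ldap_url(url, cert):
    """Report whether the host in an ldap(s) URL is covered by the certificate."""
    host = urlparse(url).hostname          # lower-cased, port stripped
    sans, cns = cert_dns_names(cert)
    return {"host": host, "matches": hostname_matches(cert, host),
            "san": sans, "cn": cns}


# Constructed certificates (no real servers). CN_ONLY_CERT mirrors the
# CN-only certificate described in the comment thread; SAN_CERT mirrors the
# round-robin case where the shared name is carried as a SAN.
CN_ONLY_CERT = {
    "subject": ((("commonName", "SERVERNAME.office.company.com"),),),
}
SAN_CERT = {
    "subject": ((("commonName", "dc1.office.example.com"),),),
    "subjectAltName": (("DNS", "dc1.office.example.com"),
                       ("DNS", "ldap.office.example.com")),
}
# CN equals the URL host, but a dNSName SAN is present, so the CN is not consulted.
STALE_CN_CERT = {
    "subject": ((("commonName", "ldap.office.example.com"),),),
    "subjectAltName": (("DNS", "dc2.office.example.com"),),
}


def demo():
    """Run the four scenarios and return their reports (also printed)."""
    cases = [
        ("ldaps://SERVERNAME.office.company.com:636", CN_ONLY_CERT),  # OK via CN fallback
        ("ldaps://servername:636", CN_ONLY_CERT),                     # short name: mismatch
        ("ldaps://ldap.office.example.com", SAN_CERT),                # OK via SAN
        ("ldaps://ldap.office.example.com", STALE_CN_CERT),           # CN ignored: mismatch
    ]
    reports = [check_ldap_url(url, cert) for url, cert in cases]
    for (url, _), report in zip(cases, reports):
        verdict = "OK" if report["matches"] else "MISMATCH"
        print(f"{verdict:8} {url:45} SAN={report['san']} CN={report['cn']}")
    return reports


if __name__ == "__main__":
    demo()
```

The second and fourth scenarios are the ones that produce the failure this issue is about: a URL using a name the certificate does not carry (here a short name instead of the FQDN), and a certificate whose CN is right but whose SAN list is stale. In both cases the report lists the names the certificate does carry, which is the information needed for workaround 1 (reissue the certificate with the name in the URL) or workaround 2 (make the URL host resolve under the certificate's FQDN) instead of turning verification off.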


            Sergey Svishchev added a comment -

            I've commented on the linked CWD issue how this change came about - as a persistent request from another customer.

            vosipov, could you repost your comment here, please?

            Alex Fisher added a comment -

            Turning off follow referrals worked for me too.

            Foo Sim (Inactive) added a comment -

            Hey guys,

            Just to let you know that in most situations, turning off Follow Referrals in the Advanced Options of the Directory Configuration might resolve this issue as well, provided that you only use 1 domain (without cross-domain memberships).

            Foogie

            Alexey Eronko added a comment -

            We have faced an SSL connection issue during our migration from version 3.5 of Confluence.

            We have a common deployment scenario:

            1. Certificate Authority:
            Owner: CN=SERVERNAME.office.company.com
            Issuer: CN=CORPORATE CA, DC=office, DC=company, DC=com

            2. CN certificate:

            Owner: CN=SERVERNAME.office.company.com
            Issuer: CN=CORPORATE CA, DC=office, DC=company, DC=com

            3. Server name: SERVERNAME.office.company.com
            4. DNS PTR IP <-> SERVERNAME.office.company.com

            Could you please explain what is planned to be fixed in Atlassian products (JIRA & Confluence) to get it configurable and working correctly.

            Regards,
            Alexey Eronko

            Jason added a comment -

            We're experiencing this issue as well. However, for whatever reason, Confluence is able to connect to our LDAP server successfully during a full sync. Automated syncs fail though with this issue.

            Why is this?

            Background:
            Our Confluence instance connects via round-robin DNS to one of two AD servers. Both AD servers have distinct SSL certificates with their hostname as the CN, and the hostname that Confluence connects to as a SAN. Confluence fails to connect to the hostname when it does an automated sync, but successfully connects to it when it does a full sync.


            HuseinA added a comment -

            Good catch, John! SQL query is fixed now.


            John Ryan added a comment - - edited

            Hi Husein,

            Please remove the ';' from the end of line 2 in the SQL statement, otherwise all attributes get set false.

            John


              etom edith (Inactive)
              halatas HuseinA
              Votes: 7
              Watchers: 15