Starting JIRA 5.1, the embedded crowd has been upgraded from version 2.3.2 to 2.4. This includes the security fix [CWD-2690] (won't be visible to public) that has been announced in Crowd 2.3.6 release notes - Crowd 2.3.6 Release Notes.

In JIRA, this has caused a lot of issues to customers with SSL-ed LDAP integration. Mainly because JIRA used to not verify that the server's SSL certificate is valid for the host name in the LDAP connection URL.

In Crowd, one can still have the old behaviour by workarounding it:

As a workaround for deployments where there is an expected difference, using an 'ldaps' connection URL and leaving 'Secure SSL' unchecked will preserve the previous behaviour and make an SSL connection but will not verify that the hostname and certificate match.

However, in JIRA, once you enable "Use SSL", there is no way we can fallback to the old behaviour like Crowd above.

This feature request is to propose to have similar config/option like Crowd to allow an SSL LDAP connection but without verifying that the hostname and certificate match (fix of CWD-2690).

Workaround options

1. Fix the certificate to contain the correct name. This is the preferred (and most secure) fix.
2. Edit /etc/hosts on the LDAP server to allow you to use the incorrect name in the certificate. Add the FQDN on the certificate and match it to the IP address of the server.
3. Backup Confluence database beforehand for safety purpose
   • Run the following SQL query:

     UPDATE cwd_directory_attribute
     SET attribute_value='false'
     WHERE attribute_name='ldap.secure'
     AND directory_id  = <desired_directory_ID>;
     

   • Restart JIRA
   • Note: The above option will always reverted to its default ('true') whenever you edit the user directory settings. Therefore, you'll need to run that query every time you do any changes on the user directory settings.