Hi folks. I've had a recent security update within my company causing havoc with my existing (old/ancient) Bamboo 5.10 CI system.
The security change has been to set:
- Domain Controller: LDAP server channel binding token requirements to Always
- Domain Controller: LDAP server signing requirements to Require signing
As a result, we are getting the following error in the logs when attempting to log in:
2024-06-14 16:04:24,062 ERROR [http-apr-8085-exec-13] [LDAPUserManagerReadOnly] Error retrieving user: 'XXXX' from LDAP server OURSERVER.LOCAL[XX.XX.XX.XX] com.atlassian.user.impl.ldap.repository.LdapConnectionFailedException: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09032F, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563 ]
We've tried changing over to the LDAPS port from 389 -> 636, but it then appears unable to find the system at all.
Does anyone know if there is a way to get the old Bamboo 5.10, etc., working with the new LDAPS settings?
I've looked over
https://confluence.atlassian.com/bamboo0510/integrating-bamboo-with-ldap-824480440.html
but I've not been able to get any of its suggestions to help so far.
Hello @NealPorter
Welcome to the Atlassian Community!
Microsoft has released a security advisory for LDAP channel binding and LDAP signing to be implemented as a way to increase the security of the network communication between an Active Directory Domain Services (AD DS) or an Active Directory Lightweight Directory Services (AD LDS) server and its clients. Please refer to the below article from Microsoft for complete details.
How to enable LDAP signing in Windows Server 2008
As the LDAP server is now configured to require signed communication, simple bind requests are rejected by the LDAP server.
Please try following the below steps:
1. Use telnet or openssl s_client -connect YOUR_LDAP_SERVER:636 to test connectivity from the Bamboo server to the LDAP server over port 636.
2. Use ldaps:// in the server URL and specify port 636.
The issue you're facing is due to the security policies being tightened on your domain controller, requiring LDAP communications to be signed or encrypted.
Hope it helps!
Regards,
Khushboo Gupta
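The connectivity check suggested in the answer above, as an added example that is not part of the original thread: it classifies the "error code 8 - 00002028" bind failure from the question and performs a verified TLS handshake against a port-636 endpoint, reporting whether the problem is TCP reachability, the TLS handshake, or a certificate the client does not trust (a Java client such as Bamboo needs the issuing CA in its JVM truststore). OURSERVER.LOCAL is the hostname from the log line and stands in for the real domain controller; the sample error line is constructed from the one in the question.

```python
"""Diagnose an LDAPS (port 636) endpoint and classify an AD signing-related bind error.

Added example, not from the original thread; host names are placeholders.
"""
import re
import socket
import ssl

# Constructed from the error line in the question (Windows LDAP error 8, data 00002028:
# "binds must turn on integrity checking if SSL/TLS is not already active").
SAMPLE_ERROR = ("javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - "
                "00002028: LdapErr: DSID-0C09032F, comment: The server requires binds to turn "
                "on integrity checking if SSL\\TLS are not already active on the connection]")
INTEGRITY_REQUIRED = re.compile(r"error code 8 - 00002028")


def classify_bind_error(log_line: str) -> str:
    """Return a short diagnosis for an LDAP bind error taken from the application log."""
    if INTEGRITY_REQUIRED.search(log_line):
        return "signing required: simple bind over ldap://389 rejected, switch to ldaps://636"
    if "AuthenticationNotSupportedException" in log_line:
        return "bind mechanism not accepted by the server"
    return "unknown"


def check_ldaps(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """TCP connect, then a *verified* TLS handshake, as a Java LDAPS client would do."""
    result = {"tcp": False, "tls": False, "verified": False, "error": None}
    ctx = ssl.create_default_context()  # system CA bundle, hostname check enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["tcp"] = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = result["verified"] = True
                cert = tls.getpeercert()
                result["subject"] = dict(x[0] for x in cert.get("subject", ()))
                result["san"] = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                result["not_after"] = cert.get("notAfter")
    except ssl.SSLCertVerificationError as e:
        # Handshake reached the server but the chain/hostname is not trusted here;
        # the JVM would fail the same way until the issuing CA is in its truststore.
        result["tls"] = True
        result["error"] = f"untrusted certificate: {e.verify_message}"
    except (OSError, ssl.SSLError) as e:
        result["error"] = str(e)  # refused, timed out, or TLS not offered on this port
    return result


if __name__ == "__main__":
    print(classify_bind_error(SAMPLE_ERROR))
    print(check_ldaps("OURSERVER.LOCAL"))  # placeholder host from the question
```

If `tcp` is False the port is not reachable from the Bamboo host at all (firewall or LDAPS not enabled on the DC); if `tls` is True but `verified` is False, the fix is trust, not connectivity.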