Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Problems with LDAP connection on Old Bamboo 5.10.1

NealPorter
NealPorter
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
June 13, 2024

Hi folks. I've had a recent security update within my company causing havoc with my existing (old/ancient Bamboo 5.10 CI system).

The security change has been to set the

Domain Controller : LDAP server channel binding token requirements: to Always

And

Domain Controller : LDAP server signing requirements : to Require signing.

 

As a result we are getting error logs when attempting to log in of

 

2024-06-14 16:04:24,062 ERROR [http-apr-8085-exec-13] [LDAPUserManagerReadOnly] Error retrieving user: 'XXXX' from LDAP server OURSERVER.LOCAL[XX.XX.XX.XX] com.atlassian.user.impl.ldap.repository.LdapConnectionFailedException: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09032F, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563 ]

 

We've tried changing over to the LDAPS port from 389 -> 636, but it then appears unable to find the system at all.

 

Does anyone know if there is a way to get the old Bamboo 5.10 etc, using the new LDAPS settings?

I've looked over 

 

https://confluence.atlassian.com/bamboo0510/integrating-bamboo-with-ldap-824480440.html

But I've not been able to get any of its suggestions to help so far.

 

Answer
Watch
Like Be the first to like this
357 views

1 answer

2 votes
Khushboo Gupta
Khushboo Gupta
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 14, 2024

Hello @NealPorter 

Welcome to the Atlassian Community!

Microsoft has released a security advisory for LDAP channel binding and LDAP signing to be implemented as a way to increase security of the network communication between an Active Directory Domain Services (AD DS) or an Active Directory Lightweight Directory Services (AD LDS) and its clients. Please refer to the below article from Microsoft for complete details.

How to enable LDAP signing in Windows Server 2008

As the LDAP server is now configured to require signed communication, simple bind request are rejected by the LDAP server.

Please try following the below steps:

  • Locked out of application. Try login as an administrator accounts and Configure User directories to use SSL.
  • For LDAPS to function, your LDAP server must have a valid SSL certificate installed. Ensure Bamboo server trust those certificates.
  • Make sure your LDAP server (e.g., Active Directory) is configured to support LDAPS on port 636. This might involve configuring the certificate on the LDAP server and ensuring the service is running and accessible over this port.
  • Since you mentioned that switching to port 636 makes the LDAP server unreachable, verify that there are no network firewalls or security groups blocking access to this port from your Bamboo server. Use tools like telnet or openssl s_client -connect YOUR_LDAP_SERVER:636 to test connectivity from the Bamboo server to the LDAP server over port 636.
  • Adjust your Bamboo LDAP configuration to use ldaps:// in the server URL and specify port 636.

The issue you're facing is due to the security policies being tightened on your domain controller, requiring LDAP communications to be signed or encrypted.

Hope it helps!

Regards,

Khushboo Gupta

 

Reply

Suggest an answer

Log in or Sign up to answer
Bamboo
Bamboo
DEPLOYMENT TYPE
SERVER
VERSION
5.10.1
TAGS
AUG Leaders

Atlassian Community Events

    See all events