
Problems with LDAP connection on Old Bamboo 5.10.1

NealPorter
June 13, 2024

Hi folks. I've had a recent security update within my company causing havoc with my existing (old/ancient Bamboo 5.10 CI system).

The security change has been to set

Domain Controller: LDAP server channel binding token requirements to Always

and

Domain Controller: LDAP server signing requirements to Require signing.

As a result we are getting error logs when attempting to log in of

 

2024-06-14 16:04:24,062 ERROR [http-apr-8085-exec-13] [LDAPUserManagerReadOnly] Error retrieving user: 'XXXX' from LDAP server OURSERVER.LOCAL[XX.XX.XX.XX] com.atlassian.user.impl.ldap.repository.LdapConnectionFailedException: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09032F, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563 ]

 

We've tried changing over to the LDAPS port from 389 -> 636, but it then appears unable to find the system at all.

 

Does anyone know if there is a way to get the old Bamboo 5.10 etc, using the new LDAPS settings?

I've looked over https://confluence.atlassian.com/bamboo0510/integrating-bamboo-with-ldap-824480440.html but I've not been able to get any of its suggestions to help so far.

 

1 answer

2 votes
Khushboo Gupta
Atlassian Team
June 14, 2024

Hello @NealPorter 

Welcome to the Atlassian Community!

Microsoft has released a security advisory for LDAP channel binding and LDAP signing to be implemented as a way to increase security of the network communication between an Active Directory Domain Services (AD DS) or an Active Directory Lightweight Directory Services (AD LDS) and its clients. Please refer to the below article from Microsoft for complete details.

How to enable LDAP signing in Windows Server 2008

As the LDAP server is now configured to require signed communication, simple bind requests are rejected by the LDAP server.

Please try following the below steps:

  • Locked out of the application? Try logging in with an administrator account and configure the user directories to use SSL.
  • For LDAPS to function, your LDAP server must have a valid SSL certificate installed. Ensure the Bamboo server trusts those certificates.
  • Make sure your LDAP server (e.g., Active Directory) is configured to support LDAPS on port 636. This might involve configuring the certificate on the LDAP server and ensuring the service is running and accessible over this port.
  • Since you mentioned that switching to port 636 makes the LDAP server unreachable, verify that there are no network firewalls or security groups blocking access to this port from your Bamboo server. Use tools like telnet or openssl s_client -connect YOUR_LDAP_SERVER:636 to test connectivity from the Bamboo server to the LDAP server over port 636.
  • Adjust your Bamboo LDAP configuration to use ldaps:// in the server URL and specify port 636.

The issue you're facing is due to the security policies being tightened on your domain controller, requiring LDAP communications to be signed or encrypted.

Hope it helps!

Regards,

Khushboo Gupta
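
The connectivity and certificate checks from the list above can be separated into stages, so that "port 636 cannot be found" is narrowed down to DNS, firewall, TLS or certificate trust. This is an added example, not part of the answer and not Atlassian code; the function name check_ldaps, the HINTS table and the host and file names in the usage comment are assumptions made for illustration.

```python
import socket
import ssl
import sys

# Next step per failure stage, following the checklist in the answer above.
HINTS = {
    "dns": "name does not resolve from this host; check the LDAP URL and DNS",
    "tcp": "port unreachable; check firewalls and that LDAPS is listening",
    "tls": "port open but no TLS handshake; check the DC's LDAPS certificate",
    "cert": "certificate rejected; check CA trust and the name in the LDAP URL",
    "ok": "TLS and certificate check passed from this host",
}


def check_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return (stage, detail); stage is 'dns', 'tcp', 'tls', 'cert' or 'ok'."""
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)
    # Verify the chain and hostname the way a strict LDAPS client would.
    # cafile=None uses the OS trust store; pass your internal CA as PEM.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            not_after = tls.getpeercert().get("notAfter")
            return "ok", f"{tls.version()}, certificate valid until {not_after}"
    except ssl.SSLCertVerificationError as exc:
        return "cert", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "tls", str(exc)


if __name__ == "__main__":
    # Usage: python check_ldaps.py dc01.example.local [ca.pem]  (placeholder names)
    target = sys.argv[1]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    stage, detail = check_ldaps(target, cafile=ca)
    print(f"{stage}: {detail}\n  -> {HINTS[stage]}")
```

Run it from the Bamboo server with the same host name that appears in the Bamboo LDAP URL, since the certificate is checked against that name. An "ok" result covers the network path and the certificate itself; Bamboo's JVM keeps its own trust store, so the issuing CA still has to be trusted there as well.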

 

Deployment type: Server
Version: 5.10.1