Minor correction, it's possible the LDAP authz plugin is validating the certs in a way that the authentication plugin does not, despite both being on old LDAP client API versions. Would need to dig deeper to validate.
https://github.com/gocd/gocd-ldap-authentication-plugin/blob/a0236ed52cc95646f322220c72a20360893c548c/src/main/java/cd/go/apacheds/ConnectionConfiguration.java

vs

https://github.com/gocd/gocd-ldap-authorization-plugin/blob/master/src/main/java/com/thoughtworks/gocd/authorization/ldap/apacheds/ConnectionConfiguration.java

-Chad

On Sat, 18 May 2024, 11:03 Chad Wilson, <[email protected]> wrote:

> I discovered recently that the plugins are on an ancient version of the
> Apache LDAP library that means they don't actually seem to validate the
> server certs fully by default (e.g. on expiry), so may not validate the
> hostname either. But that's probably a bug, not a feature? Your call if you
> want to give it a go and rely on it for now.
>
> If the default is made more secure in future I'd like to think there'd be
> an opt-out. But yeah - those LDAP plugins need some love.
>
> -Chad
>
> On Sat, 18 May 2024, 02:29 Jason Smyth, <[email protected]> wrote:
>
>> Hi Sriram,
>>
>> Thank you for the feedback.
>>
>> Do you know how the plugin handles SSL negotiation? We considered DNS
>> round-robin but ruled it a non-starter, under the assumption that LDAPS
>> would require that the hostname and certificate name match.
>>
>> Regards,
>>
>> *Jason Smyth*
>>
>> *From:* [email protected] <[email protected]> *On Behalf Of* Sriram Narayanan
>> *Sent:* Friday, May 17, 2024 12:46 PM
>> *To:* [email protected]
>> *Subject:* Re: [go-cd] How to Configure Redundant LDAP Authorization?
>>
>> On Fri, 17 May 2024 at 10:53 PM, Jason Smyth <[email protected]> wrote:
>>
>> Hi everyone,
>>
>> We are looking to move from the bundled LDAP authentication plugin to the
>> LDAP authorization plugin
>> <https://github.com/gocd/gocd-ldap-authorization-plugin>.
>>
>> For redundancy, our current setup uses 2 LDAP connectors, each pointing
>> to a different Active Directory domain controller in the same domain. If
>> we switch to the LDAP authorization plugin we can still create redundant
>> authentication links, but does this mean we will need to create duplicate
>> role configurations as well?
>>
>> Is there any documentation we should be referencing in terms of the
>> "right" way to set up a redundant connection to AD?
>>
>> For connection redundancy, I've used TCP load balancers. For on premise
>> setups, I've used DNS round robin to point to two different load balancer
>> instances.
>>
>> Any feedback is appreciated.
>>
>> Regards,
>>
>> Jason Smyth
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "go-cd" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/go-cd/4b37a890-f442-4966-a053-0fb985f73e3cn%40googlegroups.com
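Jason's question (does LDAPS require the configured hostname to match the certificate?) and Chad's observation (the old Apache LDAP client may not check expiry, and possibly not the hostname) both come down to what each domain controller's certificate actually carries. The script below is an added example, not code from this thread or from the GoCD plugins: it audits a certificate the way a strictly configured client would, so an operator can tell in advance whether a DNS round-robin name such as `ldap.corp.example` will survive proper validation against every DC behind it. The hostnames, SAN lists and dates are constructed for the example; `audit_ldaps_endpoint` is the only part that touches the network and is not exercised by the offline demo.

```python
"""Audit LDAPS certificates against the hostname a client will be configured with.

Added example for the go-cd thread above; not part of the GoCD plugins.
The pure functions run offline on dicts shaped like ssl.SSLSocket.getpeercert();
audit_ldaps_endpoint() performs a real handshake with strict verification.
"""
import socket
import ssl
import time

# Constructed reference clock so the offline demo is deterministic.
AUDIT_NOW = ssl.cert_time_to_seconds("Jan 15 00:00:00 2025 GMT")

# Constructed peer-cert dicts in getpeercert() format (hypothetical names/dates).
SAMPLE_GOOD = {
    "subjectAltName": (("DNS", "ldap.corp.example"), ("DNS", "dc1.corp.example")),
    "notAfter": "Jan 15 00:00:00 2030 GMT",
}
SAMPLE_MISMATCH = {  # DC cert issued only for its own name, not the round-robin name
    "subjectAltName": (("DNS", "dc2.corp.example"),),
    "notAfter": "Jan 15 00:00:00 2030 GMT",
}
SAMPLE_EXPIRED = {
    "subjectAltName": (("DNS", "ldap.corp.example"),),
    "notAfter": "Jan 15 00:00:00 2024 GMT",
}


def hostname_matches(configured_host, san_dns_names):
    """RFC 6125-style DNS-ID match: exact, or a single leading '*' label that
    covers exactly one label (no partial-label or multi-label wildcards)."""
    host = configured_host.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            head, sep, tail = host.partition(".")
            if sep and head and tail == name[2:]:
                return True
    return False


def days_until_expiry(not_after, now=None):
    """not_after uses the getpeercert() format, e.g. 'May 17 12:00:00 2025 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def evaluate_peer_cert(configured_host, cert, now=None):
    """Return a list of findings (empty list means the cert is fine for this host)."""
    findings = []
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not san:
        findings.append("certificate has no DNS subjectAltName; strict clients ignore the CN")
    elif not hostname_matches(configured_host, san):
        findings.append(f"configured host {configured_host!r} is not in SAN list {san}")
    days = days_until_expiry(cert["notAfter"], now)
    if days < 0:
        findings.append(f"certificate expired {-days:.0f} days ago")
    elif days < 30:
        findings.append(f"certificate expires in {days:.0f} days")
    return findings


def audit_ldaps_endpoint(configured_host, dc_addr, port=636, timeout=5.0):
    """Handshake with one DC (by address) while presenting configured_host as SNI.
    create_default_context() enforces chain, expiry and hostname checks, i.e. the
    validation the thread says the old LDAP client may skip."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((dc_addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=configured_host) as tls:
                return evaluate_peer_cert(configured_host, tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return [f"strict verification rejected {dc_addr}: {exc.reason}"]


if __name__ == "__main__":
    # Offline demo over the constructed certs; swap in audit_ldaps_endpoint(...)
    # with a real round-robin name and each DC's address for a live check.
    for label, cert in [("good", SAMPLE_GOOD), ("mismatch", SAMPLE_MISMATCH),
                        ("expired", SAMPLE_EXPIRED)]:
        print(label, evaluate_peer_cert("ldap.corp.example", cert, AUDIT_NOW) or "OK")
```

The offline functions answer the design question: a round-robin name is only viable if every DC's certificate lists that name as a DNS SAN, since a client that does validate will otherwise reject the connection regardless of which DC DNS hands out. The live function uses the standard library's default context rather than the plugin's client, so its result reflects what a correctly validating client would decide.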
