LDAP and Ignoring SSL Errors

Is it possible to configure the LDAP plug-in to ignore SSL certificate mismatch errors when configuring LDAPS support? My IT department is a PITA, and I'm fine connecting to the AD DCs without verifying their SSL certificate(s). I just want to make sure the traffic is encrypted. Ignoring the trust error is fine by me.

Thoughts?

Thanks!

4 comments

Hi Schley,

I think the easiest way would be to import the certificates to the TeamCity JVM (using keytool) and thus get rid of errors.
Or you can provide your own SSLContext with a custom X509TrustManager that doesn't perform any checks. To set it up in TeamCity use "java.naming.factory.initial" property. This is a bit more complicated.

Some links that might be helpful:
http://java.sun.com/javase/6/docs/api/javax/net/ssl/SSLContext.html
http://java.sun.com/javase/6/docs/api/javax/net/ssl/X509TrustManager.html
http://java.sun.com/javase/6/docs/api/javax/net/ssl/SSLSocketFactory.html


---
Maxim


Maxim,

Yes, the easiest solution would be to import the certificates, but as I said, that would necessitate working with the IT department and that can take weeks sometimes. I'm familiar with how to set up your own SSL context verification class as I've done so many times, but what I'm not familiar with is where to initialize that property in TeamCity and where to place the JAR with the class in it so that the TeamCity classloader loads it.

Thanks!


I see.

You can put the JAR into /WEB-INF/plugins/ldap/server/ (or to /WEB-INF/lib/ if that didn't work).
The property I mentioned should be defined in your ldap-config.properties file, which is located in <TEAMCITY_DATA_DIRECTORY>/config/.

To be sure, please turn on DEBUG logging for TeamCity; the LDAP plugin will then dump the context it is working with.


---
Maxim


Maxim,

Thank you. And perhaps I jumped ahead of myself. I've ignored SSL warnings for HTTPS connections by creating a no-op X509TrustManager before. I didn't realize the LDAP context factory was different. I guess I have some reading to do on what interfaces to implement to provide my own version of the com.sun.jndi.ldap.LdapCtxFactory class.

Thanks again!

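As an added example (not TeamCity's, the LDAP plugin's, or either poster's code): rather than a no-op X509TrustManager, which turns LDAPS into an unauthenticated encrypted channel that any host on the path could terminate, the class below builds an SSLContext that trusts only the domain controller's own certificate exported to a PEM file. This avoids touching the JVM-wide cacerts (so no ticket to IT) while still rejecting any other certificate. The JNDI LDAP provider accepts such a class through the `java.naming.ldap.factory.socket` environment property and calls its static `getDefault()` method, so the context factory itself does not need to be replaced. The package name, the `ldap.pinned.cert` system property, and the PEM path are assumptions for illustration.

```java
package example; // hypothetical package name

import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

/**
 * SSLSocketFactory whose trust store contains only the DC certificate(s)
 * read from a PEM file. Everything else is delegated to the JVM's own
 * TLS implementation, so cipher suites and protocol versions stay at
 * their defaults.
 *
 * Wire it up in ldap-config.properties (assumed property line):
 *   java.naming.ldap.factory.socket=example.PinnedLdapSocketFactory
 */
public final class PinnedLdapSocketFactory extends SSLSocketFactory {

    // Hypothetical: where the exported DC certificate lives.
    private static final String PEM_PATH =
            System.getProperty("ldap.pinned.cert", "/path/to/dc-cert.pem");

    private static final SSLSocketFactory DELEGATE = buildDelegate();

    /** JNDI invokes this static method for the class named in the property. */
    public static SocketFactory getDefault() {
        return new PinnedLdapSocketFactory();
    }

    private static SSLSocketFactory buildDelegate() {
        try (InputStream in = new FileInputStream(PEM_PATH)) {
            // Parse one or more PEM certificates (leaf and/or issuing CA).
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
            trust.load(null, null); // empty in-memory store, nothing from cacerts
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                trust.setCertificateEntry("dc-" + (i++), c);
            }
            if (i == 0) {
                throw new IllegalStateException("no certificates found in " + PEM_PATH);
            }
            // Standard PKIX trust manager, restricted to that store.
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                    TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trust);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            return ctx.getSocketFactory();
        } catch (Exception e) {
            // Fail closed: a missing or unreadable pin must not fall back to trust-all.
            throw new IllegalStateException(
                    "cannot load pinned LDAP certificate from " + PEM_PATH, e);
        }
    }

    // Every factory method simply forwards to the pinned context.
    @Override public String[] getDefaultCipherSuites() { return DELEGATE.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return DELEGATE.getSupportedCipherSuites(); }

    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose)
            throws IOException { return DELEGATE.createSocket(s, host, port, autoClose); }
    @Override public Socket createSocket(String host, int port)
            throws IOException { return DELEGATE.createSocket(host, port); }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
            throws IOException { return DELEGATE.createSocket(host, port, localHost, localPort); }
    @Override public Socket createSocket(InetAddress host, int port)
            throws IOException { return DELEGATE.createSocket(host, port); }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort)
            throws IOException { return DELEGATE.createSocket(address, port, localAddress, localPort); }
    @Override public Socket createSocket() throws IOException { return DELEGATE.createSocket(); }
}
```

Compile this into a JAR, drop it where Maxim suggests (/WEB-INF/plugins/ldap/server/, falling back to /WEB-INF/lib/), point `ldap.pinned.cert` at the PEM exported from the DC, and confirm with DEBUG logging that the dumped context lists `java.naming.ldap.factory.socket`. Because the trust store replaces the JVM defaults rather than extending them, the connection fails closed when the DC rotates its certificate; that failure is the check that the pin is actually being enforced, and the fix is to refresh the PEM, not to widen the trust manager.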
