Defect #8068

LDAP Authentificaton doesn't verify certificate validity

Added by Siegfried Vogel about 7 years ago. Updated 11 months ago.

Status:NewStart date:2011-04-05
Priority:NormalDue date:
Assignee:-% Done:


Target version:-
Resolution: Affected version:1.1.2


LDAP Authentificaton doesn't verify certificate validity of the LDAP-server-certificate. Connection to the LDAP-Server with LDAPS is established, even if the server name in the certifitcate doesn't match or the certificate authority is not trustful.

Solution: If something is wrong with the certificate, or the certificate authority is not trustful, the connection to the LDAP-Server should be closed and any LDAP-Login should be disabled.

Related issues

Duplicated by Redmine - Defect #8091: LDAP Authentificaton doesn't verify certificate validity Closed 2011-04-05


#1 Updated by Etienne Massip about 7 years ago

  • Category set to LDAP

#2 Updated by Ruben Kruiswijk about 7 years ago

A possible 'fix' should be made optional. Not every company uses certificates issued by official certificate authorities. Their are enough self-signed certificates that still have to work.

#3 Updated by Tony Edmonds about 7 years ago

Whether the certificate is self-signed, signed by an in-house CA, or signed by an "official" CA, doesn't matter. Redmine should attempt to check the validity of the cert against information on the local machine. Nothing about a self-signed cert precludes this.

#4 Updated by Tony Edmonds about 7 years ago

I can't work out how to fix this myself, but one possible workaround is to use socat to proxy the LDAP port (389) on localhost to the real LDAPS service, validating the certificate along the way.

socat TCP4-LISTEN:389,bind=localhost,reuseaddr,fork,su=nobody,cafile=/etc/ssl/certs/ldapcert.pem &

Then point Redmine to localhost for LDAP (non TLS).

#5 Updated by ciaran jessup 11 months ago

The 'fix' (which should really be on by default or you could be sending your passwords anywhere :/) can be made by changing


to something along the lines of

                :encryption => {
                   method: :simple_tls,
                   tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS

(note I've removed the optional check of self.tls, this is purely for reference purposes!!!)

If the change above is made then the certificate will be verified correctly, if the certificate is self signed or not available in the operating system's certificate stores for some other reason then the instructions here explain how to install the relevant certificate.

Also available in: Atom PDF