Add the choice of whether to perform certificate verification when connect to ldaps://

[longping-t]

When connecting to LDAP server over SSL/TLS(LDAPS) with self-signed certificate, the jenkins server cannot connect to LDAP server.
The error log shows that [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target].

If we can get the cert from LDAP server, we import the cert to trust cacerts in jenkins server. Then the above error can be resolved. But if there are multiple servers, this is a bit troublesome.

Another way is to skip certificate validation.

Add the choice "SSL Verify" in LDAP configuarion for users to choose:

1. If checked(the default) and ldap server is an ldaps:// style URL, requiring the certificate to be verified.
2. If unchecked, Jenkins will not verify the server certificate.

[rsandell]

Can you write some for of test for this?

[rsandell]

Please avoid force pushing in the future if possible. It makes reviewing harder as I can't see what has changed since I last reviewed.

[wbehrens-on-gh]

It would also be nice to add some information to the readme about enabling ldaps:// currently even using Google returns 0 results about how to configure it in Jenkins

[Tethik]

If unchecked (the default), Jenkins will not verify the server certificate.

It's bad security practice to opt out of certificate validation by default as it opens up for man-in-the-middle attacks. Please leave it on, and allow users to opt out if needed.

[longping-t]

If unchecked (the default), Jenkins will not verify the server certificate.

It's bad security practice to opt out of certificate validation by default as it opens up for man-in-the-middle attacks. Please leave it on, and allow users to opt out if needed.

I have modified the default case to need to verify the certificate. Thank you for your advice.

[jtnord]

I would say this is not something that should be added.
If there is a need to support a self signed cert in 2024 then is there a reason that this cert can not be added to the JVM keystore?

[jtnord]

If we can get the cert from LDAP server, we import the cert to trust cacerts in jenkins server. Then the above error can be resolved. But if there are multiple servers, this is a bit troublesome.

FWIW: you can have a common root cert for these servers and then you can just import that root cert, not all of the certs.

[freafrea]

I would say this is not something that should be added. If there is a need to support a self signed cert in 2024 then is there a reason that this cert can not be added to the JVM keystore?

In my case it is an self-signed cert that is incorrectly generated and java is unable to trust it. As this is a corporate environment I do not have any way to force a fixed cert. Unfortunately the only solution I found is just skipping checks for these certs.