Can't get it working. I have to use stunnel to be able integrate Jenkins with Google LDAP service. It works fine without stunnel

$ LDAPTLS_CERT=/etc/stunnel/gldap.crt LDAPTLS_KEY=/etc/stunnel/gldap.key \
ldapsearch -H ldaps://ldap.google.com -b "dc=example,dc=com" uid=alex mail

SASL/EXTERNAL authentication started
SASL username: st=California,c=US,ou=GSuite,cn=LDAP Client,l=Mountain View,o=Google Inc.
# extended LDIF
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=alex
# requesting: mail 

# alex, Users, example.com
dn: uid=alex,ou=Users,dc=example,dc=com
mail: alex@example.com

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

I have tried both - ubuntu-16.04 and 18.04. Stunnel config is pretty simple and based on official docs

# cat /etc/stunnel/ldap.conf 
debug = 7
output = /tmp/stunnel-gldap.log

client = yes
accept =
connect = ldap.google.com:636
cert = /etc/stunnel/gldap.crt
key = /etc/stunnel/gldap.key

But doesn't work via stunnel

$ ldapsearch -H ldap:// -b "dc=example,dc=com" uid=alex
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available:

Stunnel logs

2019.02.08 17:00:24 LOG7[main]: Service [ldap] accepted (FD=3) from
2019.02.08 17:00:24 LOG7[0]: Service [ldap] started
2019.02.08 17:00:24 LOG5[0]: Service [ldap] accepted connection from
2019.02.08 17:00:24 LOG6[0]: s_connect: connecting
2019.02.08 17:00:24 LOG7[0]: s_connect: s_poll_wait waiting 10 seconds
2019.02.08 17:00:24 LOG5[0]: s_connect: connected
2019.02.08 17:00:24 LOG5[0]: Service [ldap] connected remote server from
2019.02.08 17:00:24 LOG7[0]: Remote descriptor (FD=9) initialized
2019.02.08 17:00:24 LOG6[0]: SNI: sending servername: ldap.google.com
2019.02.08 17:00:24 LOG7[0]: SSL state (connect): before/connect initialization
2019.02.08 17:00:24 LOG7[0]: SSL state (connect): SSLv2/v3 write client hello A
2019.02.08 17:00:24 LOG6[0]: Certificate verification disabled
2019.02.08 17:00:24 LOG6[0]: Certificate verification disabled
2019.02.08 17:00:24 LOG7[0]:      1 client connect(s) requested
2019.02.08 17:00:24 LOG7[0]:      1 client connect(s) succeeded
2019.02.08 17:00:24 LOG7[0]:      0 client renegotiation(s) requested
2019.02.08 17:00:24 LOG7[0]:      0 session reuse(s)
2019.02.08 17:00:24 LOG6[0]: SSL connected: new session negotiated
2019.02.08 17:00:24 LOG7[0]: Peer certificate was cached (3201 bytes)
2019.02.08 17:00:24 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2019.02.08 17:00:24 LOG7[0]: Compression: null, expansion: null
2019.02.08 17:00:25 LOG6[0]: Read socket closed (readsocket)
2019.02.08 17:00:25 LOG7[0]: Sending close_notify alert
2019.02.08 17:00:25 LOG7[0]: SSL alert (write): warning: close notify
2019.02.08 17:00:25 LOG6[0]: SSL_shutdown successfully sent close_notify alert
2019.02.08 17:00:25 LOG6[0]: SSL socket closed (SSL_read)
2019.02.08 17:00:25 LOG7[0]: Sent socket write shutdown
2019.02.08 17:00:25 LOG5[0]: Connection closed: 71 byte(s) sent to SSL, 71 byte(s) sent to socket
2019.02.08 17:00:25 LOG7[0]: Remote descriptor (FD=9) closed
2019.02.08 17:00:25 LOG7[0]: Local descriptor (FD=3) closed
2019.02.08 17:00:25 LOG7[0]: Service [ldap] finished (0 left)

Also I have tried ldapsearch with debug output

$ ldapsearch -d5 -H ldap:// -b "dc=example,dc=com" uid=alex
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: supportedSASLMechanisms
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 64 bytes to sd 4
ldap_result ld 0x56265b1fd400 msgid 1
wait4msg ld 0x56265b1fd400 msgid 1 (infinite timeout)
wait4msg continue ld 0x56265b1fd400 msgid 1 all 1
** ld 0x56265b1fd400 Connections:
* host:  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Feb  8 17:02:39 2019

** ld 0x56265b1fd400 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x56265b1fd400 request count 1 (abandoned 0)
** ld 0x56265b1fd400 Response Queue:
  ld 0x56265b1fd400 response count 0
ldap_chkResponseList ld 0x56265b1fd400 msgid 1 all 1
ldap_chkResponseList returns ld 0x56265b1fd400 NULL
read1msg: ld 0x56265b1fd400 msgid 1 all 1
ber_get_next: tag 0x30 len 55 contents:
read1msg: ld 0x56265b1fd400 msgid 1 message type search-entry
wait4msg continue ld 0x56265b1fd400 msgid 1 all 1
** ld 0x56265b1fd400 Connections:
* host:  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Feb  8 17:02:39 2019

** ld 0x56265b1fd400 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x56265b1fd400 request count 1 (abandoned 0)
** ld 0x56265b1fd400 Response Queue:
 * msgid 1,  type 100
  ld 0x56265b1fd400 response count 1
ldap_chkResponseList ld 0x56265b1fd400 msgid 1 all 1
ldap_chkResponseList returns ld 0x56265b1fd400 NULL
read1msg: ld 0x56265b1fd400 msgid 1 all 1
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x56265b1fd400 msgid 1 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x56265b1fd400 0 new referrals
read1msg:  mark request completed, ld 0x56265b1fd400 msgid 1
request done: ld 0x56265b1fd400 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
adding response ld 0x56265b1fd400 msgid 1 type 101:
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_sasl_interactive_bind: server supports: EXTERNAL PLAIN
ldap_int_sasl_bind: EXTERNAL PLAIN
ldap_int_sasl_open: host=ws-alex
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available: 
ldap_free_connection 1 1
ber_flush2: 7 bytes to sd 4
ldap_free_connection: actually freed

The same thing with Jenkins when I try to use stunnel.

Authentication: failed for user "uid=alex,ou=Users,dc=example,dc=com"

User lookup: user "uid=alex,ou=Users,dc=example,dc=com" does not exist.
Does looking up user details require a Manager Dn and password?
Are the user search base and user search filter settings correct?

LDAP Group lookup: could not verify.
Please try with a user that is a member of at least one LDAP group.

The user "uid=alex,ou=Users,dc=example,dc=com" will be unable to login with the supplied password.
If this is your own account this would mean you would be locked out!
Are you sure you want to save this configuration?

Did I miss something? Or maybe there is some other workaround?

Thanks in advance


I was able to get success with ldapsearch with the following command (had to use bind_dn user)

$ ldapsearch -x -D "BIND_USER" -w 123456789 -H ldap:// -b "dc=example,dc=com" uid=alex
ldap_bind: Success (0)
    additional info: Valid access code
# extended LDIF
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=alex
# requesting: ALL

# alex, Users, example.com
dn: uid=alex,ou=Users,dc=example,dc=com

But Jenkins still doesn't work

  • 7,025
  • 1
  • 23
  • 39

1 Answers1


It's turned out that I have to use -Djavax.net.ssl.keyStore and -Djavax.net.ssl.keyStorePassword and pass custom keystore to the Jenkins

  1. Export certificate and private key to pkcs12
$ openssl pkcs12 -export -out ldap.google.com.p12 \
-inkey Google_2022_02_05_42182.key -in Google_2022_02_05_42182.crt

$ keytool -v -importkeystore -srckeystore ldap.google.com.p12 \
-srcstoretype PKCS12 -destkeystore keystore.p12 -deststoretype PKCS12
  1. Pass custom keystore to the Jenkins
$ docker run -it --rm --name jenkins -p 8080:8080 -p 50000:50000 -v jenkins_home:/var/jenkins_home \
-e JAVA_OPTS='-Djavax.net.ssl.trustStore=/var/jenkins_home/.keystore/keystore.p12 -Djavax.net.ssl.trustStorePassword=changeit' jenkins/jenkins:lts
  1. Configure Jenkins under Configure Global Security -> LDAP
Server: ldaps://ldap.google.com/
root DN: dc=example,dc=com
User search base: ou=users
User search filter: uid={0}
Group search base: ou=groups
Group search filter: objectclass=posixGroup
Group membership:
   Search for LDAP groups containing user: memberUid={1}
Manager DN: UntriedWel
Manager Password: 123456789

When you test LDAP settings you have to use only uid and not the full dn User: alex, Password: 987654321

And finally authentication was success

Authentication: successful
User ID: alex
User Dn: uid=alex,ou=ITsoft,ou=users,dc=example,dc=com
User Display Name: Alex Smith
User email: alex@example.com
LDAP Group membership: itsoft

User lookup: successful
User groups consistent (login and lookup)
LDAP Group lookup: successful (1 group)

I hope it will help other people

  • 7,025
  • 1
  • 23
  • 39