Fix Authentication for FIPS

src/main/java/hudson/security/LDAPSecurityRealm.java

@@ -39,6 +39,7 @@
 import hudson.util.Secret;
 import jenkins.model.IdStrategy;
 import jenkins.model.Jenkins;
+import jenkins.security.FIPS140;
 import jenkins.security.SecurityListener;
 import jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy;
 import jenkins.security.plugins.ldap.LDAPConfiguration;
@@ -753,6 +754,9 @@ public SecurityComponents createSecurityComponents() {
      */
     @Override
     protected UserDetails authenticate2(String username, String password) throws AuthenticationException {
+        if(FIPS140.useCompliantAlgorithms() && StringUtils.isNotBlank(password) && password.length() < 14) {
+            throw new org.springframework.ldap.AuthenticationException(new javax.naming.AuthenticationException("When running in FIPS compliance mode, the password must be at least 14 characters long"));
+        }
         return updateUserDetails((UserDetails) getSecurityComponents().manager2.authenticate(
                 new UsernamePasswordAuthenticationToken(fixUsername(username), password)).getPrincipal(), null);
     }

src/main/java/jenkins/security/plugins/ldap/LDAPConfiguration.java

@@ -36,6 +36,7 @@
 import hudson.util.Secret;
 import jenkins.model.Jenkins;
 import java.nio.charset.StandardCharsets;
+
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;

src/main/resources/jenkins/security/plugins/ldap/Messages.properties

@@ -6,6 +6,7 @@ LDAPSecurityRealm.LoginHeader=Login
 LDAPSecurityRealm.AuthenticationSuccessful=Authentication: successful
 LDAPSecurityRealm.AuthenticationFailed=Authentication: failed for user "{0}"
 LDAPSecurityRealm.AuthenticationFailedEmptyPass=Authentication: failed for user "{0}" with empty password
+LDAPSecurityRealm.AuthenticationFailedNotFipsCompliantPass=When running in FIPS compliance mode, the password must be at least 14 characters long
 LDAPSecurityRealm.UserId=User ID: {0}
 LDAPSecurityRealm.UserDn=User DN: {0}
 LDAPSecurityRealm.UserConfiguration=User Server: {0}

src/test/java/hudson/security/LDAPSecurityRealmWithFIPSTest.java

@@ -0,0 +1,51 @@
+package hudson.security;
+
+import hudson.util.Secret;
+import jenkins.model.IdStrategy;
+import jenkins.security.FIPS140;
+import jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy;
+import jenkins.security.plugins.ldap.LDAPConfiguration;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.FlagRule;
+import org.jvnet.hudson.test.JenkinsRule;
+
+public class LDAPSecurityRealmWithFIPSTest {
+
+    @Rule
+    public JenkinsRule r = new JenkinsRule();
+
+
+    @ClassRule
+    public static FlagRule<String> fipsFlag = FlagRule.systemProperty(FIPS140.class.getName() + ".COMPLIANCE", "true");
+
+    @Test
+    public void ldapAuthenticationWithFIPSTest() throws Exception {
+        final String server = "localhost";
+        final String rootDN = "ou=umich,dc=ou.edu";
+        final String userSearchBase = "cn=users,ou=umich,ou.edu";
+        final String managerDN = "cn=admin,ou=umich,ou.edu";
+        final String managerSecret = "secret";
+        final LDAPSecurityRealm realm = new LDAPSecurityRealm(
+                server,
+                rootDN,
+                userSearchBase,
+                null,
+                null,
+                null,
+                new FromUserRecordLDAPGroupMembershipStrategy("previousValue"),
+                managerDN,
+                Secret.fromString(managerSecret),
+                false,
+                false,
+                null,
+                null,
+                null,
+                null,
+                IdStrategy.CASE_INSENSITIVE,
+                IdStrategy.CASE_INSENSITIVE);
+        r.jenkins.setSecurityRealm(realm);
+        //realm.authenticate2("user","secret");
+    }
+}