Active Directory Plugin performs TLS upgrade (StartTLS) after connecting to domain controllers through insecure LDAP. In this mode, certificates were not properly validated, effectively trusting all certificates, allowing man-in-the-middle attacks. This only affected TLS upgrades. The LDAPS mode, available by setting the system property hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps to true, was unaffected.