JENKINS-11643

v1.21 produces exception shortly after login: org.acegisecurity.AuthenticationServiceException: Unable to retrieve the user information without bind DN/password configured


Details

    Description

      After upgrading to v.21 of the Active Directory plugin we frequently see this error in the browser on the client. I did not see any errors in http://server/log/all. I can reproduce it fairly regularly by logging in as a valid user; everything works OK. Then after a few minutes the error occurs. Specifically if I go to Manage Jenkins/Configure System. Initially under Access control/authorization the users appear correctly. When the exception occurs, ERROR appears instead of the users. If I clear the browser cookies I can access Jenkins again. I have reproduced this with clients on Mac and Windows with both Chrome and Firefox. The error is:

      HTTP Status 500 -

      type Exception report

      message

      description The server encountered an internal error () that prevented it from fulfilling this request.

      exception

      org.acegisecurity.AuthenticationServiceException: Unable to retrieve the user information without bind DN/password configured
      hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:125)
      hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:101)
      hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:67)
      hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:18)
      org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices.loadUserDetails(TokenBasedRememberMeServices.java:308)
      org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices.autoLogin(TokenBasedRememberMeServices.java:218)
      org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:104)
      hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
      hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
      hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:61)
      hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
      hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      note The full stack trace of the root cause is available in the Apache Tomcat/7.0.11 logs.


        Activity

          aflat aflat added a comment -

          I was able to reproduce it with the git sources as well, running in debug mode.

          1. Set up AD security in Manage Jenkins, add yourself as an admin
          2. Create a new job.
          3. Configure the job, and add Matrix based security, add another user to the matrix, that isn't you, then save the job.
          4. Configure the job again, and you should see ERROR instead of the other user.


          kohsuke Kohsuke Kawaguchi added a comment -

          The comment from Nov 11th onward is about a different issue (JENKINS-11720) than the original problem.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          changelog.html
          core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
          test/src/test/groovy/hudson/security/TokenBasedRememberMeServices2Test.groovy
          http://jenkins-ci.org/commit/jenkins/2dbd6eca7f8c19222a04f68b548d54a163883ba0
          Log:
          JENKINS-11643

          An unexpected failure in processing remember me cookie should be handled
          gracefully. In particular, possibly problematic cookie should be
          removed, or else the browser will keep bombarding the server with the
          same cookie, and will never be able to get through.

          It's much better to just drop the cookie.

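The behaviour described in the commit message above, as an added illustration that is not the Jenkins change itself: a browser replays a remember-me cookie over three requests, first with the failure left to escape and then with the cookie dropped on failure. The cookie name, the token format, and the `handle` and `browse` helpers are hypothetical and use only the JDK.

```java
import java.util.*;
import java.util.function.Function;

public class RememberMeCookieDemo {
    static final String COOKIE = "REMEMBER_ME"; // hypothetical cookie name

    // Stand-in for a user lookup that always fails, like the one in the stack trace above.
    static final Function<String, String> LOOKUP = user -> {
        throw new IllegalStateException("Unable to retrieve the user information");
    };

    /** Handles one request; returns the HTTP status and may edit the browser's cookie jar. */
    static int handle(Map<String, String> jar, boolean dropCookieOnFailure) {
        String token = jar.get(COOKIE);
        if (token == null) return 200;              // no cookie: served as anonymous
        try {
            LOOKUP.apply(token.split(":", 2)[0]);   // constructed token format "user:signature"
            return 200;                             // auto-login succeeded
        } catch (RuntimeException e) {
            if (!dropCookieOnFailure) return 500;   // failure escapes; cookie stays in the jar
            // Stands in for a Set-Cookie with Max-Age=0: the browser forgets the token.
            jar.remove(COOKIE);
            System.err.println("remember-me auto-login failed, cookie dropped: " + e.getMessage());
            return 200;                             // this request continues as anonymous
        }
    }

    /** Replays three requests from one browser and collects the status codes. */
    static List<Integer> browse(boolean dropCookieOnFailure) {
        Map<String, String> jar = new HashMap<>();
        jar.put(COOKIE, "alice:constructed-signature"); // constructed sample value
        List<Integer> statuses = new ArrayList<>();
        for (int i = 0; i < 3; i++) statuses.add(handle(jar, dropCookieOnFailure));
        return statuses;
    }

    public static void main(String[] args) {
        System.out.println("cookie kept:    " + browse(false));
        System.out.println("cookie dropped: " + browse(true));
    }
}
```

With the cookie kept, every request fails until the user clears cookies by hand, which matches the report; with the cookie dropped, the first failure is logged server-side and the session falls back to anonymous.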
          dogfood dogfood added a comment -

          Integrated in jenkins_main_trunk #3220
          JENKINS-11643 (Revision 2dbd6eca7f8c19222a04f68b548d54a163883ba0)

          Result = SUCCESS
          kohsuke : 2dbd6eca7f8c19222a04f68b548d54a163883ba0
          Files :

          • changelog.html
          • core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
          • test/src/test/groovy/hudson/security/TokenBasedRememberMeServices2Test.groovy

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java
          http://jenkins-ci.org/commit/active-directory-plugin/4f65a3f926aa857e94ea18b687c806eaabaff270
          Log:
          [JENKINS-11643 JENKINS-9258]

          Revisiting the defensive check needed for JENKINS-11643 in light of making the remember me service work (JENKINS-9258)

          I've made changes in the core so that the TokenBasedRememberMeService2.autoLogin consults
          the LastGrantedAuthoritiesProperty of the User object in Jenkins 1.556. So when used with
          a newer version of Jenkins, I can make remember me work with AD.

          This fix makes the AD plugin behave gracefully with earlier versions, while still allowing me
          to leverage new additions in 1.556.

          People

            Unassigned Unassigned
            danscha Dan Schaffer
            Votes: 4
            Watchers: 6