Jenkins / JENKINS-11643

v1.21 produces exception shortly after login: org.acegisecurity.AuthenticationServiceException: Unable to retrieve the user information without bind DN/password configured


Details

    Description

      After upgrading to v.21 of the active directory plugin we frequently see this error in the browser on the client. I did not see any errors in http://server/log/all. I can reproduce it fairly regularly: after logging in as a valid user, everything works OK. Then after a few minutes the error occurs. Specifically, if I go to Manage Jenkins/Configure System. Initially under Access control/authorization the users appear correctly. When the exception occurs, ERROR appears instead of the users. If I clear the browser cookies I can access Jenkins again. I have reproduced the client on Mac and Windows with both Chrome and Firefox. The error is:

      HTTP Status 500 -

      type Exception report

      message

      description The server encountered an internal error () that prevented it from fulfilling this request.

      exception

      org.acegisecurity.AuthenticationServiceException: Unable to retrieve the user information without bind DN/password configured
      hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:125)
      hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:101)
      hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:67)
      hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:18)
      org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices.loadUserDetails(TokenBasedRememberMeServices.java:308)
      org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices.autoLogin(TokenBasedRememberMeServices.java:218)
      org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:104)
      hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
      hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
      hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:61)
      hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
      hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      note The full stack trace of the root cause is available in the Apache Tomcat/7.0.11 logs.


        Activity

          kohsuke Kohsuke Kawaguchi added a comment -

          This problem is caused by our not being able to support "remember me" feature with AD.

          The root fix requires core change to use User.impersonate for auto-login. Disabling the remember me support for AD in the meantime.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          src/main/java/hudson/plugins/active_directory/AbstractActiveDirectoryAuthenticationProvider.java
          src/main/java/hudson/plugins/active_directory/ActiveDirectoryAuthenticationProvider.java
          src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java
          src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
          http://jenkins-ci.org/commit/active-directory-plugin/00d5f5259c73555192a2808110d66abe73b56eea
          Log:
          JENKINS-11643 RememberMe doesn't work with AD in certain mode.

          dogfood dogfood added a comment -

          Integrated in plugins_active-directory #44
          JENKINS-11643 RememberMe doesn't work with AD in certain mode.

          Kohsuke Kawaguchi :
          Files :

          • src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java
          • src/main/java/hudson/plugins/active_directory/AbstractActiveDirectoryAuthenticationProvider.java
          • src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
          • src/main/java/hudson/plugins/active_directory/ActiveDirectoryAuthenticationProvider.java

          boerrild2 Christoffer Børrild added a comment -

          I still get the exception with Jenkins 1.440 and AD plugin v.22 when I try to add a new user/group to the project based authorization matrix. The "user/group" ends up being "ERROR" no matter what I supply as name.

          aflat aflat added a comment -

          I also get this error, using the jenkins-cli, AD 1.22 and Jenkins 1.439

          aflat aflat added a comment -

          I get something similar to Christoffer, when I try to configure a job, with project based auth, some of the users get replaced with ERROR, clicking on error expands it, to show a 403 error. Trying to save the job brings me to the Jenkins login page. Attached my log ADerrorLog2.txt

          aflat aflat added a comment -

          It looks like when I configure a matrix based security job Jenkins is trying to validate all the user/passwords for all the users listed in the matrix, even though we don't have passwords for all those users. That's why my username listed in the matrix doesn't show ERROR link.

          aflat aflat added a comment -

          I was able to reproduce it with the git sources as well, running in debug mode.

          1. Set up AD security in Manage Jenkins, add yourself as an admin
          2. Create a new job.
          3. Configure the job, and add Matrix based security, add another user to the matrix, that isn't you, then save the job.
          4. Configure the job again, and you should see ERROR instead of the other user.


          kohsuke Kohsuke Kawaguchi added a comment -

          The comment from Nov 11th onward is about a different issue (JENKINS-11720) than the original problem.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          changelog.html
          core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
          test/src/test/groovy/hudson/security/TokenBasedRememberMeServices2Test.groovy
          http://jenkins-ci.org/commit/jenkins/2dbd6eca7f8c19222a04f68b548d54a163883ba0
          Log:
          JENKINS-11643

          An unexpected failure in processing remember me cookie should be handled
          gracefully. In particular, possibly problematic cookie should be
          removed, or else the browser will keep bombarding the server with the
          same cookie, and will never be able to get through.

          It's much better to just drop the cookie.

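
The handling described in the commit message above, sketched as an added example (not the code from the Jenkins commit): a remember-me auto-login that continues anonymously and expires the cookie when the token is invalid or the user lookup fails unexpectedly. The class name, cookie name and `user:rest` token layout are hypothetical, and token validation is passed in as an assumed check.

```java
import java.util.Objects;
import java.util.Optional;
import java.util.function.Function;
import java.util.function.Predicate;

/** Added illustration; names are hypothetical, not Jenkins or Acegi classes. */
public class RememberMeAutoLogin {
    static final String COOKIE = "REMEMBER_ME"; // assumed cookie name

    /** Result of one request: the logged-in user (if any) and a Set-Cookie value to send. */
    record Outcome(Optional<String> user, Optional<String> setCookie) {}

    /** Set-Cookie value that makes the browser delete the cookie (Max-Age=0). */
    static String expireCookie() {
        return COOKIE + "=; Max-Age=0; Path=/; HttpOnly; Secure";
    }

    /**
     * @param cookieValue value sent by the browser, or null if the cookie is absent
     * @param validToken  signature and expiry check (assumed to exist elsewhere)
     * @param loadUser    backend lookup; may throw on misconfiguration or outage
     */
    static Outcome autoLogin(String cookieValue, Predicate<String> validToken,
                             Function<String, String> loadUser) {
        if (cookieValue == null) return new Outcome(Optional.empty(), Optional.empty());
        try {
            if (!validToken.test(cookieValue)) throw new IllegalArgumentException("bad token");
            String name = cookieValue.split(":", 2)[0]; // assumed layout: user:rest
            String user = Objects.requireNonNull(loadUser.apply(name), "unknown user");
            return new Outcome(Optional.of(user), Optional.empty());
        } catch (RuntimeException e) {
            // Any failure: serve the request anonymously and drop the cookie, so the
            // browser stops replaying a token that fails on every request.
            return new Outcome(Optional.empty(), Optional.of(expireCookie()));
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a backend that cannot look users up without a bind.
        Function<String, String> broken = n -> {
            throw new IllegalStateException("cannot retrieve user without bind DN/password");
        };
        Outcome failed = autoLogin("alice:1700000000:sig", t -> true, broken);
        System.out.println(failed.user().isPresent() + " | " + failed.setCookie().orElse("-"));

        Outcome ok = autoLogin("alice:1700000000:sig", t -> true, n -> n);
        System.out.println(ok.user().orElse("-") + " | " + ok.setCookie().orElse("-"));
    }
}
```
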
          dogfood dogfood added a comment -

          Integrated in jenkins_main_trunk #3220
          JENKINS-11643 (Revision 2dbd6eca7f8c19222a04f68b548d54a163883ba0)

          Result = SUCCESS
          kohsuke : 2dbd6eca7f8c19222a04f68b548d54a163883ba0
          Files :

          • changelog.html
          • core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
          • test/src/test/groovy/hudson/security/TokenBasedRememberMeServices2Test.groovy

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java
          http://jenkins-ci.org/commit/active-directory-plugin/4f65a3f926aa857e94ea18b687c806eaabaff270
          Log:
          [JENKINS-11643 JENKINS-9258]

          Revisiting the defensive check needed for JENKINS-11643 in light of making the remember me service work (JENKINS-9258)

          I've made changes in the core so that the TokenBasedRememberMeService2.autoLogin consults
          the LastGrantedAuthoritiesProperty of the User object in Jenkins 1.556. So when used with
          newer version of Jenkins, I can make remember me work with AD.

          This fix makes AD plugin behave gracefully with earlier versions, while still allowing me
          to leverage new additions in 1.556.

          People

            Unassigned Unassigned
            danscha Dan Schaffer