[JENKINS-11948] jenkins-cli can't login to AD enabled server - Jenkins Jira

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Major
Resolution: Fixed
Component/s: active-directory-plugin
Labels:
None
Environment:
Jenkins ver. 1.443-SNAPSHOT (private-11/30/2011 01:22 GMT-jenkins) - your official CI build
active directory plugin 1.24-SNAPSHOT (private-11/30/2011 01:58-jenkins) - from your official CI build

Similar Issues:

Show

Description

When I try to login using the jenkins-cli.jar using the command

java -jar jenkins-cli.jar -s http://hudson:8080 login --username user@domain1.com

and pass in a password token(I get the same issue when I use --password as well) I get a failure to login. The stack trace is attached. It throws an error trying to look up the user 'user@domain1.com.second.domain2.co.uk'.
If I just try to use user instead of use@domain1.com it fails trying to look up the user 'user@second.domain2.co.uk'
I do have a list of active directory Domain Names set up, comma separated, 'domain1.com,second.domain2.co.uk' so it is falling back to the last name, but it never finds the user, which is located in domain1.com.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

ADerrorLog3.txt
4 kB
2011-12-01 14:37

Activity

Ascending order - Click to sort in descending order

aflat added a comment - 2011-12-16 16:07 - edited

Not sure what is happening here. If I run the AD plugin in debug mode, via netbeans(linking against jenkins core 1.442), when I go to Manage Jenkins, Configure System, under the Security Realm, select Active Directory, and I get choices to enter

Domain Name
Domain controller
Site
Bind DN
Bind Password

But when I take the hpi from that same set of sources, and drop it into a running instance of Jenkins (in this case 1.442) the only options I get are

Domain Name
Domain controller

No errors are thrown, I just can't see them to configure them. I tried copy/pasting (the debug version is running locally, and the full running instance is in a VM) but that didn't work(I didn't figure it would anyways)

aflat added a comment - 2011-12-16 16:07 - edited Not sure what is happening here. If I run the AD plugin in debug mode, via netbeans(linking against jenkins core 1.442), when I go to Manage Jenkins, Configure System, under the Security Realm, select Active Directory, and I get choices to enter Domain Name Domain controller Site Bind DN Bind Password But when I take the hpi from that same set of sources, and drop it into a running instance of Jenkins (in this case 1.442) the only options I get are Domain Name Domain controller No errors are thrown, I just can't see them to configure them. I tried copy/pasting (the debug version is running locally, and the full running instance is in a VM) but that didn't work(I didn't figure it would anyways)

aflat added a comment - 2011-12-16 16:49

Tried 1.443 as well, still the same issue.

aflat added a comment - 2011-12-16 16:49 Tried 1.443 as well, still the same issue.

aflat added a comment - 2011-12-16 16:53

I should also mention, that once I do enter the bind dn/pass I can use the CLI to login.

aflat added a comment - 2011-12-16 16:53 I should also mention, that once I do enter the bind dn/pass I can use the CLI to login.

Kohsuke Kawaguchi added a comment - 2011-12-16 18:04

The behaviour difference you are seeing between your development environment vs production instance is likely because of the OS difference. When Jenkins runs on 32bit Windows, we switch to native ADSI implementation that's better integrated with Windows that's running the user.

Kohsuke Kawaguchi added a comment - 2011-12-16 18:04 The behaviour difference you are seeing between your development environment vs production instance is likely because of the OS difference. When Jenkins runs on 32bit Windows, we switch to native ADSI implementation that's better integrated with Windows that's running the user.

aflat added a comment - 2011-12-16 18:16

But the ADSI implementation doesn't allow me to login via the cli. It does make sense. My production and VM instances are 32 bit, where I don't see the bind dn info, my dev environment is 64 bit. But I still can't login to a 32 bit instance using the cli.

aflat added a comment - 2011-12-16 18:16 But the ADSI implementation doesn't allow me to login via the cli. It does make sense. My production and VM instances are 32 bit, where I don't see the bind dn info, my dev environment is 64 bit. But I still can't login to a 32 bit instance using the cli.

Kohsuke Kawaguchi added a comment - 2011-12-16 18:23

You should do "-~~username aflat" not "~~-username user@domain1.com". The error message returned is confusing indeed — what's happening is that it tries all the domains, but after all of them fail, it only reports the last failure, losing the records of the earlier failures. I fixed the error reporting in 1.24.

Note that the server console in 1.23 already reports all the individual authentication failures per domain. So you can look at that today to understand why your authentication with domain1 is failing.

Kohsuke Kawaguchi added a comment - 2011-12-16 18:23 You should do "- username aflat" not " -username user@domain1.com". The error message returned is confusing indeed — what's happening is that it tries all the domains, but after all of them fail, it only reports the last failure, losing the records of the earlier failures. I fixed the error reporting in 1.24. Note that the server console in 1.23 already reports all the individual authentication failures per domain. So you can look at that today to understand why your authentication with domain1 is failing.

aflat added a comment - 2011-12-16 18:34 - edited

I have tried both -username aflat and --username aflat@domain1.com, I get the same error, but it does append the domain in both cases(this was with AD plugin < 1.24)

With 1.24 I'm getting a different errror

org.acegisecurity.BadCredentialsException: Failed to retrieve user information f
or aflat; nested exception is javax.naming.AuthenticationException: [LDAP: er
ror code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext e
rror, data 52e, vece ]; remaining name 'DC=domain1,DC=com'
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProv
ider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:179)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProv
ider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:105)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProv
ider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:64)
at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.authenti
cate(ActiveDirectorySecurityRealm.java:519)
at hudson.security.AbstractPasswordBasedSecurityRealm$1.authenticate(Abs
tractPasswordBasedSecurityRealm.java:81)
at hudson.cli.CLICommand.main(CLICommand.java:181)
at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvo
cationHandler.java:274)
at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocat
ionHandler.java:255)
at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocat
ionHandler.java:215)
at hudson.remoting.UserRequest.perform(UserRequest.java:118)
at hudson.remoting.UserRequest.perform(UserRequest.java:48)
at hudson.remoting.Request$2.run(Request.java:287)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source
)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308
: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]
; remaining name 'DC=domain1,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.doSearch(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)

at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown So
urce)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown So
urce)
at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBu
ilder.java:52)
at hudson.plugins.active_directory.LDAPSearchBuilder.searchOne(LDAPSearc
hBuilder.java:42)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProv
ider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:140)
... 22 more

Again, this is with both aflat and aflat@domain1.com on the 32 bit server, 64bit server I can login fine.

aflat added a comment - 2011-12-16 18:34 - edited I have tried both -username aflat and --username aflat@domain1.com, I get the same error, but it does append the domain in both cases(this was with AD plugin < 1.24) With 1.24 I'm getting a different errror org.acegisecurity.BadCredentialsException: Failed to retrieve user information f or aflat; nested exception is javax.naming.AuthenticationException: [LDAP: er ror code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext e rror, data 52e, vece ]; remaining name 'DC=domain1,DC=com' at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProv ider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:179) at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProv ider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:105) at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProv ider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:64) at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.authenti cate(ActiveDirectorySecurityRealm.java:519) at hudson.security.AbstractPasswordBasedSecurityRealm$1.authenticate(Abs tractPasswordBasedSecurityRealm.java:81) at hudson.cli.CLICommand.main(CLICommand.java:181) at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:82) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvo cationHandler.java:274) at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocat ionHandler.java:255) at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocat ionHandler.java:215) at hudson.remoting.UserRequest.perform(UserRequest.java:118) at hudson.remoting.UserRequest.perform(UserRequest.java:48) at hudson.remoting.Request$2.run(Request.java:287) at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source) at java.util.concurrent.FutureTask.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source ) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308 : LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ] ; remaining name 'DC=domain1,DC=com' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source) at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source) at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source) at com.sun.jndi.ldap.LdapCtx.doSearch(Unknown Source) at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source) at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source) at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown So urce) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown So urce) at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBu ilder.java:52) at hudson.plugins.active_directory.LDAPSearchBuilder.searchOne(LDAPSearc hBuilder.java:42) at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProv ider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:140) ... 22 more Again, this is with both aflat and aflat@domain1.com on the 32 bit server, 64bit server I can login fine.

SCM/JIRA link daemon added a comment - 2011-12-16 18:34

Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
src/main/java/hudson/plugins/active_directory/ActiveDirectoryUserDetail.java
src/main/java/hudson/plugins/active_directory/MultiCauseBadCredentialsException.java
http://jenkins-ci.org/commit/active-directory-plugin/b73fbb9e6773214e02e068741b703d2c1fb33e4c
Log:
[FIXED JENKINS-11948] report all the causes, not just one.

SCM/JIRA link daemon added a comment - 2011-12-16 18:34 Code changed in jenkins User: Kohsuke Kawaguchi Path: src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java src/main/java/hudson/plugins/active_directory/ActiveDirectoryUserDetail.java src/main/java/hudson/plugins/active_directory/MultiCauseBadCredentialsException.java http://jenkins-ci.org/commit/active-directory-plugin/b73fbb9e6773214e02e068741b703d2c1fb33e4c Log: [FIXED JENKINS-11948] report all the causes, not just one.

Kohsuke Kawaguchi added a comment - 2011-12-16 18:40

I'm confused. 1.24 isn't released yet. How can you even try it?

I just pushed the change — do you think you can build the SNAPSHOT and run it for us?

Kohsuke Kawaguchi added a comment - 2011-12-16 18:40 I'm confused. 1.24 isn't released yet. How can you even try it? I just pushed the change — do you think you can build the SNAPSHOT and run it for us?

dogfood added a comment - 2011-12-16 18:47

Integrated in plugins_active-directory #49
[FIXED JENKINS-11948] report all the causes, not just one.

Kohsuke Kawaguchi :
Files :

src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
src/main/java/hudson/plugins/active_directory/ActiveDirectoryUserDetail.java
src/main/java/hudson/plugins/active_directory/MultiCauseBadCredentialsException.java

dogfood added a comment - 2011-12-16 18:47 Integrated in plugins_active-directory #49 [FIXED JENKINS-11948] report all the causes, not just one. Kohsuke Kawaguchi : Files : src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java src/main/java/hudson/plugins/active_directory/ActiveDirectoryUserDetail.java src/main/java/hudson/plugins/active_directory/MultiCauseBadCredentialsException.java

aflat added a comment - 2011-12-16 18:52

I still get the same issue listed above, but it lists "information for aflat@domain1.com" instead of just aflat. If I use the username aflat@domain1.com to login, I get "hudson.plugins.active_directory.MultiCauseBadCredentialsException: Either no suc
h user 'aflat@domain1.com' or incorrect password" but I can login, using the ui using the same user/pass (aflat/pass, not aflat@domain1.com/pass)

aflat added a comment - 2011-12-16 18:52 I still get the same issue listed above, but it lists "information for aflat@domain1.com" instead of just aflat. If I use the username aflat@domain1.com to login, I get "hudson.plugins.active_directory.MultiCauseBadCredentialsException: Either no suc h user 'aflat@domain1.com' or incorrect password" but I can login, using the ui using the same user/pass (aflat/pass, not aflat@domain1.com/pass)

aflat added a comment - 2011-12-16 18:53

And sorry, I said 1.24 when I meant SNAPSHOT, I've just been going by version numbers to keep it clear in my head right now. Been bouncing around versions a bit to see what works.

aflat added a comment - 2011-12-16 18:53 And sorry, I said 1.24 when I meant SNAPSHOT, I've just been going by version numbers to keep it clear in my head right now. Been bouncing around versions a bit to see what works.

People

Assignee:: Unassigned

Reporter:: aflat

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2011-12-01 14:37

Updated:: 2011-12-16 18:53

Resolved:: 2011-12-16 18:34