JENKINS-11948

jenkins-cli can't login to AD enabled server


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • Jenkins ver. 1.443-SNAPSHOT (private-11/30/2011 01:22 GMT-jenkins) - your official CI build
      active directory plugin 1.24-SNAPSHOT (private-11/30/2011 01:58-jenkins) - from your official CI build

    Description

      When I try to log in using jenkins-cli.jar with the command

      java -jar jenkins-cli.jar -s http://hudson:8080 login --username user@domain1.com

      and pass in a password token (I get the same issue when I use --password as well), I get a failure to log in. The stack trace is attached. It throws an error trying to look up the user 'user@domain1.com.second.domain2.co.uk'.
      If I just try to use user instead of user@domain1.com, it fails trying to look up the user 'user@second.domain2.co.uk'.
      I do have a list of Active Directory domain names set up, comma separated, 'domain1.com,second.domain2.co.uk', so it is falling back to the last name, but it never finds the user, which is located in domain1.com.

        Activity

          aflat aflat added a comment - - edited

          Not sure what is happening here. If I run the AD plugin in debug mode, via NetBeans (linking against Jenkins core 1.442), when I go to Manage Jenkins, Configure System, under the Security Realm, select Active Directory, and I get choices to enter

          Domain Name
          Domain controller
          Site
          Bind DN
          Bind Password

          But when I take the hpi from that same set of sources, and drop it into a running instance of Jenkins (in this case 1.442) the only options I get are

          Domain Name
          Domain controller

          No errors are thrown, I just can't see them to configure them. I tried copy/pasting (the debug version is running locally, and the full running instance is in a VM) but that didn't work (I didn't figure it would anyway).

          aflat aflat added a comment -

          Tried 1.443 as well, still the same issue.

          aflat aflat added a comment -

          I should also mention, that once I do enter the bind dn/pass I can use the CLI to login.


          kohsuke Kohsuke Kawaguchi added a comment -

          The behaviour difference you are seeing between your development environment vs production instance is likely because of the OS difference. When Jenkins runs on 32bit Windows, we switch to native ADSI implementation that's better integrated with Windows that's running the user.

          aflat aflat added a comment -

          But the ADSI implementation doesn't allow me to login via the cli. It does make sense. My production and VM instances are 32 bit, where I don't see the bind dn info, my dev environment is 64 bit. But I still can't login to a 32 bit instance using the cli.


          kohsuke Kohsuke Kawaguchi added a comment -

          You should do "-username aflat" not "-username user@domain1.com". The error message returned is confusing indeed — what's happening is that it tries all the domains, but after all of them fail, it only reports the last failure, losing the records of the earlier failures. I fixed the error reporting in 1.24.

          Note that the server console in 1.23 already reports all the individual authentication failures per domain. So you can look at that today to understand why your authentication with domain1 is failing.

          aflat aflat added a comment - - edited

          I have tried both -username aflat and --username aflat@domain1.com, I get the same error, but it does append the domain in both cases (this was with AD plugin < 1.24).

          With 1.24 I'm getting a different error

          org.acegisecurity.BadCredentialsException: Failed to retrieve user information for aflat; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]; remaining name 'DC=domain1,DC=com'
              at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:179)
              at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:105)
              at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:64)
              at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.authenticate(ActiveDirectorySecurityRealm.java:519)
              at hudson.security.AbstractPasswordBasedSecurityRealm$1.authenticate(AbstractPasswordBasedSecurityRealm.java:81)
              at hudson.cli.CLICommand.main(CLICommand.java:181)
              at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:82)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
              at java.lang.reflect.Method.invoke(Unknown Source)
              at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:274)
              at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:255)
              at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:215)
              at hudson.remoting.UserRequest.perform(UserRequest.java:118)
              at hudson.remoting.UserRequest.perform(UserRequest.java:48)
              at hudson.remoting.Request$2.run(Request.java:287)
              at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
              at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
              at java.util.concurrent.FutureTask.run(Unknown Source)
              at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
              at java.lang.Thread.run(Unknown Source)
          Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]; remaining name 'DC=domain1,DC=com'
              at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
              at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
              at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
              at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
              at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
              at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
              at com.sun.jndi.ldap.LdapCtx.doSearch(Unknown Source)
              at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
              at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
              at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
              at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
              at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
              at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
              at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBuilder.java:52)
              at hudson.plugins.active_directory.LDAPSearchBuilder.searchOne(LDAPSearchBuilder.java:42)
              at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:140)
              ... 22 more

          Again, this is with both aflat and aflat@domain1.com on the 32 bit server, 64bit server I can login fine.


          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
          src/main/java/hudson/plugins/active_directory/ActiveDirectoryUserDetail.java
          src/main/java/hudson/plugins/active_directory/MultiCauseBadCredentialsException.java
          http://jenkins-ci.org/commit/active-directory-plugin/b73fbb9e6773214e02e068741b703d2c1fb33e4c
          Log:
          [FIXED JENKINS-11948] report all the causes, not just one.

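
          The behaviour discussed in this thread (try every configured domain, then report all the causes rather than only the last one) can be sketched as below, together with a reading of the "data 52e" sub-status from the trace quoted earlier. This is an added example, not the plugin's code and not part of any comment: AllDomainsFailedException, DomainBinder, login and explain are hypothetical names, the bind is a stub, the failure messages are constructed from the ones quoted in this issue, and the sub-status table lists only four well-known Active Directory values.

```java
import java.util.*;
import java.util.regex.*;

public class MultiDomainLoginDemo {
    /** Hypothetical aggregate exception: keeps one failure per domain tried. */
    static class AllDomainsFailedException extends Exception {
        final Map<String, Exception> causes;
        AllDomainsFailedException(String user, Map<String, Exception> causes) {
            // Generic text for the caller; per-domain detail stays in 'causes' for server logs.
            super("Either no such user '" + user + "' or incorrect password");
            this.causes = causes;
        }
    }
    /** Stand-in for the per-domain LDAP bind and lookup (assumed interface, not a real API). */
    interface DomainBinder { void bind(String domain, String user, String pw) throws Exception; }
    static final Pattern SUB_STATUS = Pattern.compile("data ([0-9a-f]+)");
    static final Map<String, String> MEANING = Map.of(
        "525", "user not found", "52e", "invalid credentials",
        "533", "account disabled", "775", "account locked out");

    /** Extracts the AD sub-status (the "data 52e" part) from an LDAP error 49 message. */
    static String explain(String ldapMessage) {
        Matcher m = SUB_STATUS.matcher(ldapMessage);
        if (!m.find()) return "no AD sub-status in message";
        return m.group(1) + " = " + MEANING.getOrDefault(m.group(1), "unlisted sub-status");
    }

    /** Tries each domain in order and returns the one that accepted the login. */
    static String login(List<String> domains, String user, String pw, DomainBinder binder)
            throws AllDomainsFailedException {
        Map<String, Exception> causes = new LinkedHashMap<>();
        for (String domain : domains) {
            try {
                binder.bind(domain, user, pw);
                return domain;
            } catch (Exception e) {
                causes.put(domain, e); // keep every failure, not only the last one
            }
        }
        throw new AllDomainsFailedException(user, causes);
    }

    public static void main(String[] args) {
        // Constructed failures, modelled on the messages quoted in this issue.
        DomainBinder failing = (domain, user, pw) -> { throw new Exception(domain.equals("domain1.com")
            ? "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]"
            : "no such user " + user + "@" + domain); };
        try {
            login(List.of("domain1.com", "second.domain2.co.uk"), "aflat", "constructed", failing);
        } catch (AllDomainsFailedException e) {
            System.out.println(e.getMessage());
            e.causes.forEach((d, c) -> System.out.println("  " + d + ": " + explain(c.getMessage())));
        }
    }
}
```
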

          kohsuke Kohsuke Kawaguchi added a comment -

          I'm confused. 1.24 isn't released yet. How can you even try it?

          I just pushed the change — do you think you can build the SNAPSHOT and run it for us?

          dogfood dogfood added a comment -

          Integrated in plugins_active-directory #49
          [FIXED JENKINS-11948] report all the causes, not just one.

          Kohsuke Kawaguchi :
          Files :

          • src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
          • src/main/java/hudson/plugins/active_directory/ActiveDirectoryUserDetail.java
          • src/main/java/hudson/plugins/active_directory/MultiCauseBadCredentialsException.java
          aflat aflat added a comment -

          I still get the same issue listed above, but it lists "information for aflat@domain1.com" instead of just aflat. If I use the username aflat@domain1.com to log in, I get "hudson.plugins.active_directory.MultiCauseBadCredentialsException: Either no such user 'aflat@domain1.com' or incorrect password", but I can log in using the UI with the same user/pass (aflat/pass, not aflat@domain1.com/pass).

          aflat aflat added a comment -

          And sorry, I said 1.24 when I meant SNAPSHOT, I've just been going by version numbers to keep it clear in my head right now. Been bouncing around versions a bit to see what works.


          People

            Unassigned Unassigned
            aflat aflat