
Active Directory Plugin - Adding AD Group Throws BadCredentialsException

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Environment: OS: CentOs 6 64-bit; Hardware Platform: VMWare ESXi 5.0

      Adding an AD group, e.g. ciusers on Authorization type "Project-based Matrix Authorization Strategy", throws BadCredentialsException.

      Issue:
      doCheckName_() first tries finding a user; this fails and throws the BadCredentialsException. The function doCheckName_() then tries loadGroupByGroupname(), which throws UserMayOrMayNotExistException right away. Function doCheckName_() uses SecurityRealm.loadGroupByGroupname() instead of LDAPSecurityRealm.loadGroupByGroupname().

      Snippet of loadGroupByGroupname() from the SecurityRealm class:

      public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
          throw new UserMayOrMayNotExistException(groupname);
      }

      Snippet of loadGroupByGroupname() from the LDAPSecurityRealm class:

      public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
          // TODO: obtain a DN instead so that we can obtain multiple attributes later
          String searchBase = groupSearchBase != null ? groupSearchBase : "";
          final Set<String> groups = (Set<String>) ldapTemplate.searchForSingleAttributeValues(searchBase, GROUP_SEARCH,
                  new String[]{groupname}, "cn");

          if (groups.isEmpty())
              throw new UsernameNotFoundException(groupname);

          return new GroupDetails() {
              public String getName() {
                  return groups.iterator().next();
              }
          };
      }

      Snippet of doCheckName_():

      public FormValidation doCheckName_(String value, AccessControlled subject, Permission permission) throws IOException, ServletException {
          if (!subject.hasPermission(permission)) return FormValidation.ok(); // can't check

          final String v = value.substring(1, value.length() - 1);
          SecurityRealm sr = Jenkins.getInstance().getSecurityRealm();
          String ev = Functions.escape(v);

          if (v.equals("authenticated"))
              // system reserved group
              return FormValidation.respond(Kind.OK, makeImg("user.png") + ev);

          try {
              sr.loadUserByUsername(v);
              return FormValidation.respond(Kind.OK, makeImg("person.png") + ev);
          } catch (UserMayOrMayNotExistException e) {
              // undecidable, meaning the user may exist
              return FormValidation.respond(Kind.OK, ev);
          } catch (UsernameNotFoundException e) {
              // fall through next
          } catch (DataAccessException e) {
              // fall through next
          }

          try {
              sr.loadGroupByGroupname(v);
              return FormValidation.respond(Kind.OK, makeImg("user.png") + ev);
          } catch (UserMayOrMayNotExistException e) {
              // undecidable, meaning the group may exist
              return FormValidation.respond(Kind.OK, ev);
          } catch (UsernameNotFoundException e) {
              // fall through next
          } catch (DataAccessException e) {
              // fall through next
          }

          // couldn't find it. it doesn't exist
          return FormValidation.respond(Kind.ERROR, makeImg("error.png") + ev);
      }

      Stack trace snippet:
      Failed to test the validity of the user name ciusers
      org.acegisecurity.BadCredentialsException: Authentication was successful but cannot locate the user information for ciusers
      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:147)
      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:105)
      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:64)
      at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:23)
      at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:514)
      at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName_(GlobalMatrixAuthorizationStrategy.java:303)
      at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:288)
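The lookup order of doCheckName_() modelled as an added example (not Jenkins or Active Directory plugin code), so the gap between its catch clauses and the BadCredentialsException in the stack trace can be reproduced. The realm, the sample names and the exception hierarchy are constructed stand-ins; only the class names are taken from the page, and the optional broader catch is one possible handling, not the fix shipped in 1.24.

```python
class AuthenticationException(Exception):
    """Stand-in for the org.acegisecurity base exception (assumed hierarchy)."""
class BadCredentialsException(AuthenticationException):
    """What the AD realm throws in the page's stack trace."""
class UsernameNotFoundException(AuthenticationException):
    """What doCheckName_() expects for 'not a user, try groups next'."""
class UserMayOrMayNotExistException(UsernameNotFoundException):
    """The undecidable case; SecurityRealm.loadGroupByGroupname() throws it."""

class StubRealm:
    """Constructed realm: an unknown user is reported with BadCredentialsException,
    as the AD plugin does on the page, not with UsernameNotFoundException."""
    def __init__(self, users, groups):
        self.users, self.groups = set(users), set(groups)
    def load_user_by_username(self, name):
        if name in self.users:
            return name
        raise BadCredentialsException("cannot locate the user information for " + name)
    def load_group_by_groupname(self, name):
        if name in self.groups:
            return name
        raise UsernameNotFoundException(name)

def check_name(realm, value, fall_through_on=UsernameNotFoundException):
    """Mirrors doCheckName_(): user lookup, then group lookup.  By default only
    UsernameNotFoundException falls through, as in the page's catch clauses;
    passing AuthenticationException lets other realm failures reach the group
    lookup instead of escaping the form check (one possible handling, assumed)."""
    try:
        realm.load_user_by_username(value)
        return ("OK", "person.png")
    except UserMayOrMayNotExistException:
        return ("OK", None)          # undecidable: the user may exist
    except fall_through_on:
        pass                         # not a user: try groups next
    try:
        realm.load_group_by_groupname(value)
        return ("OK", "user.png")
    except UserMayOrMayNotExistException:
        return ("OK", None)          # undecidable: the group may exist
    except UsernameNotFoundException:
        pass
    return ("ERROR", "error.png")    # neither a user nor a group
def outcome(realm, value, fall_through_on=UsernameNotFoundException):
    """The check's result, or the name of the exception that escaped it."""
    try:
        return check_name(realm, value, fall_through_on)
    except AuthenticationException as exc:
        return type(exc).__name__
REALM = StubRealm(users={"alice"}, groups={"ciusers"})  # constructed sample data
```

With the page's catch clauses a valid group name never reaches the group lookup, because the realm's BadCredentialsException is not a UsernameNotFoundException; widening the fall-through is what makes the group lookup run.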


          Tony Lee added a comment -

          Suggestions:
          1. Split doCheckName_() into 2 methods, one for trying loadUserByUsername() and the other one for trying loadGroupByGroupname(). The UI add user/group field needs to be split as well, one for adding user and the other one for adding group.
          2. The error message for adding a group is misleading. Currently it throws BadCredentialsException("...user..."). A GroupnameNotFoundException (this exception doesn't exist) should be thrown when ldap search returns empty result.


          Kohsuke Kawaguchi added a comment -

          Fixed in 1.24.

          Dan Dexter added a comment -

          This appears to still be happening, perhaps a regression or some other cause. If I only have a group specified in matrix-based security it will not allow a full login and I get a 404 error. If I have my AD user name specified then it works.


          WARNING: Credential exception tying to authenticate against . domain
          org.acegisecurity.userdetails.UsernameNotFoundException: Authentication was successful but cannot locate the user information for group

          Dan Dexter added a comment -

          Never mind on my previous note. I figured out the issue. It looks like some parts of the plugin and/or authentication routine are case sensitive. I can enter the group name as all lower case, for example, and it will show the group icon showing it's able to look it up properly, but it will only fully authenticate if I enter the group name with the exact same case as it's entered in AD. I will close this out.


          Dan Dexter added a comment -

          See my previous note.


          John Prester added a comment -

          What is the status of this issue? I'm still seeing it in version 1.29 of the plugin. Will it be fixed by a code change in an upcoming release?


          Krzysztof Malinowski added a comment -

          Seems to be a related requirement.

            Assignee: Unassigned
            Reporter: Tony Lee (tlee)