[JENKINS-13595] Active Directory authentication when making configuration changes locks out the user operating system IDs of any people identified in the security matrix for that project.

    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • Running Jenkins as a Windows service on a Win 2003 server using a master-slave setup.

      Making changes to configuration of projects triggers an Active Directory validation of the users on that project's security matrix, which results in AD locks of users' Windows IDs. Our AD system is set up to lock any ID that attempts to validate and fails to do so 3 times in a row. Users have to contact help desk to unlock IDs after that.

      I suspect that there might be an issue with Jenkins keeping older passwords internally and this causes locking when authentication attempts occur with the incorrect password. Our system forces password changes every 90 days. Unable to perform any kind of configuration changes for fear of locking out users.

      Rolled back from version 1.26 to 1.24, which was previously there, and the problem stopped occurring.

          Kohsuke Kawaguchi added a comment - Are you running this on 32bit JVM or 64bit JVM? I assume you were using the per-project security matrix?

          alexlombardi added a comment -

          Our Jenkins installation runs on a 32-bit JVM. And yes, each project has its own security matrix.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java
          http://jenkins-ci.org/commit/active-directory-plugin/1c4d2ee8b341426490db97fb5a72541ffdb1eec7
          Log:
          [FIXED JENKINS-13595] when attempting anonymous bind, don't specify the user name.

          If AD is configured not to allow anonymous bind, it'll be recorded as a failed login attempt, and depending on the security policy in question, it can lock the user out.

          Kohsuke Kawaguchi added a comment -

          Hmm, I still suspect you are using "64bit code path", which uses ActiveDirectoryUnixAuthenticationProvider instead of ActiveDirectoryAuthenticationProvider.

          Perhaps you specify a custom domain name? Does any stack trace report ActiveDirectoryUnixAuthenticationProvider?

          dogfood added a comment -

          Integrated in plugins_active-directory #60
          [FIXED JENKINS-13595] when attempting anonymous bind, don't specify the user name. (Revision 1c4d2ee8b341426490db97fb5a72541ffdb1eec7)

          Result = SUCCESS
          Kohsuke Kawaguchi :
          Files :

          • src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java

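The commit message above describes the failure mode: a bind meant to be anonymous that still names a user can be counted as that user's failed logon. The following is an added example, not code from the active-directory plugin; the class and method names and the sample host and DN are hypothetical. It builds a JNDI environment for an anonymous lookup and checks an environment for a user name that is sent without that user's password.

```java
import java.util.Hashtable;
import javax.naming.Context;

// Added illustration; names are hypothetical and no LDAP connection is opened.
public class AnonymousBindEnv {

    // Environment for an anonymous lookup: no principal and no credentials,
    // so the directory is given no account to record a failed logon against.
    static Hashtable<String, String> anonymous(String ldapUrl) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "none");
        return env;
    }

    // Returns a reason if the environment names a user without presenting
    // that user's password (the pattern the commit message warns about),
    // or null if no such pattern is present.
    static String lockoutRisk(Hashtable<String, String> env) {
        String principal = env.get(Context.SECURITY_PRINCIPAL);
        String credentials = env.get(Context.SECURITY_CREDENTIALS);
        String auth = env.get(Context.SECURITY_AUTHENTICATION);
        boolean named = principal != null && !principal.trim().isEmpty();
        boolean hasSecret = credentials != null && !credentials.isEmpty();
        if (named && "none".equalsIgnoreCase(auth)) {
            return "anonymous authentication requested but principal set: " + principal;
        }
        if (named && !hasSecret) {
            return "principal set without credentials: " + principal;
        }
        return null;
    }

    public static void main(String[] args) {
        String url = "ldap://dc.example.test:389"; // constructed sample value
        Hashtable<String, String> good = anonymous(url);
        Hashtable<String, String> bad = anonymous(url);
        // Constructed sample DN standing in for a user from a security matrix.
        bad.put(Context.SECURITY_PRINCIPAL, "CN=Sample User,CN=Users,DC=example,DC=test");
        System.out.println("anonymous env  -> " + lockoutRisk(good));
        System.out.println("named, no pass -> " + lockoutRisk(bad));
    }
}
```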

            Assignee: Unassigned
            Reporter: alexlombardi