
With Active Directory Plugin, the user/group validation in authorization strategy of configuration screen fails

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Environment: Win Server 2008, AIX, AD plugin version=1.26, Jenkins version=1.424.6

      Using the Project-based Matrix Authorization Strategy, the identification of the usernames doesn't work properly. Sometimes the username is recognized, sometimes the user's full name is recognized, and sometimes neither the username nor the full name is recognized.

      It worked in old versions of Jenkins and the plugin (1.16).

      The error message is:
      org.acegisecurity.BadCredentialsException: Failed to retrieve user information for xyz; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

          [JENKINS-14057] With Active Directory Plugin, the user/group validation in authorization strategy of configuration screen fails

          David Aldrich added a comment -

          Any news about this bug please?


          William Roberts added a comment -

          See also Jenkins-12619

          James Howe added a comment -

          Also see this error when using Basic authentication with API tokens.
          Every other request gives the same LDAP error (i.e. #1 fails, #2 is fine, #3 fails, etc.)

          Jenkins 1.500, ADPlugin 1.30


          Kenny Ayers added a comment -

          I'm having the same issue with Jenkins 1.489, and LDAP Plugin 1.2.


          David Aldrich added a comment -

          Still hoping for a fix for this bug.

          David


          Kohsuke Kawaguchi added a comment -

          If you see ActiveDirectoryUnixAuthenticationProvider in the stack trace on Windows, that's because you are running an earlier version of the AD plugin that does not support ADSI auth for 64-bit Windows.

          Also, when you report a stack trace, please do not truncate the stack trace. We need not just the error message but the stack frames leading up to it, including all the nested stack traces.

          If you are worried that the lengthy text will make the issue hard to look at, please use attachments.

          The error is because your AD does not allow anonymous bind, and therefore we cannot validate names of the other users. I believe specifying the bind DN and password will solve this problem.
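
A log-triage sketch for the error discussed in this thread, added here as an example (not part of any comment, and not code from Jenkins or the Active Directory plugin). It separates lookups that the directory refused because the connection had no successful bind from binds that were attempted and rejected, which tells an operator whether a bind DN is missing or simply wrong. The function names and all sample lines except the first are constructed for this example.

```python
import re
from collections import Counter

AD_ERR = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]+): "
    r"LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+)")
USER = re.compile(r"Failed to retrieve user information for (?P<user>[^;]+);")
NO_BIND = "a successful bind must be completed"

def parse_ad_error(line):
    """Return the AD error fields found in a log line (code as int), or None."""
    m = AD_ERR.search(line)
    return dict(m.groupdict(), code=int(m["code"])) if m else None

def classify(line):
    err = parse_ad_error(line)
    if err is None:
        return "other"
    # LDAP result code 1 is operationsError, 49 is invalidCredentials.
    if err["code"] == 1 and NO_BIND in err["comment"]:
        return "lookup-without-bind"  # operation sent on a connection with no bind
    if err["code"] == 49:
        return "bind-rejected"        # a bind was attempted and refused
    return "other-ldap-error"

def triage(lines):
    """Count error classes and the users whose lookup hit an unbound connection."""
    kinds, users = Counter(), Counter()
    for line in lines:
        kind = classify(line)
        kinds[kind] += 1
        m = USER.search(line)
        if kind == "lookup-without-bind" and m:
            users[m.group("user")] += 1
    return dict(kinds), dict(users)

# First line is the message from the report; the other three are constructed.
PREFIX = "org.acegisecurity.BadCredentialsException: Failed to retrieve user information for "
NO_BIND_ERR = ("; nested exception is javax.naming.NamingException: [LDAP: error code 1 - "
    "00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a "
    "successful bind must be completed on the connection., data 0, vece")
SAMPLE = [
    PREFIX + "xyz" + NO_BIND_ERR,
    PREFIX + "alice" + NO_BIND_ERR,
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]",
    "INFO: constructed unrelated log line",
]
```
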

          Trevor Baker added a comment - - edited

          >>>The error is because your AD does not allow anonymous bind, and therefore we cannot validate names of the other users. I believe specifying the bind DN and password will solve this problem.

          Where does one specify a bind user and password? The only options I see under Advanced are "Domain Name" and "Domain controller".


          Stefan added a comment -

          Attached complete stack trace of error message


          James Howe added a comment -

          >>The error is because your AD does not allow anonymous bind
          How does that account for the observation that the calls fail and succeed in alternation?


          James Howe added a comment -

          Have confirmed that with plugin version 1.33 and a Bind DN set this does work.
          However, the domain controller does allow anonymous binds, so there's still a bug here.


            kktest11 Kohsuke Kawaguchi
            lot Thorsten Löber
            Votes: 13
            Watchers: 18