Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-14057

With Active Directory Plugin, the user/group validation in authorization strategy of configuration screen fails

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • active-directory-plugin
    • None
    • Win Server 2008, AIX, AD plugin version=1.26, Jenkins version=1.424.6

    Description

      Using the Project-based Matrix Authorization Strategy the identification of the usernames doesn't work properly. Sometimes the username is recognized, sometimes the user fullname is recognized, sometimes nor the username neither the full name are recognized.

      It worked in old versions of jenkins and the plugin (1.16).

      The errormessage is:
      org.acegisecurity.BadCredentialsException: Failed to retrieve user information for xyz; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-12619 "Failed to test the validity of the user name" on all security matrices since upgrade

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-17581 Using the API Token beyond 496 causes intermittent 500 errors

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-18906 Problem with Active Directory plugin and Role-Based Strategy plugin working together

          • Major - Major loss of function.
          • Resolved

          Activity

            Ascending order - Click to sort in descending order
            View 10 older comments
            kohsuke Kohsuke Kawaguchi added a comment -

            If you see ActiveDirectoryUnixAuthenticationProvider in stack trace on Windows, that's because you are running earlier version of the AD plugin that does not support ADSI auth for 64bit Windows.

            Also, when you report a stack trace, please do not truncate the stack trace. We need not just the error message but the stack frames leading up to it, including all the nested stack traces.

            If you are worried that the lengthy text will make the issue hard to look at, please use attachments.

            The error is because your AD does not allow anonymous bind, and therefore we cannot validate names of the other users. I believe specifying the bind DN and password will solve this problem.

            kohsuke Kohsuke Kawaguchi added a comment - If you see ActiveDirectoryUnixAuthenticationProvider in stack trace on Windows, that's because you are running earlier version of the AD plugin that does not support ADSI auth for 64bit Windows. Also, when you report a stack trace, please do not truncate the stack trace. We need not just the error message but the stack frames leading up to it, including all the nested stack traces. If you are worried that the lengthy text will make the issue hard to look at, please use attachments. The error is because your AD does not allow anonymous bind, and therefore we cannot validate names of the other users. I believe specifying the bind DN and password will solve this problem.
            trbaker Trevor Baker added a comment - - edited

            >>>The error is because your AD does not allow anonymous bind, and therefore we cannot validate names of the other users. I believe specifying the bind DN and password will solve this problem.

            Where does one specify a bind user and password? The only options I see under Advanced are "Domain Name" and "Domain controller".

            trbaker Trevor Baker added a comment - - edited >>>The error is because your AD does not allow anonymous bind, and therefore we cannot validate names of the other users. I believe specifying the bind DN and password will solve this problem. Where does one specify a bind user and password? The only options I see under Advanced are "Domain Name" and "Domain controller".
            schtefan Stefan added a comment -

            Attached complete stack trace of error message

            schtefan Stefan added a comment - Attached complete stack trace of error message
            jameshowe James Howe added a comment -

            >>The error is because your AD does not allow anonymous bind
            How does that account for the observation that the calls fail and succeed in alternation?

            jameshowe James Howe added a comment - >>The error is because your AD does not allow anonymous bind How does that account for the observation that the calls fail and succeed in alternation?
            jameshowe James Howe added a comment -

            Have confirmed that with plugin version 1.33 and a Bind DN set this does work.
            However, the domain controller does allow anonymous binds, so there's still a bug here.

            jameshowe James Howe added a comment - Have confirmed that with plugin version 1.33 and a Bind DN set this does work. However, the domain controller does allow anonymous binds, so there's still a bug here.

            People

              kktest11 Kohsuke Kawaguchi
              lot Thorsten Löber
              Votes:
              13 Vote for this issue
              Watchers:
              18 Start watching this issue

              Dates

                Created:
                Updated: