[JENKINS-14057] With Active Directory Plugin, the user/group validation in authorization strategy of configuration screen fails

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Environment: Win Server 2008, AIX, AD plugin version=1.26, Jenkins version=1.424.6

      Using the Project-based Matrix Authorization Strategy, the identification of the usernames doesn't work properly. Sometimes the username is recognized, sometimes the user's full name is recognized, and sometimes neither the username nor the full name is recognized.

      It worked in old versions of Jenkins and the plugin (1.16).

      The error message is:
      org.acegisecurity.BadCredentialsException: Failed to retrieve user information for xyz; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece


          Stefan added a comment - - edited

          We are facing the same problems (with Jenkins 1.424.6 and Active Directory Plugin 1.29) and are interested in an error analysis or even a solution. The stack trace displayed in the Authorization Strategy table is:

          Caused by: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'DC=***,DC=***,DC=***'
          	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
          	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
          	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
          	at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
          	at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
          	at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
          	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
          	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
          	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
          	at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBuilder.java:52)
          	at hudson.plugins.active_directory.LDAPSearchBuilder.searchOne(LDAPSearchBuilder.java:42)
          	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:260)
          	... 66 more


          Stefan added a comment -

          I am also wondering why the class ActiveDirectoryUnixAuthenticationProvider is invoked although we are running on a Windows system.


          Stefan added a comment -

          I am asking who to assign issues related to the Active Directory plugin as the automatic assignment is Unassigned


          Dan Stine added a comment - - edited

          We also see a flavor of this error. Jenkins 1.466.1, Active Directory plugin 1.29, CentOS 5.6. I think we also had it under the covers in our prior combination (1.448 / 1.24), it was just less obvious because the "Failed to test the validity of the user name" message didn't show in the UI. We are also using Project-based Matrix Authorization Strategy.

          Caused by: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'DC=copyright,DC=com'
          


          David Aldrich added a comment - - edited

          We also see this error. We are running Jenkins 1.466.1 LTS with Active Directory authentication, on CentOS 5.8. The authentication has been working correctly, but today I noticed the following type of error in:

          Manage Jenkins > Configure System > Authorization > Project-based Matrix Authorization Strategy:

          Failed to test the validity of the user name <myname> (show details)
          org.acegisecurity.BadCredentialsException: Failed to retrieve user information for <myname>; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
          

          I clicked ‘Test’ underneath ‘Active Directory’ and it gave an error. I then downgraded the Active Directory plugin from 1.29 to 1.19. ‘Test’ now succeeds but the ‘Project-based Matrix Authorization Strategy’ area still shows the above error against each user.


          David Aldrich added a comment -

          Any news about this bug please?


          William Roberts added a comment -

          See also Jenkins-12619

          James Howe added a comment -

          Also see this error when using Basic authentication with API tokens.
          Every other request gives the same LDAP error (i.e. #1 fails, #2 is fine, #3 fails, etc.)

          Jenkins 1.500, ADPlugin 1.30


          Kenny Ayers added a comment -

          I'm having the same issue with Jenkins 1.489, and LDAP Plugin 1.2.


          David Aldrich added a comment -

          Still hoping for a fix for this bug.

          David


          Kohsuke Kawaguchi added a comment -

          If you see ActiveDirectoryUnixAuthenticationProvider in the stack trace on Windows, that's because you are running an earlier version of the AD plugin that does not support ADSI auth for 64-bit Windows.

          Also, when you report a stack trace, please do not truncate the stack trace. We need not just the error message but the stack frames leading up to it, including all the nested stack traces.

          If you are worried that the lengthy text will make the issue hard to look at, please use attachments.

          The error is because your AD does not allow anonymous bind, and therefore we cannot validate names of the other users. I believe specifying the bind DN and password will solve this problem.
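Added example, not part of the thread and not code from Jenkins or the Active Directory plugin: a small triage helper that parses the Active Directory diagnostic string quoted in this issue and separates "search sent on a connection with no successful bind" (the case the comment above describes) from a bind that was attempted and rejected. The names `classify` and `summarize` are hypothetical, and the third sample line is constructed with a placeholder DSID.

```python
import re
from collections import Counter

# Diagnostic text Active Directory places inside the JNDI NamingException.
# The closing "]" is optional because the UI message in this issue is cut off.
AD_ERR = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<status>[0-9A-Fa-f]{8}): "
    r"(?P<source>\w+): (?P<dsid>DSID-[0-9A-Fa-f]{8}), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), (?P<tag>\w+)\]?"
    r"(?:; remaining name '(?P<base>[^']*)')?"
)

RESULT_NAMES = {1: "operationsError", 49: "invalidCredentials"}  # RFC 4511


def classify(line):
    """Return parsed fields plus a verdict, or None if no AD error is present."""
    m = AD_ERR.search(line)
    if m is None:
        return None
    code = int(m["code"])
    if code == 1 and "successful bind must be completed" in m["comment"]:
        # A search ran on a connection that never authenticated.
        verdict = "search-without-bind"
    elif code == 49:
        # A bind was attempted and the directory refused the credentials.
        verdict = "bind-rejected"
    else:
        verdict = "other"
    return {"code": code, "result": RESULT_NAMES.get(code, "unknown"),
            "dsid": m["dsid"], "data": m["data"], "base": m["base"],
            "verdict": verdict}


def summarize(lines):
    """Count verdicts over a log excerpt, ignoring unrelated lines."""
    return Counter(r["verdict"] for r in map(classify, lines) if r)


# Constructed sample: the first two lines copy messages quoted in this issue,
# the third is a made-up rejected bind with a placeholder DSID and version tag.
SAMPLE = [
    "Caused by: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'DC=copyright,DC=com'",
    "nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v0000]",
    "INFO: Jenkins is fully up and running",
]
```

A "search-without-bind" verdict points at the lookup connection having no credentials (the bind DN and password discussed in this thread), while "bind-rejected" points at credentials that were supplied and refused.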

          Trevor Baker added a comment - - edited

          >>>The error is because your AD does not allow anonymous bind, and therefore we cannot validate names of the other users. I believe specifying the bind DN and password will solve this problem.

          Where does one specify a bind user and password? The only options I see under Advanced are "Domain Name" and "Domain controller".


          Stefan added a comment -

          Attached complete stack trace of error message


          James Howe added a comment -

          >>The error is because your AD does not allow anonymous bind
          How does that account for the observation that the calls fail and succeed in alternation?


          James Howe added a comment -

          Have confirmed that with plugin version 1.33 and a Bind DN set this does work.
          However, the domain controller does allow anonymous binds, so there's still a bug here.


            kktest11 Kohsuke Kawaguchi
            lot Thorsten Löber
            Votes: 13
            Watchers: 18