  1. Jenkins
  2. JENKINS-14057

With Active Directory Plugin, the user/group validation in authorization strategy of configuration screen fails


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • Win Server 2008, AIX, AD plugin version=1.26, Jenkins version=1.424.6

    Description

      Using the Project-based Matrix Authorization Strategy, the identification of the usernames doesn't work properly. Sometimes the username is recognized, sometimes the user's full name is recognized, and sometimes neither the username nor the full name is recognized.

      It worked in old versions of Jenkins and the plugin (1.16).

      The error message is:
      org.acegisecurity.BadCredentialsException: Failed to retrieve user information for xyz; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

          Activity

            schtefan Stefan added a comment - - edited

            We are facing the same problems (with Jenkins 1.424.6 and Active Directory Plugin 1.29) and are interested in an error analysis or even a solution. The stack trace displayed in the Authorization Strategy table is:

            Caused by: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'DC=***,DC=***,DC=***'
            	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
            	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
            	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
            	at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
            	at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
            	at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
            	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
            	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
            	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
            	at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBuilder.java:52)
            	at hudson.plugins.active_directory.LDAPSearchBuilder.searchOne(LDAPSearchBuilder.java:42)
            	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:260)
            	... 66 more
            schtefan Stefan added a comment -

            I am also wondering why the class ActiveDirectoryUnixAuthenticationProvider is invoked although we are running on a Windows system.

            schtefan Stefan added a comment -

            I am asking who to assign issues related to the Active Directory plugin as the automatic assignment is Unassigned

            dstine Dan Stine added a comment - - edited

            We also see a flavor of this error. Jenkins 1.466.1, Active Directory plugin 1.29, CentOS 5.6. I think we also had it under the covers in our prior combination (1.448 / 1.24), it was just less obvious because the "Failed to test the validity of the user name" message didn't show in the UI. We are also using Project-based Matrix Authorization Strategy.

            Caused by: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'DC=copyright,DC=com'
            
            davida2009 David Aldrich added a comment - - edited

            We also see this error. We are running Jenkins 1.466.1 LTS with Active Directory authentication, on CentOS 5.8. The authentication has been working correctly, but today I noticed the following type of error in:

            Manage Jenkins > Configure System > Authorization > Project-based Matrix Authorization Strategy:

            Failed to test the validity of the user name <myname> (show details)
            org.acegisecurity.BadCredentialsException: Failed to retrieve user information for <myname>; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
            

            I clicked ‘Test’ underneath ‘Active Directory’ and it gave an error. I then downgraded the Active Directory plugin from 1.29 to 1.19. ‘Test’ now succeeds but the ‘Project-based Matrix Authorization Strategy’ area still shows the above error against each user.

            davida2009 David Aldrich added a comment -

            Any news about this bug please?


            william_t_r William Roberts added a comment -

            See also Jenkins-12619

            jameshowe James Howe added a comment -

            Also see this error when using Basic authentication with API tokens.
            Every other request gives the same LDAP error (i.e. #1 fails, #2 is fine, #3 fails, etc.)

            Jenkins 1.500, ADPlugin 1.30

            kayers Kenny Ayers added a comment -

            I'm having the same issue with Jenkins 1.489, and LDAP Plugin 1.2.

            davida2009 David Aldrich added a comment -

            Still hoping for a fix for this bug.

            David


            kohsuke Kohsuke Kawaguchi added a comment -

            If you see ActiveDirectoryUnixAuthenticationProvider in the stack trace on Windows, that's because you are running an earlier version of the AD plugin that does not support ADSI auth for 64-bit Windows.

            Also, when you report a stack trace, please do not truncate the stack trace. We need not just the error message but the stack frames leading up to it, including all the nested stack traces.

            If you are worried that the lengthy text will make the issue hard to look at, please use attachments.

            The error is because your AD does not allow anonymous bind, and therefore we cannot validate names of the other users. I believe specifying the bind DN and password will solve this problem.

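The error string quoted throughout this issue has a fixed layout (LDAP result code, DSID, comment, data, optional search base), so it can be triaged mechanically. The script below is an added example, not part of the issue thread or of the plugin's code: it separates "search sent before a successful bind" (result code 1 with the comment seen here) from a rejected bind (result code 49), and flags reports that were cut off. The sample log, the user name `alice`, the base DN and the function names are constructed for illustration.

```python
import re

# Constructed sample log, modelled on the messages quoted in this issue.
# User name, base DN and the third line are made up; the second line is
# cut off before the closing bracket, like the truncated reports above.
SAMPLE_LOG = """\
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'DC=example,DC=com'
org.acegisecurity.BadCredentialsException: Failed to retrieve user information for alice; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
INFO: job build-42 finished
"""

LDAP_ERR = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): "
    r"LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+), (?P<ver>v[0-9A-Fa-f]+)"
    r"(?P<closed>\])?(?:; remaining name '(?P<base>[^']*)')?"
)
USER = re.compile(r"user information for (?P<user>[^;]+);")

def classify(code, comment):
    """Map an AD LDAP error to the stage of the exchange that failed."""
    if code == 1 and "successful bind must be completed" in comment:
        # operationsError: a search arrived on a connection that has no
        # successful bind (anonymous, or the bind never completed).
        return "search-before-bind"
    if code == 49:
        # invalidCredentials: the bind request itself was rejected.
        return "bind-rejected"
    return "other"

def triage(log_text):
    """Return one finding per log line that carries an AD LdapErr string."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LDAP_ERR.search(line)
        if not m:
            continue
        user = USER.search(line)
        findings.append({
            "line": lineno,
            "kind": classify(int(m.group("code")), m.group("comment")),
            "dsid": m.group("dsid"),
            "data": m.group("data"),
            "base": m.group("base"),
            "user": user.group("user") if user else None,
            "truncated": m.group("closed") is None,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `search-before-bind` finding means the directory lookup ran without an authenticated connection; a `truncated` flag means the report lost the closing bracket and everything after it, including the search base.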
            trbaker Trevor Baker added a comment - - edited

            >>>The error is because your AD does not allow anonymous bind, and therefore we cannot validate names of the other users. I believe specifying the bind DN and password will solve this problem.

            Where does one specify a bind user and password? The only options I see under Advanced are "Domain Name" and "Domain controller".

            schtefan Stefan added a comment -

            Attached complete stack trace of error message

            jameshowe James Howe added a comment -

            >>The error is because your AD does not allow anonymous bind
            How does that account for the observation that the calls fail and succeed in alternation?

            jameshowe James Howe added a comment -

            Have confirmed that with plugin version 1.33 and a Bind DN set this does work.
            However, the domain controller does allow anonymous binds, so there's still a bug here.


            People

              kktest11 Kohsuke Kawaguchi
              lot Thorsten Löber
              Votes: 13
              Watchers: 18
