Bug
Resolution: Fixed
Major
None
Our Active Directory setup has some memberOf references to groups that aren't visible to the authenticating user. This results in the following error and prevents the user from being authenticated:
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03151F00, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=example,DC=com' ^@]; remaining name 'CN=Bad Group,DC=example,DC=com'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3092)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
    at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1312)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
    at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.resolveGroups(ActiveDirectoryUnixAuthenticationProvider.java:422)
    at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:290)
    ... 46 more
I have submitted a pull request for a fix for this on GitHub (https://github.com/jenkinsci/active-directory-plugin/pull/5).
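
An added example, not part of the original report and not the code from the linked pull request: one way a group-resolution loop can tolerate the failure shown in the trace, by skipping a memberOf entry whose lookup raises `NameNotFoundException` so that the user authenticates without that group's authority. The `TolerantGroupResolver` class, the `GroupLookup` interface (a stand-in for `DirContext.getAttributes`) and the `CN=Developers` entry are assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;

public class TolerantGroupResolver {
    /** Hypothetical stand-in for DirContext.getAttributes(dn, attrIds). */
    interface GroupLookup {
        Attributes getAttributes(String dn) throws NamingException;
    }

    /** Resolves memberOf DNs to group names, skipping entries the bind user cannot read. */
    static Set<String> resolveGroups(List<String> memberOf, GroupLookup ldap)
            throws NamingException {
        Set<String> groups = new TreeSet<>();
        for (String dn : memberOf) {
            try {
                groups.add(ldap.getAttributes(dn).get("CN").get().toString());
            } catch (NameNotFoundException e) {
                // LDAP error 32 (NO_OBJECT): the group is not visible to this bind.
                // Skip it, so no authority is granted for it, and record the event.
                // Any other NamingException still propagates and fails the login.
                System.err.println("Skipping unreadable group " + dn + ": " + e.getMessage());
            }
        }
        return groups;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed directory: only one of the two memberOf targets is readable.
        Map<String, String> visible = Map.of("CN=Developers,DC=example,DC=com", "Developers");
        GroupLookup ldap = dn -> {
            String cn = visible.get(dn);
            if (cn == null) {
                throw new NameNotFoundException("[LDAP: error code 32] " + dn);
            }
            return new BasicAttributes("CN", cn, true);
        };
        List<String> memberOf = List.of(
                "CN=Developers,DC=example,DC=com",
                "CN=Bad Group,DC=example,DC=com");
        System.out.println(resolveGroups(memberOf, ldap));
    }
}
```

Skipping is only safe where group membership adds privileges; if a deployment uses groups to deny access, an unreadable group should fail the login instead.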