Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-16205

Inaccessible active directory groups prevent authentication

    XMLWordPrintable

Details

    Description

      Our active directory setup has some memberOf references to groups that aren't visible by the authenticating user. This results in the following error and prevents the user from being authenticated:

      Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03151F00, problem 2001 (NO_OBJECT), data 0, best match of:
              'DC=example,DC=com'
      ^@]; remaining name 'CN=Bad Group,DC=example,DC=com'
              at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3092)
              at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
              at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
              at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1312)
              at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
              at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
              at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.resolveGroups(ActiveDirectoryUnixAuthenticationProvider.java:422)
              at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:290)
              ... 46 more
      

      Attachments

        Activity

          Code changed in jenkins
          User: Tom Palmer
          Path:
          src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
          http://jenkins-ci.org/commit/active-directory-plugin/74899c38e87c037084098eae3a84851b28317f03
          Log:
          [FIXED JENKINS-16205] Ignore the lookup failure for the memberOf group as it's possible that the authenticating user doesn't have permissions to access the group.

          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Tom Palmer Path: src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java http://jenkins-ci.org/commit/active-directory-plugin/74899c38e87c037084098eae3a84851b28317f03 Log: [FIXED JENKINS-16205] Ignore the lookup failure for the memberOf group as it's possible that the authenticating user doesn't have permissions to access the group.
          tmpalmer Tom Palmer added a comment -

          I have a submitted a pull request for a fix for this on Github (https://github.com/jenkinsci/active-directory-plugin/pull/5).

          tmpalmer Tom Palmer added a comment - I have a submitted a pull request for a fix for this on Github ( https://github.com/jenkinsci/active-directory-plugin/pull/5 ).

          People

            Unassigned Unassigned
            tmpalmer Tom Palmer
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: