[JENKINS-17718] Active Directory Plugin Fails

Type: Bug
Resolution: Duplicate
Priority: Blocker
Component/s: active-directory-plugin
Labels:
None
Environment:

Hide
JENKINS WAR VERSION 1.512
JENKINS ACTIVE DIRECTORY PLUGIN VERSINO 1.31
WINDOWS SERVER 2008 R2 ENTERPRISE
AMD OPTERON(TM) PROCESSOR 6136 2.4 GHZ (2 PROCESSORS)
4.0 GB RAM
64-BIT OPERATION SYSTEM
WEBSPHERE APPLICATION SERVER 7.0.0.23

Show
JENKINS WAR VERSION 1.512 JENKINS ACTIVE DIRECTORY PLUGIN VERSINO 1.31 WINDOWS SERVER 2008 R2 ENTERPRISE AMD OPTERON(TM) PROCESSOR 6136 2.4 GHZ (2 PROCESSORS) 4.0 GB RAM 64-BIT OPERATION SYSTEM WEBSPHERE APPLICATION SERVER 7.0.0.23

Similar Issues:
Powered by SuggestiMate

Show

Upgraded from version 1.30 of plugin to version 1.31 and cannot login, and get error "Incorrect password" and error "The server is not operational". I have attached stack trace of error with some [XXX_excluded] sections removed for security reasons. Reverting back to version 1.30 and have no issues with login.

Setup for plugin is as follows:
Domain Name:  [BLANK]
Domain Controller:  [ldap_server_ip]:389

[4/23/13 11:03:05:166 EDT] 0000001f Authenticatio I   Login attempt failed
                                 org.acegisecurity.BadCredentialsException: Incorrect password for [uid_excluded] for=CN=[conn_string_excluded]: error=8007203A; nested exception is com4j.ComException: 8007203a The server is not operational. : The server is not operational.
 : .\invoke.cpp:517
	at hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.retrieveUser(ActiveDirectoryAuthenticationProvider.java:109)
	at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
	at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
	at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
	at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:74)
	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:174)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:64)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
	at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
	at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:50)
	at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
	at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
	at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
	at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
	at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:77)
	at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:908)
	at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:934)
	at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:502)
	at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:181)
	at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3935)
	at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:276)
	at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:931)
	at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1592)
	at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:186)
	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:452)
	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:511)
	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:305)
	at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:83)
	at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
	at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
	at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
	at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
	at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
	at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
	at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
	at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1613)
Caused by: com4j.ComException: 8007203a The server is not operational. : The server is not operational.
 : .\invoke.cpp:517
	at com4j.Wrapper.invoke(Wrapper.java:166)
	at $Proxy73.openDSObject(Unknown Source)
	at hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.retrieveUser(ActiveDirectoryAuthenticationProvider.java:101)
	... 45 more
Caused by: com4j.ComException: 8007203a The server is not operational. : The server is not operational.
 : .\invoke.cpp:517
	at com4j.Native.invoke(Native Method)
	at com4j.StandardComMethod.invoke(StandardComMethod.java:35)
	at com4j.Wrapper$InvocationThunk.call(Wrapper.java:340)
	at com4j.Task.invoke(Task.java:51)
	at com4j.ComThread.run0(ComThread.java:153)
	at com4j.ComThread.run(ComThread.java:134)

duplicates

JENKINS-17676 ADSI mode auth no longer working after update to AD plugin v 1.31

Resolved

Bruce Coveny added a comment - 2013-04-23 15:19 - edited

Also could not downgrade:

java.io.IOException: Failed to rename [JENKINS_HOME]\active-directory.bak to [JENKINS_HOME]\plugins\active-directory.jpi
	at hudson.model.UpdateCenter$PluginDowngradeJob.replace(UpdateCenter.java:1417)
	at hudson.model.UpdateCenter$UpdateCenterConfiguration.install(UpdateCenter.java:806)
	at hudson.model.UpdateCenter$PluginDowngradeJob._run(UpdateCenter.java:1406)
	at hudson.model.UpdateCenter$PluginDowngradeJob.run(UpdateCenter.java:1389)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
	at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
	at java.util.concurrent.FutureTask.run(FutureTask.java:138)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:736)

Manually downgraded and have no issues with login.

Bruce Coveny added a comment - 2013-04-23 15:19 - edited Also could not downgrade: java.io.IOException: Failed to rename [JENKINS_HOME]\active-directory.bak to [JENKINS_HOME]\plugins\active-directory.jpi at hudson.model.UpdateCenter$PluginDowngradeJob.replace(UpdateCenter.java:1417) at hudson.model.UpdateCenter$UpdateCenterConfiguration.install(UpdateCenter.java:806) at hudson.model.UpdateCenter$PluginDowngradeJob._run(UpdateCenter.java:1406) at hudson.model.UpdateCenter$PluginDowngradeJob.run(UpdateCenter.java:1389) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441) at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303) at java.util.concurrent.FutureTask.run(FutureTask.java:138) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) at java.lang. Thread .run( Thread .java:736) Manually downgraded and have no issues with login.

Michael Fowler added a comment - 2013-04-26 15:11

We are experiencing the exact same issue since an upgrade to 1.31 from 1.30. We had to restore the old version of the plugin to recover.

Michael Fowler added a comment - 2013-04-26 15:11 We are experiencing the exact same issue since an upgrade to 1.31 from 1.30. We had to restore the old version of the plugin to recover.

Dan Dragut added a comment - 2013-05-01 20:04 - edited

I believe this might be the change that broke it in 1.31 - might be because is escaping the "="?
https://github.com/jenkinsci/active-directory-plugin/commit/ef66cbbb2ce3f466b2d6468187b59e7088113077

The logger shows the "dn" variable unescaped (for=...) but in fact it uses the escaped version to connect.
https://github.com/jenkinsci/active-directory-plugin/blob/ef66cbbb2ce3f466b2d6468187b59e7088113077/src/main/java/hudson/plugins/active_directory/ActiveDirectoryAuthenticationProvider.java

"active-directory-plugin / src / main / java / hudson / plugins / active_directory / ActiveDirectoryAuthenticationProvider.java"

// to do bind with DN as the user name, the flag must be 0
            IADsUser usr;
            try {
                usr = (authentication==null
                    ? dso.openDSObject("LDAP://"+ ldapEscape(dn), null, null, 0)
                    : dso.openDSObject("LDAP://"+ ldapEscape(dn), dn, password, 0))
                        .queryInterface(IADsUser.class);
            } catch (ComException e) {
                // this is failing
                String msg = String.format("Incorrect password for %s for=%s: error=%08X", username, dn, e.getHRESULT());
                LOGGER.log(Level.FINE, "Login failure: "+msg,e);
                throw (BadCredentialsException)new BadCredentialsException(msg).initCause(e);
            }

To revert to 1.30 download hpi, save into plugins dir and restart Jenkins.
http://updates.jenkins-ci.org/download/plugins/active-directory/
http://stackoverflow.com/questions/14950408/how-to-install-a-plugin-in-jenkins-manually

Dan Dragut added a comment - 2013-05-01 20:04 - edited I believe this might be the change that broke it in 1.31 - might be because is escaping the "="? https://github.com/jenkinsci/active-directory-plugin/commit/ef66cbbb2ce3f466b2d6468187b59e7088113077 The logger shows the "dn" variable unescaped (for=...) but in fact it uses the escaped version to connect. https://github.com/jenkinsci/active-directory-plugin/blob/ef66cbbb2ce3f466b2d6468187b59e7088113077/src/main/java/hudson/plugins/active_directory/ActiveDirectoryAuthenticationProvider.java "active-directory-plugin / src / main / java / hudson / plugins / active_directory / ActiveDirectoryAuthenticationProvider.java" // to do bind with DN as the user name, the flag must be 0 IADsUser usr; try { usr = (authentication== null ? dso.openDSObject( "LDAP: //" + ldapEscape(dn), null , null , 0) : dso.openDSObject( "LDAP: //" + ldapEscape(dn), dn, password, 0)) .queryInterface(IADsUser.class); } catch (ComException e) { // this is failing String msg = String .format( "Incorrect password for %s for =%s: error=%08X" , username, dn, e.getHRESULT()); LOGGER.log(Level.FINE, "Login failure: " +msg,e); throw (BadCredentialsException) new BadCredentialsException(msg).initCause(e); } To revert to 1.30 download hpi, save into plugins dir and restart Jenkins. http://updates.jenkins-ci.org/download/plugins/active-directory/ http://stackoverflow.com/questions/14950408/how-to-install-a-plugin-in-jenkins-manually

Michael Fowler added a comment - 2013-05-02 14:58

Still broken in 1.32

Michael Fowler added a comment - 2013-05-02 14:58 Still broken in 1.32

Aric Czarnowski added a comment - 2013-05-02 22:50 - edited

I'm guessing https://issues.jenkins-ci.org/browse/JENKINS-17676 is the dup that's taking over?

ETA: Thanks. Just saw the dup reference show up above.

Aric Czarnowski added a comment - 2013-05-02 22:50 - edited I'm guessing https://issues.jenkins-ci.org/browse/JENKINS-17676 is the dup that's taking over? ETA: Thanks. Just saw the dup reference show up above.

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Bruce Coveny added a comment - 2013-04-23 15:19, Edited by Bruce Coveny - 2013-04-23 16:36

Expand comment: Bruce Coveny added a comment - 2013-04-23 15:19, Edited by Bruce Coveny - 2013-04-23 16:36

Collapse comment: Michael Fowler added a comment - 2013-04-26 15:11

Expand comment: Michael Fowler added a comment - 2013-04-26 15:11

Collapse comment: Dan Dragut added a comment - 2013-05-01 20:04, Edited by Dan Dragut - 2013-05-01 20:08

Expand comment: Dan Dragut added a comment - 2013-05-01 20:04, Edited by Dan Dragut - 2013-05-01 20:08

Collapse comment: Michael Fowler added a comment - 2013-05-02 14:58

Expand comment: Michael Fowler added a comment - 2013-05-02 14:58

Collapse comment: Aric Czarnowski added a comment - 2013-05-02 22:50, Edited by Aric Czarnowski - 2013-05-02 22:51

Expand comment: Aric Czarnowski added a comment - 2013-05-02 22:50, Edited by Aric Czarnowski - 2013-05-02 22:51

People

Dates