Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-17718

Active Directory Plugin Fails

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Blocker
    • Resolution: Duplicate
    • None

    Description

      Upgraded from version 1.30 of plugin to version 1.31 and cannot login, and get error "Incorrect password" and error "The server is not operational". I have attached stack trace of error with some [XXX_excluded] sections removed for security reasons. Reverting back to version 1.30 and have no issues with login.

      Setup for plugin is as follows:
      Domain Name:  [BLANK]
      Domain Controller:  [ldap_server_ip]:389
      
      [4/23/13 11:03:05:166 EDT] 0000001f Authenticatio I   Login attempt failed
                                       org.acegisecurity.BadCredentialsException: Incorrect password for [uid_excluded] for=CN=[conn_string_excluded]: error=8007203A; nested exception is com4j.ComException: 8007203a The server is not operational. : The server is not operational.
       : .\invoke.cpp:517
      	at hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.retrieveUser(ActiveDirectoryAuthenticationProvider.java:109)
      	at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
      	at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
      	at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
      	at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:74)
      	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:174)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:64)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      	at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
      	at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:50)
      	at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
      	at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      	at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
      	at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
      	at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:77)
      	at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:908)
      	at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:934)
      	at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:502)
      	at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:181)
      	at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3935)
      	at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:276)
      	at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:931)
      	at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1592)
      	at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:186)
      	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:452)
      	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:511)
      	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:305)
      	at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:83)
      	at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
      	at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
      	at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
      	at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
      	at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
      	at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
      	at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
      	at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1613)
      Caused by: com4j.ComException: 8007203a The server is not operational. : The server is not operational.
       : .\invoke.cpp:517
      	at com4j.Wrapper.invoke(Wrapper.java:166)
      	at $Proxy73.openDSObject(Unknown Source)
      	at hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.retrieveUser(ActiveDirectoryAuthenticationProvider.java:101)
      	... 45 more
      Caused by: com4j.ComException: 8007203a The server is not operational. : The server is not operational.
       : .\invoke.cpp:517
      	at com4j.Native.invoke(Native Method)
      	at com4j.StandardComMethod.invoke(StandardComMethod.java:35)
      	at com4j.Wrapper$InvocationThunk.call(Wrapper.java:340)
      	at com4j.Task.invoke(Task.java:51)
      	at com4j.ComThread.run0(ComThread.java:153)
      	at com4j.ComThread.run(ComThread.java:134)
      

      Attachments

        Issue Links

          Activity

            bcoveny Bruce Coveny added a comment - - edited

            Also could not downgrade:

            java.io.IOException: Failed to rename [JENKINS_HOME]\active-directory.bak to [JENKINS_HOME]\plugins\active-directory.jpi
            	at hudson.model.UpdateCenter$PluginDowngradeJob.replace(UpdateCenter.java:1417)
            	at hudson.model.UpdateCenter$UpdateCenterConfiguration.install(UpdateCenter.java:806)
            	at hudson.model.UpdateCenter$PluginDowngradeJob._run(UpdateCenter.java:1406)
            	at hudson.model.UpdateCenter$PluginDowngradeJob.run(UpdateCenter.java:1389)
            	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
            	at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
            	at java.util.concurrent.FutureTask.run(FutureTask.java:138)
            	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
            	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
            	at java.lang.Thread.run(Thread.java:736)
            

            Manually downgraded and have no issues with login.

            bcoveny Bruce Coveny added a comment - - edited Also could not downgrade: java.io.IOException: Failed to rename [JENKINS_HOME]\active-directory.bak to [JENKINS_HOME]\plugins\active-directory.jpi at hudson.model.UpdateCenter$PluginDowngradeJob.replace(UpdateCenter.java:1417) at hudson.model.UpdateCenter$UpdateCenterConfiguration.install(UpdateCenter.java:806) at hudson.model.UpdateCenter$PluginDowngradeJob._run(UpdateCenter.java:1406) at hudson.model.UpdateCenter$PluginDowngradeJob.run(UpdateCenter.java:1389) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441) at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303) at java.util.concurrent.FutureTask.run(FutureTask.java:138) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) at java.lang. Thread .run( Thread .java:736) Manually downgraded and have no issues with login.

            We are experiencing the exact same issue since an upgrade to 1.31 from 1.30. We had to restore the old version of the plugin to recover.

            mdkf Michael Fowler added a comment - We are experiencing the exact same issue since an upgrade to 1.31 from 1.30. We had to restore the old version of the plugin to recover.
            ddragut Dan Dragut added a comment - - edited

            I believe this might be the change that broke it in 1.31 - might be because is escaping the "="?
            https://github.com/jenkinsci/active-directory-plugin/commit/ef66cbbb2ce3f466b2d6468187b59e7088113077

            The logger shows the "dn" variable unescaped (for=...) but in fact it uses the escaped version to connect.
            https://github.com/jenkinsci/active-directory-plugin/blob/ef66cbbb2ce3f466b2d6468187b59e7088113077/src/main/java/hudson/plugins/active_directory/ActiveDirectoryAuthenticationProvider.java

            "active-directory-plugin / src / main / java / hudson / plugins / active_directory / ActiveDirectoryAuthenticationProvider.java"
            // to do bind with DN as the user name, the flag must be 0
                        IADsUser usr;
                        try {
                            usr = (authentication==null
                                ? dso.openDSObject("LDAP://"+ ldapEscape(dn), null, null, 0)
                                : dso.openDSObject("LDAP://"+ ldapEscape(dn), dn, password, 0))
                                    .queryInterface(IADsUser.class);
                        } catch (ComException e) {
                            // this is failing
                            String msg = String.format("Incorrect password for %s for=%s: error=%08X", username, dn, e.getHRESULT());
                            LOGGER.log(Level.FINE, "Login failure: "+msg,e);
                            throw (BadCredentialsException)new BadCredentialsException(msg).initCause(e);
                        }
            

            To revert to 1.30 download hpi, save into plugins dir and restart Jenkins.
            http://updates.jenkins-ci.org/download/plugins/active-directory/
            http://stackoverflow.com/questions/14950408/how-to-install-a-plugin-in-jenkins-manually

            ddragut Dan Dragut added a comment - - edited I believe this might be the change that broke it in 1.31 - might be because is escaping the "="? https://github.com/jenkinsci/active-directory-plugin/commit/ef66cbbb2ce3f466b2d6468187b59e7088113077 The logger shows the "dn" variable unescaped (for=...) but in fact it uses the escaped version to connect. https://github.com/jenkinsci/active-directory-plugin/blob/ef66cbbb2ce3f466b2d6468187b59e7088113077/src/main/java/hudson/plugins/active_directory/ActiveDirectoryAuthenticationProvider.java "active-directory-plugin / src / main / java / hudson / plugins / active_directory / ActiveDirectoryAuthenticationProvider.java" // to do bind with DN as the user name, the flag must be 0 IADsUser usr; try { usr = (authentication== null ? dso.openDSObject( "LDAP: //" + ldapEscape(dn), null , null , 0) : dso.openDSObject( "LDAP: //" + ldapEscape(dn), dn, password, 0)) .queryInterface(IADsUser.class); } catch (ComException e) { // this is failing String msg = String .format( "Incorrect password for %s for =%s: error=%08X" , username, dn, e.getHRESULT()); LOGGER.log(Level.FINE, "Login failure: " +msg,e); throw (BadCredentialsException) new BadCredentialsException(msg).initCause(e); } To revert to 1.30 download hpi, save into plugins dir and restart Jenkins. http://updates.jenkins-ci.org/download/plugins/active-directory/ http://stackoverflow.com/questions/14950408/how-to-install-a-plugin-in-jenkins-manually

            Still broken in 1.32

            mdkf Michael Fowler added a comment - Still broken in 1.32
            aczarnowski Aric Czarnowski added a comment - - edited

            I'm guessing https://issues.jenkins-ci.org/browse/JENKINS-17676 is the dup that's taking over?

            ETA: Thanks. Just saw the dup reference show up above.

            aczarnowski Aric Czarnowski added a comment - - edited I'm guessing https://issues.jenkins-ci.org/browse/JENKINS-17676 is the dup that's taking over? ETA: Thanks. Just saw the dup reference show up above.

            People

              Unassigned Unassigned
              bcoveny Bruce Coveny
              Votes:
              7 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: