Jenkins / JENKINS-1802

LDAP authentication against AD didn't work

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Component/s: _unsorted
    • Labels:
      None
    • Environment:
      Platform: All, OS: All

      Description

      I did some tests on Hudson 1.221 and LDAP authentication still doesn't work
      against AD, since it doesn't allow anonymous binding and requires a bind
      login/pwd for operations.

      I used a network sniffer to track down the problems.

      • On the admin page, changes to the LDAP manager login are correctly saved in
        config.xml but are not used when the LDAP connection is made on the admin page.

      It seems only the password is sent on the wire during the binding operation on
      the admin page.

      At startup time Hudson, using the saved config.xml LDAP parameters, does a
      successful bind (login and password are sent) to AD.
      But when a user tries to authenticate, Hudson doesn't use the same 'socket
      connection' (where the binding was done) and thus the request fails.

      Hope it will help

          Activity

          nigord nigord added a comment -

          I am experiencing the exact same issue myself.

          It works as a servlet security realm. (Tomcat 6.0.14 / RHEL 4 JDK 1.6)

          <Realm className="org.apache.catalina.realm.JNDIRealm" debug="0"
          connectionURL="ldap://mtlad01:389"
          connectionName="CN=Hudson Administrator,OU=Users,OU=Montreal,DC=xxx,DC=com"
          connectionPassword="xxx"
          userRoleName="Member"
          userBase="OU=Users,OU=Montreal,DC=xxx,DC=com"
          userPattern="CN={0},OU=Users,OU=Montreal,DC=xxx,DC=com"
          roleBase="OU=Groups,OU=Montreal,DC=xxx,DC=com"
          roleName="mail"
          roleSearch="(Member={0})"
          roleSubtree="true"
          userSubtree="true"
          referrals="follow"/>

          But using the same Manager DN and password in the hudson interface doesn't.
          I also confirm that tcpdump shows that for the bind request, only the password
          is sent as the name field.
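
          A check for the symptom the description and this comment report (a bind request whose name field does not carry the manager DN), as an added example that is not Hudson's code or part of the thread: it decodes a captured LDAP simple BindRequest and classifies it without returning the credential bytes. The function names, the DN heuristic and the sample messages are constructed for illustration, and the manager account is assumed to be configured as a DN, as in the Realm above.

```python
import re

# Heuristic (assumption): a bind name should start with "attributeType=", as a DN does.
DN_START = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=.+")

def tlv(tag, value):
    """Encode one BER element; used only to build the constructed samples."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def read_tlv(buf, pos):
    """Decode the BER element at pos -> (tag, value, next_pos). Definite lengths only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        size = length & 0x7F
        if size == 0 or pos + size > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(pdu):
    """Classify a simple BindRequest without ever returning the credential bytes."""
    tag, msg, _ = read_tlv(pdu, 0)           # LDAPMessage ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg, 0)             # messageID INTEGER
    tag, op, _ = read_tlv(msg, pos)          # protocolOp
    if tag != 0x60:                          # [APPLICATION 0] BindRequest
        return "not-a-bind"
    _, _, pos = read_tlv(op, 0)              # version INTEGER
    _, name, pos = read_tlv(op, pos)         # name LDAPDN (OCTET STRING)
    auth_tag, cred, _ = read_tlv(op, pos)    # authentication CHOICE
    if auth_tag != 0x80:                     # [0] simple; anything else is SASL
        return "sasl"
    if not name:
        return "anonymous" if not cred else "password-without-name"
    if not DN_START.match(name.decode("utf-8", "replace")):
        return "name-is-not-a-dn"            # the symptom reported in this issue
    return "unauthenticated" if not cred else "ok"

def sample_bind(name, password):
    """Constructed LDAPv3 simple bind, messageID 1."""
    op = tlv(0x02, b"\x03") + tlv(0x04, name) + tlv(0x80, password)
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, op))
```

          Because a mis-built request can carry the password in the name field, the classifier returns only a label; log that label rather than the decoded name.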

          kohsuke Kohsuke Kawaguchi added a comment -

          I'm currently working on improving the Active Directory plugin to do a better
          job — in particular with Hudson running on a Unix system to talk to Active
          Directory.

          nigord, can you describe a bit more about your AD set up? In my test
          environment, I never see "OU=xxx" in between. Do you use forests, sites, or
          something else?

          Your AD domain is xxx.com, right? What is "Montreal"? Is that coming from your
          site configuration?

          kohsuke Kohsuke Kawaguchi added a comment -

          This should be fixed with Active Directory plugin 1.4

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/core/src/main/resources/hudson/security/LDAPSecurityRealm/config.jelly
          trunk/hudson/main/war/resources/WEB-INF/security/LDAPBindSecurityRealm.groovy
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=10095
          Log:
          JENKINS-1802 LDAP authentication with non-empty manager DN/password was not working correctly.
          In 1.225.

          nigord nigord added a comment -

          Good work.
          I confirm the fix worked super for us.

          Additionally, the Active Directory plugin now works for us as well.


            People

            Assignee: Unassigned
            Reporter: henri_gomez