Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-20064

Cannot use CLI or URL with API token with Active Directory as the access control security realm

    XMLWordPrintable

Details

    Description

      I'm trying to use the Jenkins CLI for a server that is set up with AD as the access control security realm. Logged in users can perform any action.

      The Jenkins server is 1.534 on Ubuntu with Active Directory plugin 1.33, configured with just the domain (no bind DN or password).

      I've provisioned an SSH public key for my user. When I attempt to run CLI against Jenkins it fails with this

      Exception in thread "main" java.io.EOFException
              at java.io.DataInputStream.readBoolean(DataInputStream.java:244)
              at hudson.cli.Connection.readBoolean(Connection.java:95)
              at hudson.cli.CLI.authenticate(CLI.java:644)
              at hudson.cli.CLI._main(CLI.java:474)
              at hudson.cli.CLI.main(CLI.java:384)
      

      and the below is logged on the server. This is similar to JENKINS-12619 though in my case the behavior is consistent and always fails.

      Oct 13, 2013 12:23:35 PM WARNING hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider retrieveUser
      
      Failed to retrieve user information for username
      javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'DC=mycompany,DC=com'
          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3072)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2785)
          at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1839)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1779)
          at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
          at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBuilder.java:52)
          at hudson.plugins.active_directory.LDAPSearchBuilder.searchOne(LDAPSearchBuilder.java:42)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:263)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:193)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:137)
          at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:30)
          at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:584)
          at hudson.model.User.impersonate(User.java:255)
          at org.jenkinsci.main.modules.cli.auth.ssh.SshCliAuthenticator.authenticate(SshCliAuthenticator.java:44)
          at hudson.cli.CliManagerImpl$2.run(CliManagerImpl.java:109)
      
      Oct 13, 2013 12:23:35 PM WARNING hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider retrieveUser
      
      Credential exception tying to authenticate against mycompany.com domain
      org.acegisecurity.BadCredentialsException: Failed to retrieve user information for username; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'DC=mycompany,DC=com'
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:309)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:193)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:137)
          at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:30)
          at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:584)
          at hudson.model.User.impersonate(User.java:255)
          at org.jenkinsci.main.modules.cli.auth.ssh.SshCliAuthenticator.authenticate(SshCliAuthenticator.java:44)
          at hudson.cli.CliManagerImpl$2.run(CliManagerImpl.java:109)
      Caused by: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'DC=mycompany,DC=com'
          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3072)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2785)
          at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1839)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1779)
          at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
          at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBuilder.java:52)
          at hudson.plugins.active_directory.LDAPSearchBuilder.searchOne(LDAPSearchBuilder.java:42)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:263)
          ... 7 more
      

      Attachments

        Issue Links

          Activity

            Please forgive if this it not the same issue. I'm running Jenkins 1.575 w/ Active Directory plugin 1.37 and using an API token to authenticate using the HTTP API works fine, but when I try to authenticate jenkins-cli with an API token like this:

            java -jar jenkins-cli.jar -s http://jenkins.intranet:8080/jenkins who-am-i --username dserodi --password MY_API_KEY
            

            I get this stracktrace:

            org.acegisecurity.BadCredentialsException: Either no such user 'dserodi@intranet' or incorrect password; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
                at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:385)
                at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:248)
                at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:193)
                at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:137)
                at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.authenticate(ActiveDirectorySecurityRealm.java:602)
                at hudson.security.AbstractPasswordBasedSecurityRealm.doAuthenticate(AbstractPasswordBasedSecurityRealm.java:114)
                at hudson.security.AbstractPasswordBasedSecurityRealm.access$100(AbstractPasswordBasedSecurityRealm.java:39)
                at hudson.security.AbstractPasswordBasedSecurityRealm$1.authenticate(AbstractPasswordBasedSecurityRealm.java:81)
                at hudson.cli.CLICommand.main(CLICommand.java:228)
                at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:92)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.lang.reflect.Method.invoke(Method.java:606)
                at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:309)
                at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:290)
                at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:249)
                at hudson.remoting.UserRequest.perform(UserRequest.java:118)
                at hudson.remoting.UserRequest.perform(UserRequest.java:48)
                at hudson.remoting.Request$2.run(Request.java:328)
                at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
                at hudson.cli.CliManagerImpl$1.call(CliManagerImpl.java:63)
                at hudson.remoting.InterceptingExecutorService$2.call(InterceptingExecutorService.java:95)
                at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
                at java.util.concurrent.FutureTask.run(FutureTask.java:262)
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
                at java.lang.Thread.run(Thread.java:744)
            Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
                at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087)
                at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
                at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835)
                at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
                at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2635)
                at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2622)
                at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2618)
                at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:454)
                at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:370)
                ... 27 more
            
            dserodio Daniel Serodio added a comment - Please forgive if this it not the same issue. I'm running Jenkins 1.575 w/ Active Directory plugin 1.37 and using an API token to authenticate using the HTTP API works fine, but when I try to authenticate jenkins-cli with an API token like this: java -jar jenkins-cli.jar -s http: //jenkins.intranet:8080/jenkins who-am-i --username dserodi --password MY_API_KEY I get this stracktrace: org.acegisecurity.BadCredentialsException: Either no such user 'dserodi@intranet' or incorrect password; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1] at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:385) at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:248) at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:193) at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:137) at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.authenticate(ActiveDirectorySecurityRealm.java:602) at hudson.security.AbstractPasswordBasedSecurityRealm.doAuthenticate(AbstractPasswordBasedSecurityRealm.java:114) at hudson.security.AbstractPasswordBasedSecurityRealm.access$100(AbstractPasswordBasedSecurityRealm.java:39) at hudson.security.AbstractPasswordBasedSecurityRealm$1.authenticate(AbstractPasswordBasedSecurityRealm.java:81) at hudson.cli.CLICommand.main(CLICommand.java:228) at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:92) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:309) at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:290) at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:249) at hudson.remoting.UserRequest.perform(UserRequest.java:118) at hudson.remoting.UserRequest.perform(UserRequest.java:48) at hudson.remoting.Request$2.run(Request.java:328) at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72) at hudson.cli.CliManagerImpl$1.call(CliManagerImpl.java:63) at hudson.remoting.InterceptingExecutorService$2.call(InterceptingExecutorService.java:95) at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang. Thread .run( Thread .java:744) Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1] at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2635) at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2622) at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2618) at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:454) at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:370) ... 27 more
            ssbarnea Sorin Sbarnea added a comment -

            I can confirm the the issue, tried to use API_TOKEN as a password for the CLI usage and I got the error below from a jenkins instance that is configured to accept LDAP logins:

            org.acegisecurity.AuthenticationServiceException: Application name and/or password are not valid.; nested exception is com.atlassian.crowd.exception.InvalidAuthenticationException: Account with name <svcacct_scale> failed to authenticate
            	at de.theit.jenkins.crowd.CrowdSecurityRealm.authenticate(CrowdSecurityRealm.java:394)
            	at hudson.security.AbstractPasswordBasedSecurityRealm.doAuthenticate(AbstractPasswordBasedSecurityRealm.java:114)
            	at hudson.security.AbstractPasswordBasedSecurityRealm.access$100(AbstractPasswordBasedSecurityRealm.java:39)
            	at hudson.security.AbstractPasswordBasedSecurityRealm$1.authenticate(AbstractPasswordBasedSecurityRealm.java:81)
            	at hudson.cli.CLICommand.main(CLICommand.java:231)
            	at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:92)
            	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
            	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            	at java.lang.reflect.Method.invoke(Method.java:497)
            	at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:326)
            	at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:301)
            	at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:260)
            	at hudson.remoting.UserRequest.perform(UserRequest.java:121)
            	at hudson.remoting.UserRequest.perform(UserRequest.java:49)
            	at hudson.remoting.Request$2.run(Request.java:325)
            	at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)
            	at hudson.cli.CliManagerImpl$1.call(CliManagerImpl.java:63)
            	at hudson.remoting.CallableDecoratorAdapter.call(CallableDecoratorAdapter.java:18)
            	at hudson.remoting.CallableDecoratorList$1.call(CallableDecoratorList.java:21)
            	at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
            	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
            	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
            	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
            	at java.lang.Thread.run(Thread.java:745)
            Caused by: com.atlassian.crowd.exception.InvalidAuthenticationException: Account with name <svcacct_scale> failed to authenticate
            	at com.atlassian.crowd.exception.InvalidAuthenticationException.newInstanceWithName(InvalidAuthenticationException.java:50)
            	at com.atlassian.crowd.integration.rest.service.RestCrowdClient.handleInvalidUserAuthentication(RestCrowdClient.java:1187)
            	at com.atlassian.crowd.integration.rest.service.RestCrowdClient.authenticateUser(RestCrowdClient.java:128)
            	at de.theit.jenkins.crowd.CrowdSecurityRealm.authenticate(CrowdSecurityRealm.java:376)
            	... 24 more
            ssbarnea Sorin Sbarnea added a comment - I can confirm the the issue, tried to use API_TOKEN as a password for the CLI usage and I got the error below from a jenkins instance that is configured to accept LDAP logins: org.acegisecurity.AuthenticationServiceException: Application name and/or password are not valid.; nested exception is com.atlassian.crowd.exception.InvalidAuthenticationException: Account with name <svcacct_scale> failed to authenticate at de.theit.jenkins.crowd.CrowdSecurityRealm.authenticate(CrowdSecurityRealm.java:394) at hudson.security.AbstractPasswordBasedSecurityRealm.doAuthenticate(AbstractPasswordBasedSecurityRealm.java:114) at hudson.security.AbstractPasswordBasedSecurityRealm.access$100(AbstractPasswordBasedSecurityRealm.java:39) at hudson.security.AbstractPasswordBasedSecurityRealm$1.authenticate(AbstractPasswordBasedSecurityRealm.java:81) at hudson.cli.CLICommand.main(CLICommand.java:231) at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:92) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:326) at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:301) at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:260) at hudson.remoting.UserRequest.perform(UserRequest.java:121) at hudson.remoting.UserRequest.perform(UserRequest.java:49) at hudson.remoting.Request$2.run(Request.java:325) at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68) at hudson.cli.CliManagerImpl$1.call(CliManagerImpl.java:63) at hudson.remoting.CallableDecoratorAdapter.call(CallableDecoratorAdapter.java:18) at hudson.remoting.CallableDecoratorList$1.call(CallableDecoratorList.java:21) at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang. Thread .run( Thread .java:745) Caused by: com.atlassian.crowd.exception.InvalidAuthenticationException: Account with name <svcacct_scale> failed to authenticate at com.atlassian.crowd.exception.InvalidAuthenticationException.newInstanceWithName(InvalidAuthenticationException.java:50) at com.atlassian.crowd.integration. rest .service.RestCrowdClient.handleInvalidUserAuthentication(RestCrowdClient.java:1187) at com.atlassian.crowd.integration. rest .service.RestCrowdClient.authenticateUser(RestCrowdClient.java:128) at de.theit.jenkins.crowd.CrowdSecurityRealm.authenticate(CrowdSecurityRealm.java:376) ... 24 more
            jglick Jesse Glick added a comment -

            Probably the subsequent comments are really about JENKINS-22346.

            jglick Jesse Glick added a comment - Probably the subsequent comments are really about JENKINS-22346 .
            yann yann kerherve added a comment -

            jglick You marked it as resolved, but where is the fix? Thanks

            yann yann kerherve added a comment - jglick You marked it as resolved, but where is the fix? Thanks
            jglick Jesse Glick added a comment - http://jenkins-ci.org/commit/jenkins/0e339d7a454df119995b896eea14f09a099f99b5 as noted above.

            People

              kohsuke Kohsuke Kawaguchi
              david_resnick David Resnick
              Votes:
              6 Vote for this issue
              Watchers:
              16 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: