
LDAP Authentication success, group discovery success but return to login with no error

    • Bug
    • Resolution: Unresolved
    • Major
    • ldap-plugin
    • None
    • Java 1.7.0_45 Tomcat 7.0.47 on Linux 5 with Apache 2.2 proxy using AJP all on VMware 5. Browsers= Sapphire, Firefox and Chrome.

      The backend LDAP servers are OpenDJ 2.6.0 running as a multi-master cluster with a haproxy as a load balancer in front (different server). The LDAP servers are for the entire systems and work well for other systems (Jira and Artifactory) sharing the same instance of Tomcat and of course other servers.

      The problem is authentication works fine as I can see that in the LDAP logs that I have attached. This has been a problem occurring only for the last 2 releases as I can see although I have been making massive changes to LDAP switching from dirsrv (the old netscape directory from Red Hat) across to OpenDJ in the last couple of weeks so there has been a time of migration. Issues I saw I thought I may have created but I still have a consistent problem.

      The issue is it all works after Jenkins first boots but after it sits for a while I cannot get into Jenkins. It binds successfully, searches for groups and just drops back to a login screen. First I thought it was the cache feature so I go and hack the config.xml file and restart. I have tried switching from cache to not cache with load balance SSL, single SSL server, load balanced and a single LDAP server and the problem is always the same. If I restart Jenkins it works for a while. The same result on all 3 browsers and when I examine the cookie it seems to have a valid auth session cookie from Jenkins. When I examine the LDAP log file it is a successful bind with a single entry returned and then when using groups to match the DN 13 entries are returned which is accurate.

      It is as though it cannot read the auth cookie and just returns to login as it is clearly a successful auth.

          [JENKINS-21263] LDAP Authentication success, group discovery success but return to login with no error

          Arnon Segal added a comment -

          Hi. Don't know if this will help, but I had a similar issue. It seems to resolve when I added "read" permissions to "anonymous" user

          Richard Hwang added a comment -

          I just spent a lot of time trying to figure this out. Turns out I had a stale cookie that was causing login to fail even though LDAP auth succeeded.

          Try clearing your cookies and see if it works!

          Oleg Nenashev added a comment -

          In order to set proper expectations, I have unassigned Kohsuke from this ticket.
          Currently there is no default assignee in the LDAP plugin; any contributions will be appreciated.

            Unassigned
            bateau Graham Horne