LDAP Plugin occasionally does not connect LDAP server

    • Bug
    • Resolution: Not A Defect
    • Major
    • ldap-plugin
    • CentOS 6.5 Jenkins 1.561 LDAP Plugin 1.9

      I am currently using an external LDAP server to enable user logins. This works pretty well in most cases. However, sometimes the login takes a long time and ends up at mydomain.com/login_error.

          [JENKINS-23214] LDAP Plugin occasionally does not connect LDAP server

          Michael Dicke created issue -

          Michael Dicke added a comment -

          We switched from Hudson to Jenkins and now we are encountering this problem from time to time.

          Here is my configuration

          <securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap@1.9">
              <server>myLdapIP:10389</server>
              <rootDN>dc=myCompany,dc=org</rootDN>
              <inhibitInferRootDN>true</inhibitInferRootDN>
              <userSearchBase>ou=users</userSearchBase>
              <userSearch>uid={0}</userSearch>
              <groupSearchBase>ou=groups</groupSearchBase>
              <groupMembershipFilter>(| (member={0}) (uniqueMember={0}) (memberUid={1}))</groupMembershipFilter>
              <managerDN>cn=hudson,ou=users,ou=system</managerDN>
              <managerPasswordSecret>*secret*</managerPasswordSecret>
              <disableMailAddressResolver>true</disableMailAddressResolver>
              <cache>
                <size>500</size>
                <ttl>3600</ttl>
              </cache>
              <extraEnvVars class="linked-hash-map">
                <entry>
                  <string>com.sun.jndi.ldap.connect.timeout</string>
                  <string>5000</string>
                </entry>
                <entry>
                  <string>com.sun.jndi.ldap.read.timeout</string>
                  <string>10000</string>
                </entry>
              </extraEnvVars>
              <displayNameAttributeName>displayname</displayNameAttributeName>
              <mailAddressAttributeName>mail</mailAddressAttributeName>
          </securityRealm>
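
An added example (not part of the original comment and not the LDAP plugin's code): a Python check over a securityRealm element like the one posted above, reporting which JNDI timeouts are in effect and whether each server entry uses ldaps://. The function name audit_ldap_realm and the trimmed sample are constructed for illustration; it assumes a server entry without an ldaps:// scheme is contacted over plain LDAP.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the securityRealm element posted above.
SAMPLE = """<securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap@1.9">
  <server>myLdapIP:10389</server>
  <managerDN>cn=hudson,ou=users,ou=system</managerDN>
  <extraEnvVars class="linked-hash-map">
    <entry><string>com.sun.jndi.ldap.connect.timeout</string><string>5000</string></entry>
    <entry><string>com.sun.jndi.ldap.read.timeout</string><string>10000</string></entry>
  </extraEnvVars>
</securityRealm>"""

# JNDI LDAP provider properties, values in milliseconds.
TIMEOUT_KEYS = ("com.sun.jndi.ldap.connect.timeout",
                "com.sun.jndi.ldap.read.timeout")


def audit_ldap_realm(xml_text):
    """Return (settings, findings) for one LDAPSecurityRealm element."""
    realm = ET.fromstring(xml_text)
    if "LDAPSecurityRealm" not in realm.get("class", ""):
        raise ValueError("not an LDAPSecurityRealm element")

    # extraEnvVars is a map serialized as <entry><string>k</string><string>v</string></entry>.
    env = {}
    for entry in realm.findall("./extraEnvVars/entry"):
        pair = [(s.text or "").strip() for s in entry.findall("string")]
        if len(pair) == 2:
            env[pair[0]] = pair[1]

    # The server field may list several whitespace-separated hosts.
    servers = (realm.findtext("server") or "").split()
    timeouts_ms = {k: int(env[k]) for k in TIMEOUT_KEYS if env.get(k, "").isdigit()}

    findings = []
    for server in servers:
        if not server.lower().startswith("ldaps://"):
            findings.append(f"{server}: no ldaps:// scheme, bind credentials "
                            "cross the network unencrypted")
    for key in TIMEOUT_KEYS:
        if timeouts_ms.get(key, 0) <= 0:
            findings.append(f"{key}: unset or zero, a stalled LDAP server "
                            "can hold the login request open")
    return {"servers": servers, "timeouts_ms": timeouts_ms}, findings


if __name__ == "__main__":
    settings, findings = audit_ldap_realm(SAMPLE)
    print(settings)
    print("\n".join(findings) or "no findings")
```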
          

          Michael Dicke added a comment -

          To track the problem I already tried the following steps:

          • added logger
            • org.acegisecurity.providers.ldap.authenticator
            • org.acegisecurity.providers.ldap.authenticator.bindauthenticator
            • org.acegisecurity.providers.ldap.authenticator.PasswordComparisonAuthenticator
            • but no log messages occurred
          • dumped tcp on jenkins machine and inspected in wireshark; the communication is as follows:

            Step | Description                                                                  | Good case | Failure case
            1    | user (webclient) sends username and password                                 | ok        | ok
            2    | jenkins machine exchanges username and password with ldap machine            | ok        | missing
            3    | jenkins machine communicates with DNS Server                                 | ok        | ok
            4    | jenkins machine exchanges username, password and groups with ldap machine    | ok        | missing
            5    | webclient receives session cookie from jenkins machine                       | ok        | missing - loginError instead

          Oleg Nenashev made changes -
          Component/s Original: security [ 15508 ]

          Michael Dicke added a comment -

          Nothing happened for several weeks...
          Is anybody responsible for this issue?

          Henri Gomez added a comment -

          Same error here on some Jenkins.
          All have exactly the same configuration, but some work and others don't work.
          And no log in catalina.out.

          Jenkins 1.562.2, LDAP plugin 1.10.2

          Sebastian Bathke added a comment - - edited

          We have login working for a certain time period after startup of jenkins. But it gets broken some hours later. A restart solves login problems for another period. Other tools work well with the same ldap host (gerrit, sonar).

          Jenkins v1.598, LDAP-Plugin v1.11

          Mark Nejman added a comment -

          I am also experiencing the same behavior. It works for anywhere from 1 to 24 hours, but then I cannot login until I restart.

          Could this be an issue with the LDAP using SSL?

          Manoj Binjola added a comment -

          I am also facing the same issue. Jenkins 1.508.2, Tomcat 7, LDAP plugin 1.11
          I've created a ticket but found that many people are facing the same issue, so I closed it as duplicate. JENKINS-27434

          Manoj Binjola added a comment -

          Hi, is there any update on this issue? Please let us know if it's not related to Jenkins, so that we could focus on other aspects.

            kohsuke Kohsuke Kawaguchi
            dicke Michael Dicke