The message when opening Hudson's URL in a browser for the first time since the
browser was started:
Access Denied
org.acegisecurity.providers.rememberme.RememberMeAuthenticationToken@70307871:
Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@7030cb29;
Password: [PROTECTED]; Authenticated: true; Details:
org.acegisecurity.ui.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress:
MY_IP_ADDRESS; SessionId: null; Granted Authorities: is missing Read
When logging out and re-logging in it works as long as the window with Hudson's
UI is open and autorefresh is enabled or Hudson's plugin installed in FF.
LDAP binding is defined in Hudson's config:
Security Realm: LDAP
root DN: dc=myorg,dc=org
User search base: ou=Users
User search filter: cn={0}
Group search base: ou=Groups
Manager DN: cn=hudson,dc=myorg,dc=org
Authorization: Matrix-based security
Additionally, the following patch was necessary:
"If Hudson is set up to use LDAP for authentication, then you'll find yourself
being locked out. This is because Hudson checks only member={0}, and not
uniqueMember={0} within LDAP groups. You'll have to modify the
authoritiesPopulator function within
WEB-INF/security/LDAPBindSecurityRealm.groovy as follows:

authoritiesPopulator(DeferredCreationLdapAuthoritiesPopulator,initialDirContextFactory,"ou=groups") {
    // groupRoleAttribute = "ou";
    groupSearchFilter = "(|(member={0}) (uniqueMember={0}))"
}
"
This patch works up to ver. 1.279. It also seemed to work with 1.280, but
finally we were locked with auth errors and unable to log in at all, which was
even more weird than the original issue.
The servlet container running Hudson is Apache Tomcat 6.0.16 with (more or less)
default configuration.
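
Added example (not part of the original report and not Hudson's code): a small evaluator for equality/AND/OR/NOT LDAP filters, run over constructed group entries, showing why a member-only group search returns no groups (and therefore no granted authorities) for a user listed under uniqueMember, while the OR filter quoted above finds the group. It assumes {0} is replaced by the user's DN; the user and group names, and all function names, are made up for illustration.

```python
import re

# Constructed sample directory (not from the original report): one group of each
# object class. The base DN is the report's; the user and group names are made up.
USER_DN = "cn=jdoe,ou=Users,dc=myorg,dc=org"
GROUPS = [
    {"cn": ["developers"], "objectClass": ["groupOfUniqueNames"],
     "uniqueMember": [USER_DN]},
    {"cn": ["admins"], "objectClass": ["groupOfNames"],
     "member": ["cn=asmith,ou=Users,dc=myorg,dc=org"]},
]

def escape_filter_value(value):
    """Escape RFC 4515 special characters before substituting into a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def parse(flt, i=0):
    """Parse one parenthesised filter at flt[i]; return (node, next offset)."""
    if flt[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if flt[i] in "&|!":
        op, children, i = flt[i], [], i + 1
        while flt[i] != ")":
            if flt[i].isspace():      # tolerate the space in the report's filter
                i += 1
                continue
            child, i = parse(flt, i)
            children.append(child)
        return (op, children), i + 1
    end = flt.index(")", i)
    attr, _, raw = flt[i:end].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return ("=", attr.strip().lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    if node[0] == "=":
        return any(v.lower() == node[2] for k, vs in entry.items()
                   if k.lower() == node[1] for v in vs)
    results = [matches(child, entry) for child in node[1]]
    return {"&": all, "|": any}.get(node[0], lambda r: not r[0])(results)

def granted_groups(template, user_dn, groups=GROUPS):
    """Group names returned when {0} is replaced by the user's DN (assumed)."""
    node, _ = parse(template.replace("{0}", escape_filter_value(user_dn)))
    return sorted(g["cn"][0] for g in groups if matches(node, g))

if __name__ == "__main__":
    print(granted_groups("(member={0})", USER_DN))                        # member only
    print(granted_groups("(|(member={0}) (uniqueMember={0}))", USER_DN))  # OR filter
```

An empty result from the member-only filter corresponds to the empty "Granted Authorities" in the Access Denied message: authentication succeeds, but no group maps to a permission in the authorization matrix.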