If I update the Active directory plugin to 1.38 I get time out on logon. If I go back to the 1.33 version it works fine.

      02.10.2014 09:06:23 hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider retrieveUser
      WARNUNG: Failed to retrieve user information for XXXXXXXX
      javax.naming.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded]; remaining name 'DC=XXXXX,DC=XXXXXXX,DC=XXX'
      	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
      	at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
      	at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
      	at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
      	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
      	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
      	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
      	at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBuilder.java:52)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.chainGroupLookup(ActiveDirectoryUnixAuthenticationProvider.java:447)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.resolveGroups(ActiveDirectoryUnixAuthenticationProvider.java:416)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:296)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:196)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:140)
      	at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
      	at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
      	at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
      	at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:74)
      	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:174)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:74)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
      	at org.eclipse.jetty.server.Server.handle(Server.java:370)
      	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
      	at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
      	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
      	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
      	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
      	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
      	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
      	at java.lang.Thread.run(Unknown Source)
      02.10.2014 09:06:23 hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider retrieveUser
      WARNUNG: Credential exception trying to authenticate against ww004.siemens.net domain
      org.acegisecurity.BadCredentialsException: Failed to retrieve user information for XXXXXXXX; nested exception is javax.naming.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded]; remaining name 'DC=XXXXX,DC=XXXXXXX,DC=XXX'
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:312)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:196)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:140)
      	at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
      	at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
      	at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
      	at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:74)
      	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:174)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:74)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
      	at org.eclipse.jetty.server.Server.handle(Server.java:370)
      	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
      	at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
      	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
      	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
      	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
      	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
      	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
      	at java.lang.Thread.run(Unknown Source)
      Caused by: javax.naming.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded]; remaining name 'DC=XXXXX,DC=XXXXXXX,DC=XXX'
      	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
      	at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
      	at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
      	at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
      	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
      	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
      	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
      	at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBuilder.java:52)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.chainGroupLookup(ActiveDirectoryUnixAuthenticationProvider.java:447)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.resolveGroups(ActiveDirectoryUnixAuthenticationProvider.java:416)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:296)
      	... 45 more
      

          [JENKINS-24960] Active directory Logon Timeout

          Daniel Beck added a comment -

          Right, as soon as you specify one of the options it switches to the LDAP (Unix) implementation; but on Windows doesn't offer you the same configuration options. This appears to be an oversight in the plugin.

          Daniel Beck added a comment - Right, as soon as you specify one of the options it switches to the LDAP (Unix) implementation; but on Windows doesn't offer you the same configuration options. This appears to be an oversight in the plugin.

          M Chon added a comment -

          Same here.
          Ubuntu 12.04
          Base Jenkins version: 1.580.2

          See also my comment here:

          https://issues.jenkins-ci.org/browse/JENKINS-22727?focusedCommentId=219972&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-219972

          Here is the console output:

          Jan 21, 2015 2:20:56 PM hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider retrieveUser
          WARNING: Failed to retrieve user information for XXXXX
          javax.naming.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded]; remaining name 'DC=XXXXX,DC=XXXXX'
          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3143)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
          at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1849)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1789)

          M Chon added a comment - Same here. Ubuntu 12.04 Base Jenkins version: 1.580.2 See also my comment here: https://issues.jenkins-ci.org/browse/JENKINS-22727?focusedCommentId=219972&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-219972 Here is the console output: Jan 21, 2015 2:20:56 PM hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider retrieveUser WARNING: Failed to retrieve user information for XXXXX javax.naming.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded] ; remaining name 'DC=XXXXX,DC=XXXXX' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3143) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1849) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1789)

          podskalsky added a comment -

          the workaround "<groupLookupStrategy>Recursive</groupLookupStrategy>" is ok for me

          podskalsky added a comment - the workaround "<groupLookupStrategy>Recursive</groupLookupStrategy>" is ok for me

          M Chon added a comment -

          @podskalsky Where do you add that?

          M Chon added a comment - @podskalsky Where do you add that?

          podskalsky added a comment -

          Found the hint at: https://issues.jenkins-ci.org/browse/JENKINS-22830

          You must insert this new parameter by hand, because it's new in the latest plugin and the plugin can't start without it ...

          1. install the latest AD Plugin (1.39)
          2. stop your jenkins
          3. add in config.xml ...

          <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@1.39">
          <domain>XXX</domain>
          <bindName>XXX</bindName>
          <bindPassword>XXX</bindPassword>
          <server>XXX</server>
          <groupLookupStrategy>Recursive</groupLookupStrategy>
          </securityRealm>

          4. restart jenkins

          podskalsky added a comment - Found the hint at: https://issues.jenkins-ci.org/browse/JENKINS-22830 You must insert this new parameter by hand, because it's new in the latest plugin and the plugin can't start without it ... 1. install the latest AD Plugin (1.39) 2. stop your jenkins 3. add in config.xml ... <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@1.39"> <domain>XXX</domain> <bindName>XXX</bindName> <bindPassword>XXX</bindPassword> <server>XXX</server> <groupLookupStrategy>Recursive</groupLookupStrategy> </securityRealm> 4. restart jenkins

          I've captured JENKINS-22763 that better represents the task that I see.

          I have questions to people who are reporting this issue here. This problem happens only when you run your master on Windows and choose to specify custom AD domain name, whereas I expected that people normally don't have to do that and just leave everything to the default.

          So, why did you have to specify the custom domain name?

          Kohsuke Kawaguchi added a comment - I've captured JENKINS-22763 that better represents the task that I see. I have questions to people who are reporting this issue here. This problem happens only when you run your master on Windows and choose to specify custom AD domain name, whereas I expected that people normally don't have to do that and just leave everything to the default. So, why did you have to specify the custom domain name?

          Daniel Beck added a comment -

          Not currently using this plugin, but IIRC that's necessary when the server is jenkins.uk.corp.com, and users are foo@uk.corp.com but also bar@us.corp.com.

          Correct issue link: JENKINS-27763

          Daniel Beck added a comment - Not currently using this plugin, but IIRC that's necessary when the server is jenkins.uk.corp.com, and users are foo@uk.corp.com but also bar@us.corp.com. Correct issue link: JENKINS-27763

          I've had success with adding in the <groupLookupStrategy>Recursive</groupLookupStrategy> that podskalsky pointed out. However, I've already noticed that Jenkins overwrites my changes and removes this entry, causing my authentication to go wrong again... What gives?! Any advice?

          Tyler Effinger added a comment - I've had success with adding in the <groupLookupStrategy>Recursive</groupLookupStrategy> that podskalsky pointed out. However, I've already noticed that Jenkins overwrites my changes and removes this entry, causing my authentication to go wrong again... What gives?! Any advice?

          Daniel Beck added a comment -

          tsevg9: The issue appears because submitting the current (incomplete) config form resets the internal option value you set. See the issue linked in my comment (should also get fixed in the context of that issue).

          Daniel Beck added a comment - tsevg9 : The issue appears because submitting the current (incomplete) config form resets the internal option value you set. See the issue linked in my comment (should also get fixed in the context of that issue).

          Sorin Sbarnea added a comment -

          This bug still happens with latest versions of Jenkins and the AD plugin making the entire plugin useless.

          Sorin Sbarnea added a comment - This bug still happens with latest versions of Jenkins and the AD plugin making the entire plugin useless.

            Unassigned Unassigned
            svanschu Sven Schultschik
            Votes:
            3 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated: