Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-25180

Unable to authenticate using LDAP after upgrading to 1.576 or higher

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Blocker Blocker
    • core
    • None
    • ubuntu 12.04 and 14.04 openldap, authentication is normally done by Apache and the user information should be retrieved by Jenkins from ldap.

      After upgrading to 1.576 or higher LDAP authentication fails. It is very repeatable and downgrading to 1.575 fixes the issue. I have tried 1.576 1.577 1.580 and 1.584 but am unable to log in.

      Basically, I disable security and then setup the same config again and am still unable to log in.
      I am using ldap 1.6 plugin but have also tried 1.11, both fail once I enable ldap authentication.

      This is my configuration from the config.xml

      <useSecurity>true</useSecurity>
      <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
      <securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap@1.6">
      <server>ldap://ldap</server>
      <rootDN></rootDN>
      <inhibitInferRootDN>false</inhibitInferRootDN>
      <userSearchBase>ou=users,dc=xxx,dc=com,dc=sg</userSearchBase>
      <userSearch>uid=

      {0}

      </userSearch>
      <groupSearchBase>ou=jenkins,ou=groups,dc=xxx,dc=com,dc=sg</groupSearchBase>
      <managerDN>cn=admin,dc=xxx,dc=com,dc=sg</managerDN>
      <managerPassword>xxxxxxxxxxx</managerPassword>
      <disableMailAddressResolver>false</disableMailAddressResolver>
      </securityRealm>

      Steps to reproduce:
      1. Fresh install of Jenkins 1.584 from Ubuntu apt-get install jenkins
      2. Enter settings as can be used up to 1.575
      3. Add the display name is the cn
      4. Authorization: Anyone can do anything (I used matrix before but for now I am happy to login)
      5. Save
      6. My name is shown as "Peter Bruin", proof that this was retrieved from ldap or else it would be peterbruin which is my user name
      7. Navigate back to Manage and I get prompted for password
      8. No log entries in /var/log/jenkins/jenkins.log
      9. Unable to access the system log (/log/all) as I am not able to access Jenkins
      10. Downgrade to 1.575 and I can log in again

      How this affected my upgrade:
      1. Upgrade from 1.557 to 1.584
      2. Able to acess jenkins until I wanted to go Manage
      3. Prompted for password and unable to login
      4. Editted the config.xml and disable security
      5. Updated LDAP plugin from 1.6 to latest
      6. Spend hours messing around with ldap settings
      7. Need to restart server after every time, takes a few minutes
      8. Downgraded and was able to log in again

      Ofcourse my bad for doing this on our production server but I didn't expect this kind of trouble. Cost me most of the last two days trying to get it working.

      Any help with trouble shooting would be welcome.
      How can I get more log info out of Jenkins, I don't see much in the /var/log/jenkins/jenkins.log file and the System Log is useless as I am unable to access it after I enable security

          [JENKINS-25180] Unable to authenticate using LDAP after upgrading to 1.576 or higher

          uncletall added a comment -

          I found a fix here: https://github.com/jenkinsci/jenkins/pull/1427
          So I guess this is related to: https://issues.jenkins-ci.org/browse/JENKINS-25144

          I build the version from Christof Schoell and tested it on my server. After this the LDAP authentication works and I can get back into the Manage page after enabling security

          uncletall added a comment - I found a fix here: https://github.com/jenkinsci/jenkins/pull/1427 So I guess this is related to: https://issues.jenkins-ci.org/browse/JENKINS-25144 I build the version from Christof Schoell and tested it on my server. After this the LDAP authentication works and I can get back into the Manage page after enabling security

          Daniel Beck added a comment -

          The linked fix should only affect use of Basic Auth, which isn't part of regular login procedure. Weird.

          Daniel Beck added a comment - The linked fix should only affect use of Basic Auth, which isn't part of regular login procedure. Weird.

          uncletall added a comment -

          I think my definition of LDAP authentication is wrong. The authentication is actually done by the Apache front. LDAP is then used to retrieve the username, email and groups that are used for the authentication. I believe this might actually be basic authentication although in the Security config you need to specify it as LDAP authentication.

          uncletall added a comment - I think my definition of LDAP authentication is wrong. The authentication is actually done by the Apache front. LDAP is then used to retrieve the username, email and groups that are used for the authentication. I believe this might actually be basic authentication although in the Security config you need to specify it as LDAP authentication.

          Daniel Beck added a comment -

          Well, the reverse proxy auth bit was missing from the description. So there's actually a simple workaround? Just don't use Apache for authentication?

          Daniel Beck added a comment - Well, the reverse proxy auth bit was missing from the description. So there's actually a simple workaround? Just don't use Apache for authentication?

          uncletall added a comment - - edited

          I don't think that's a good idea. We now have our development environment setup in such a way that 4 (Jenkins, Gerrit, wiki and bugtraker) sites share the same authentication mechanism. Changing that would result in a lot of broken URLs

          uncletall added a comment - - edited I don't think that's a good idea. We now have our development environment setup in such a way that 4 (Jenkins, Gerrit, wiki and bugtraker) sites share the same authentication mechanism. Changing that would result in a lot of broken URLs

          uncletall added a comment -

          I did actually mention in the environment description that authentication is done by Apache and passed on to Jenkins.

          uncletall added a comment - I did actually mention in the environment description that authentication is done by Apache and passed on to Jenkins.

          Daniel Beck added a comment -

          Right, sorry about that. Steps to reproduce looked so complete

          Daniel Beck added a comment - Right, sorry about that. Steps to reproduce looked so complete

          J. Kirchner added a comment -

          Is disabling cookies a workaround for you?

          J. Kirchner added a comment - Is disabling cookies a workaround for you?

          uncletall added a comment -

          I am not so sure how to do that. But I have just tested 1.589 and the problem is still present in this version. I can't find the tag in GitHub and the latest link still points to the 1.588 on the web site so I don't know if the 1.589 is officially released. But as JENKINS-25144 is marked as fixed I would have expected this issue to be fixed as well.

          uncletall added a comment - I am not so sure how to do that. But I have just tested 1.589 and the problem is still present in this version. I can't find the tag in GitHub and the latest link still points to the 1.588 on the web site so I don't know if the 1.589 is officially released. But as JENKINS-25144 is marked as fixed I would have expected this issue to be fixed as well.

          uncletall added a comment -

          I have tested 1.592 and the issue is fixed

          uncletall added a comment - I have tested 1.592 and the issue is fixed

            Unassigned Unassigned
            uncletall uncletall
            Votes:
            3 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: