-
Bug
-
Resolution: Fixed
-
Major
-
jenkins-1.585-1.1.noarch from the http://pkg.jenkins-ci.org/redhat repo, plugin="active-directory@1.38"
Jenkins 2.7.1 ( http://pkg.jenkins-ci.org/debian-stable ) on Ubuntu-16.04 with Active Directory Plugin 1.47
I am attempting to use the inherent StartTLS over LDAP support in the Active Directory plugin. If I'm reading the docs correctly, it should 'just work'. I perused the code and saw that it seems to trust any cert. Here's what I see in the logs:
Oct 23, 2014 2:53:14 AM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm Attempting to resolve _gc._tcp.ABCDMZ._sites.my.domain to SRV record Oct 23, 2014 2:53:14 AM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm Attempting to resolve _ldap._tcp.ABCDMZ._sites.my.domain to SRV record Oct 23, 2014 2:53:14 AM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm SRV record found: 0 100 389 RODC07.my.domain. Oct 23, 2014 2:53:14 AM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm _ldap._tcp.ABCDMZ._sites.my.domain resolved to [RODC07.my.domain:389] Oct 23, 2014 2:53:14 AM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm Connecting to ldap://RODC07.my.domain:389/ Oct 23, 2014 2:53:14 AM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm Failed to start TLS. Authentication will be done via plain-text LDAP javax.naming.CommunicationException: java.net.SocketException: Connection reset [Root exception is javax.net.ssl.SSLException: java.net.SocketException: Connection reset] at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3259) at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:448) at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:392) at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:239) at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:196) at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:140) at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122) at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200) at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47) at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:74) at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:86) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249) at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76) at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482) at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482) at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482) at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) at org.eclipse.jetty.server.Server.handle(Server.java:370) at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489) at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960) at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240) at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668) at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52) at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:724) Caused by: javax.net.ssl.SSLException: java.net.SocketException: Connection reset at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1844) at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1808) at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1753) at sun.security.ssl.AppInputStream.read(AppInputStream.java:113) at java.io.BufferedInputStream.fill(BufferedInputStream.java:235) at java.io.BufferedInputStream.read1(BufferedInputStream.java:275) at java.io.BufferedInputStream.read(BufferedInputStream.java:334) at com.sun.jndi.ldap.Connection.run(Connection.java:849) ... 1 more Caused by: java.net.SocketException: Connection reset at java.net.SocketInputStream.read(SocketInputStream.java:189) at java.net.SocketInputStream.read(SocketInputStream.java:121) at sun.security.ssl.InputRecord.readFully(InputRecord.java:442) at sun.security.ssl.InputRecord.read(InputRecord.java:480) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882) at sun.security.ssl.AppInputStream.read(AppInputStream.java:102) ... 5 more
This DC serves up normal LDAP and LDAPS to other apps, and I can connect to it with LDAP + StartTLS using Apache Directory Studio, so I know its certificate is installed properly.
[JENKINS-25269] Can't initiate StartTLS against a properly configured Windows 2008 R2 Domain Controller
DI2E SysAdmin
created issue -
| Assignee | New: Félix Belzunce Arcos [ fbelzunc ] |
| Environment | Original: jenkins-1.585-1.1.noarch from the http://pkg.jenkins-ci.org/redhat repo, plugin="active-directory@1.38" |
New:
jenkins-1.585-1.1.noarch from the http://pkg.jenkins-ci.org/redhat repo, plugin="active-directory@1.38" Jenkins 2.7.1 ( http://pkg.jenkins-ci.org/debian-stable ) on Ubuntu-16.04 with Active Directory Plugin 1.47 |
| Workflow | Original: JNJira [ 159183 ] | New: JNJira + In-Review [ 179905 ] |
| Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
Code changed in jenkins
User: Felix Belzunce Arcos
Path:
src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java
src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
http://jenkins-ci.org/commit/active-directory-plugin/f80f9555dbe17d61bd4e310e996cd95ee90fad1a
Log:
Merge pull request #62 from fbelzunc/JENKINS-36041-v4
[FIXED JENKINS-36041 JENKINS-25269] Enable com.sun.jndi.ldap.connect.timeout
Compare: https://github.com/jenkinsci/active-directory-plugin/compare/95effde74165...f80f9555dbe1
| Resolution | New: Fixed [ 1 ] | |
| Status | Original: In Progress [ 3 ] | New: Resolved [ 5 ] |
Hi,
We have the same problem.
I added our company CA to the java keystore.
The Active directory Plugin is still not successful in LDAP + STARTTLS.
ldapsearch -ZZ also works fine.