• Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Ubuntu 14.04.2 LTS
      Jenkins ver. 1.614
      Active Directory plugin 1.39
      Java 1.7.0_79-b14

      Hi,

      I'm trying to secure the LDAP logon, so I decided to switch from LDAP to LDAPS.

      I tried both LDAPS ports, 3269 and 636, with "Test" in the Global Security config, but neither of them works.

      I get an immediate error:

      Bad bind username or password
      org.acegisecurity.BadCredentialsException: Either no such user 'CN=XXXXXX,OU=XXXXX,OU=XXXXXXX,DC=XXXX,DC=XX' or incorrect password; nested exception is javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms.
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:453)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.doValidate(ActiveDirectorySecurityRealm.java:369)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:606)
      	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
      	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
      	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
      	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:121)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
      	at org.kohsuke.stapler.MetaClass$6.doDispatch(MetaClass.java:249)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
      	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
      	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:123)
      	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:114)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
      	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
      	at org.eclipse.jetty.server.Server.handle(Server.java:370)
      	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
      	at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
      	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
      	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
      	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
      	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
      	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms.
      	at com.sun.jndi.ldap.Connection.readReply(Connection.java:483)
      	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:364)
      	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
      	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
      	at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2635)
      	at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2622)
      	at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2618)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:514)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:430)
      	... 74 more
      

      Other systems (JIRA, Artifactory, ...) work fine with LDAPS, so in my opinion it has to be something in Jenkins.

          [JENKINS-28664] LDAPS Authorization not possible

          heinzepreller added a comment -

          Still not able to use ldaps:

          • Jenkins ver. 1.622
          • Active Directory plugin 1.41


          Don Conry added a comment -

          Confirmed, appears to be an issue strictly with the bind operation. Using the plugin for authentication via LDAPS without binding does seem to work, but obviously does not allow using AD groups for permissions, etc.


          Michal Bukovjan added a comment -

          The problem seems to be that although I specify a secure port (636, 3269), the plugin still tries - according to the fine logs of the plugin - to connect via ldap://server.com:3269, not ldaps://server.com:3269. Trying to force the protocol in the controller definition leads to ldap://ldaps://myserver.com:3269, which fails.

          Maybe a checkbox is missing for whether to use a secure protocol? Or perhaps it could be inferred from the port number if missing.

          Tom Helpstone added a comment -

          See Plugin Documentation for details. You have to set a property:

          -Dhudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps=true
          


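The thread above describes a failure mode worth being able to reproduce on purpose: the plugin opened a plaintext ldap:// connection to a TLS-only port (636/3269) and then waited for a reply with no read timeout at all, which is what "LDAP response read timed out, timeout used:-1ms" is reporting. The probe below, an added example that is not code from the Active Directory plugin or from anyone in this thread, performs a simple LDAP bind over TLS (or, for comparison, in the clear) with a bounded timeout and decodes the BindResponse, so you can tell "wrong protocol for this port" apart from "bad bind DN or password" before touching the Jenkins config. Host names, DNs and the sample responses in it are constructed for the example; `bind_response()` exists only to build offline samples for the decoder.

```python
"""Minimal LDAP simple-bind probe with a hard timeout (LDAPv3, RFC 4511 BER framing)."""
import socket
import ssl
import sys

RESULT_NAMES = {0: "success", 49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n):
    """BER length: short form below 128, long form (0x8N + N big-endian bytes) above."""
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def ber(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }"""
    op = ber(0x02, b"\x03") + ber(0x04, bind_dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, op))


def bind_response(msg_id, result_code, diagnostic=""):
    """BindResponse [APPLICATION 1]; only used here to construct offline samples."""
    op = ber(0x0A, bytes([result_code])) + ber(0x04, b"") + ber(0x04, diagnostic.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x61, op))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Return (messageID, resultCode, diagnosticMessage); raise ValueError if it is not LDAP."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("reply is not an LDAPMessage (wrong protocol for this port?)")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse (0x61), got tag 0x{tag:02x}")
    _, code, pos = read_tlv(op)
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection before a full LDAP reply arrived")
        buf += chunk
    return buf


def recv_ber_message(sock):
    """Read exactly one BER TLV (header, length, value) off the socket."""
    head = recv_exact(sock, 2)
    if head[1] & 0x80:
        extra = recv_exact(sock, head[1] & 0x7F)
        head += extra
        length = int.from_bytes(extra, "big")
    else:
        length = head[1]
    return head + recv_exact(sock, length)


def ldap_bind_probe(host, port, bind_dn, password, use_tls=True, timeout=5.0, cafile=None):
    """Bind once and return (messageID, resultCode, diagnostic). Never waits longer than timeout."""
    sock = socket.create_connection((host, port), timeout=timeout)  # timeout survives wrap_socket
    if use_tls:
        ctx = ssl.create_default_context(cafile=cafile)  # verifies the DC certificate and hostname
        sock = ctx.wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(bind_request(1, bind_dn, password))
        return parse_bind_response(recv_ber_message(sock))
    finally:
        sock.close()


if __name__ == "__main__":
    # usage: ldap_probe.py HOST PORT BIND_DN PASSWORD [plain]   (all values are yours, nothing is hard-coded)
    host, port, dn, pw = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    tls = len(sys.argv) < 6 or sys.argv[5] != "plain"
    try:
        mid, code, diag = ldap_bind_probe(host, port, dn, pw, use_tls=tls)
        print(f"{'ldaps' if tls else 'ldap'}://{host}:{port} -> {RESULT_NAMES.get(code, code)} {diag}")
    except socket.timeout:
        print("no reply within the timeout: plaintext LDAP sent to a TLS port looks exactly like this")
    except (ssl.SSLError, ConnectionError, ValueError) as e:
        print(f"probe failed: {e}")
```

Run it once with `plain` against port 636 and once without: the plaintext attempt stalls until the timeout or fails to decode, while the TLS attempt returns a real LDAP result code, which is the behaviour the plugin only gets once the `forceLdaps` property is set. On the Debian/Ubuntu package that flag typically belongs in `JAVA_ARGS` in `/etc/default/jenkins`, after which the "Test" button should behave like the TLS probe rather than hanging.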
            Assignee: Unassigned
            Reporter: heinzepreller
            Votes: 4
            Watchers: 8