JENKINS-29772

Can't retrieve ldap info using domain search with spaces


Details

    Description

      Configuration

      Jenkins LDAP configuration:

      Server		ldap://ldap.test.es:389/
      root DN	Allow empty RootDN
      Search Domain User Base		"o=Group Using Spaces,c=ES"
      Search user filter (&(objectClass=inetorgperson)(uid={0}))
      

      Problem

      Jenkins LDAP can't correctly handle the LDAP base domain search form input. It has to be defined between quotes if it's composed of several words separated by spaces. If I don't, it won't create the configuration correctly and you don't get any response.

      Error Without quotes

      When you define the LDAP configuration using Search Domain User Base without quotes and with rootDN not selected:

      • You can't/don't execute the query.

      Error With quotes

      Log when a user attempts to log in:

      Failed to bind to LDAP: userDncn=SurName1 SurName2 Name (123456),ou=GROUP,"o=Group Using Spaces,c=ES"  username=login_name
      javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
      	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:293)
      	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
      	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
      	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
      	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
      	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
      	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
      	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
      	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
      	at javax.naming.InitialContext.init(InitialContext.java:242)
      	at javax.naming.InitialContext.<init>(InitialContext.java:216)
      	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
      	at org.acegisecurity.ldap.DefaultInitialDirContextFactory.connect(DefaultInitialDirContextFactory.java:180)
      	at org.acegisecurity.ldap.DefaultInitialDirContextFactory.newInitialDirContext(DefaultInitialDirContextFactory.java:261)
      	at org.acegisecurity.ldap.LdapTemplate.execute(LdapTemplate.java:123)
      	at org.acegisecurity.ldap.LdapTemplate.retrieveEntry(LdapTemplate.java:165)
      	at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.bindWithDn(BindAuthenticator.java:87)
      	at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.authenticate(BindAuthenticator.java:72)
      	at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2.authenticate(BindAuthenticator2.java:49)
      	at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:233)
      	at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
      	at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
      	at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
      	at hudson.security.LDAPSecurityRealm$LDAPAuthenticationManager.authenticate(LDAPSecurityRealm.java:786)
      	at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:74)
      	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:611)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
      	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
      	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:724)
      

      Other configurations

      Search using ldapsearch is correct:

      ldapsearch -H ldap://ldap.test.es:389 -b "o=Group Using Spaces,c=es" -s sub -a always -z 1000 "uid=login_name" -x
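
      Added example, not part of the original report and not Jenkins or LDAP plugin code: a check with the JDK's `javax.naming.ldap.LdapName` showing that the search base from this report is a valid DN without quotes, while the quoted form and the bind DN from the log above are not. The class and method names are hypothetical.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical helper (not Jenkins or LDAP plugin code): validates a configured
// search base and composes a user DN under it with the JDK's DN parser.
public class SearchBaseCheck {

    // Returns the parsed base, or null when the string is not a valid DN.
    static LdapName parseBase(String configured) {
        try {
            return new LdapName(configured.trim());
        } catch (InvalidNameException e) {
            return null;
        }
    }

    // Appends RDNs to the base as structured values, so Rdn handles any escaping
    // and no caller-supplied quoting ends up inside the DN string.
    static String userDn(LdapName base, String ou, String cn) throws InvalidNameException {
        LdapName dn = new LdapName(base.getRdns());
        dn.add(new Rdn("ou", ou));
        dn.add(new Rdn("cn", cn));
        return dn.toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        // Values taken from the report above.
        String unquoted = "o=Group Using Spaces,c=ES";
        String quoted = "\"o=Group Using Spaces,c=ES\"";
        String loggedDn = "cn=SurName1 SurName2 Name (123456),ou=GROUP," + quoted;

        LdapName base = parseBase(unquoted);
        System.out.println("unquoted base valid: " + (base != null));
        System.out.println("quoted base valid:   " + (parseBase(quoted) != null));
        System.out.println("logged DN valid:     " + (parseBase(loggedDn) != null));
        System.out.println(userDn(base, "GROUP", "SurName1 SurName2 Name (123456)"));
    }
}
```

      In the `ldapsearch` command above, the double quotes around the `-b` value are consumed by the shell, so the server receives the DN without them.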
      


        Activity

          danielbeck Daniel Beck added a comment -

          Looks like this has a trivial workaround, so reducing priority.


          ricardogarfe Ricardo García Fernández added a comment -

          Hi danielbeck! What is this workaround? Thanks in advance.

          danielbeck Daniel Beck added a comment -

          Misread the issue description, it looked like the workaround was using quotes but that doesn't work either.

          sakapur Sandeep Kapur added a comment -

          Is there any workaround for this issue? This must be a common problem with many enterprises.

          bwangia Bradley Wangia added a comment -

          Any resolution to this? Is this something I can work on a solution for? Just need some pointers on where to look ...

          grandma Roman Kovtyukh added a comment -

          Hello.

          We just solved this issue in our company.

          To make it work we just made the userSearchBase field empty.

          To check that LDAP was working I also used this script.
          Before the issue was solved, the script was able to resolve only groups, but not users.

          oleg_nenashev Oleg Nenashev added a comment -

          In order to set proper expectations, I have unassigned Kohsuke from this ticket.
          Currently there is no default assignee in the LDAP plugin; any contributions will be appreciated.

          People

            Unassigned Unassigned
            ricardogarfe Ricardo García Fernández
            Votes: 2
            Watchers: 7
