
Can't retrieve ldap info using domain search with spaces

      Configuration

      Jenkins LDAP configuration:

      Server                     ldap://ldap.test.es:389/
      root DN                    Allow empty RootDN
      Search Domain User Base    "o=Group Using Spaces,c=ES"
      Search user filter         (&(objectClass=inetorgperson)(uid={0}))
      

      Problem

      Jenkins LDAP can't correctly handle the LDAP base domain search form input. It has to be defined between quotes if it's composed of several words separated by spaces. If I don't, it won't create the configuration correctly; you don't get any response.

      Error Without quotes

      When you define the LDAP configuration using Search Domain User Base without quotes and without rootDN selected:

      • You can't/don't execute the query.

      Error With quotes

      Log when a user attempts to log in:

      Failed to bind to LDAP: userDncn=SurName1 SurName2 Name (123456),ou=GROUP,"o=Group Using Spaces,c=ES"  username=login_name
      javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
      	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:293)
      	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
      	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
      	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
      	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
      	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
      	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
      	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
      	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
      	at javax.naming.InitialContext.init(InitialContext.java:242)
      	at javax.naming.InitialContext.<init>(InitialContext.java:216)
      	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
      	at org.acegisecurity.ldap.DefaultInitialDirContextFactory.connect(DefaultInitialDirContextFactory.java:180)
      	at org.acegisecurity.ldap.DefaultInitialDirContextFactory.newInitialDirContext(DefaultInitialDirContextFactory.java:261)
      	at org.acegisecurity.ldap.LdapTemplate.execute(LdapTemplate.java:123)
      	at org.acegisecurity.ldap.LdapTemplate.retrieveEntry(LdapTemplate.java:165)
      	at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.bindWithDn(BindAuthenticator.java:87)
      	at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.authenticate(BindAuthenticator.java:72)
      	at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2.authenticate(BindAuthenticator2.java:49)
      	at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:233)
      	at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
      	at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
      	at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
      	at hudson.security.LDAPSecurityRealm$LDAPAuthenticationManager.authenticate(LDAPSecurityRealm.java:786)
      	at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:74)
      	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:611)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
      	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
      	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:724)
      

      Other configurations

      Search using ldapsearch works correctly:

      ldapsearch -H ldap://ldap.test.es:389 -b "o=Group Using Spaces,c=es" -s sub -a always -z 1000 "uid=login_name" -x
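
Why the quoted value fails while the ldapsearch command works, as an added example (not part of the original report or of the LDAP plugin's code): the shell removes the quotes before ldapsearch receives the base DN, whereas the bind DN in the Jenkins log still contains them. The function names are hypothetical; the two sample strings are copied from the report above.

```python
import re
import shlex

# Attribute type per RFC 4514: a short name or a dotted numeric OID.
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped or ch != ",":
            current.append(ch)
            escaped = (ch == "\\") and not escaped
        else:
            parts.append("".join(current))
            current = []
    parts.append("".join(current))
    return parts


def malformed_rdns(dn):
    """Return RDNs with an invalid attribute type or an unescaped quote."""
    bad = []
    for rdn in split_rdns(dn):
        attr_type, sep, _ = rdn.partition("=")
        unescaped = re.sub(r"\\.", "", rdn)  # drop backslash escape pairs
        if not sep or not ATTR_TYPE.match(attr_type.strip()) or '"' in unescaped:
            bad.append(rdn)
    return bad


def base_from_ldapsearch(command):
    """Return the -b argument as the program receives it after shell quoting."""
    argv = shlex.split(command)
    return argv[argv.index("-b") + 1]


# Both strings are copied from the issue text (log line and ldapsearch call).
JENKINS_BIND_DN = ('cn=SurName1 SurName2 Name (123456),ou=GROUP,'
                   '"o=Group Using Spaces,c=ES"')
LDAPSEARCH_CMD = ('ldapsearch -H ldap://ldap.test.es:389 '
                  '-b "o=Group Using Spaces,c=es" -s sub -a always '
                  '-z 1000 "uid=login_name" -x')

if __name__ == "__main__":
    print("ldapsearch base:", base_from_ldapsearch(LDAPSEARCH_CMD))
    print("malformed RDNs in Jenkins bind DN:", malformed_rdns(JENKINS_BIND_DN))
```

Spaces inside an RDN value need no quoting in the string form of a DN, so the base that ldapsearch receives passes the check, while the two RDNs carrying the literal quote characters from the form field do not.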
      

          [JENKINS-29772] Can't retrieve ldap info using domain search with spaces

          Daniel Beck added a comment -

          Looks like this has a trivial workaround, so reducing priority.


          Ricardo García Fernández added a comment -

          Hi danielbeck! Which is this workaround? Thanks in advance.

          Daniel Beck added a comment -

          Misread the issue description, it looked like the workaround was using quotes but that doesn't work either.


          Sandeep Kapur added a comment -

          Is there any workaround for this issue? This must be a common problem with many enterprises.


          Bradley Wangia added a comment -

          Any resolution to this? Is this something I can work on a solution for? Just need some pointers on where to look ...

          Roman Kovtyukh added a comment -

          Hello.

          We just solved this issue in our company.

          To make it work, we just made the userSearchBase field empty.

          To check that LDAP was working I also used this script.
          Before the issue was solved, the script was able to resolve only groups, but not users.

          Oleg Nenashev added a comment -

          In order to set proper expectations, I have unassigned Kohsuke from this ticket.
          Currently there is no default assignee in the LDAP plugin; any contributions will be appreciated.


            Assignee: Unassigned
            Reporter: Ricardo García Fernández (ricardogarfe)