JENKINS-3404

mix LDAP and local Hudson users


Details

    • Improvement
    • Status: Open (View Workflow)
    • Trivial
    • Resolution: Unresolved
    • _unsorted, ldap-plugin
    • None
    • Platform: All, OS: All

    Description

      Would it be possible to add the following feature: have users in both LDAP and
      the local Hudson database?

      We currently have most of our users in LDAP, but a few are not in AD (student
      employees, people in other OUs). For these users, we would like to add them as
      local Hudson users, while maintaining the LDAP users. Basically, we want to mix
      the two: LDAP and local Hudson users. Thanks in advance.

      Also, the subcomponent for this issue is not correct; but it wouldn't let me
      submit this without choosing one. Sorry!

          Activity

            abrowne abrowne created issue -
            advorsky73 Alexander Dvorsky made changes -
            Field Original Value New Value
            Component/s ldap-plugin [ 17122 ]
            Component/s security [ 15508 ]

            advorsky73 Alexander Dvorsky added a comment -

            This would make sense as well to have e.g. a user for automation, which doesn't need to exist in the Active Directory/LDAP directory.
            I would very much welcome this as well...

            fedesg Federico Soria Galvarro added a comment -

            Does this bug have any estimated date?
            As Alexander says, it makes sense; for example, I have external users that do not exist in the Active Directory but I want them to be able to log in.
            Also, and most important, if my LDAP is down I can't use Jenkins; it is really useful to have a local account for this circumstance.

            compcom_de Jens Rosenthal added a comment -

            Another important use case - at least I think so - is that in case there is an LDAP problem that needs a config update, I cannot log in to Jenkins to fix the problem.
            So a "standard" account (the admin or root) that is NOT tied to the configured LDAP is needed.
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 133477 ] JNJira + In-Review [ 174033 ]

            heiko_nardmann Heiko Nardmann added a comment -

            I also would like to add some "Technical SCM Trigger User" that is used when the SCM creates a trigger. Such a user shall not be part of LDAP but just be part of Jenkins user database. This avoids an anonymous account inside Jenkins with Discover+Read privileges.

            This involves either only changing the ldap-plugin or being able to iterate over a list of AbstractPasswordBasedSecurityRealm implementations (as far as I understand).

            This would probably also involve that getSecurityRealm() has to be replaced by some getSecurityRealms() (returning a list of realms).

            The same for setSecurityRealm(SecurityRealm securityRealm).
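The "iterate over a list of realms" idea from the comment above, sketched as an added example (not from this ticket, Jenkins core, or the ldap-plugin): the `Realm` interface, `MapRealm`, and the account names are hypothetical stand-ins, not Jenkins API. It shows two decisions such a chain has to make: a rejection by the first realm that knows the user is final, and an unreachable directory is reported separately from bad credentials.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;

// Added illustration only: every type here is hypothetical and none of it is
// Jenkins core or ldap-plugin API.
public class ChainedRealmDemo {

    /** The realm that owns the user rejected the credentials. */
    static class BadCredentials extends Exception {
        BadCredentials(String msg) { super(msg); }
    }

    /** The realm could not answer at all (for example, directory unreachable). */
    static class RealmUnavailable extends Exception {
        RealmUnavailable(String msg) { super(msg); }
    }

    /** Hypothetical stand-in for one password-based realm in the chain. */
    interface Realm {
        String name();
        boolean knows(String user) throws RealmUnavailable;
        void authenticate(String user, String password) throws BadCredentials, RealmUnavailable;
    }

    /** In-memory realm with a switch that simulates an unreachable directory. */
    static class MapRealm implements Realm {
        private final String name;
        private final Map<String, String> users; // constructed sample data
        boolean reachable = true;

        MapRealm(String name, Map<String, String> users) {
            this.name = name;
            this.users = users;
        }

        public String name() { return name; }

        public boolean knows(String user) throws RealmUnavailable {
            if (!reachable) throw new RealmUnavailable(name + " is unreachable");
            return users.containsKey(user);
        }

        public void authenticate(String user, String password)
                throws BadCredentials, RealmUnavailable {
            if (!knows(user)) throw new BadCredentials("unknown user");
            byte[] expected = users.get(user).getBytes(StandardCharsets.UTF_8);
            byte[] given = password.getBytes(StandardCharsets.UTF_8);
            // Constant-time comparison of the two byte arrays.
            if (!MessageDigest.isEqual(expected, given)) throw new BadCredentials("wrong password");
        }
    }

    /**
     * Walks the realms in order. The first reachable realm that knows the user
     * decides: BadCredentials from it propagates and later realms are never
     * asked, so a second realm cannot accept a different password for the same
     * name. An unreachable realm is skipped, but the outage is remembered and
     * reported if no other realm owns the user.
     */
    static String authenticate(List<Realm> realms, String user, String password)
            throws BadCredentials, RealmUnavailable {
        RealmUnavailable outage = null;
        for (Realm realm : realms) {
            try {
                if (!realm.knows(user)) continue;
                realm.authenticate(user, password);
                return realm.name();
            } catch (RealmUnavailable e) {
                outage = e;
            }
        }
        if (outage != null) throw outage;
        throw new BadCredentials("unknown user");
    }

    static String attempt(List<Realm> realms, String user, String password) {
        try {
            return user + ": OK via " + authenticate(realms, user, password);
        } catch (BadCredentials e) {
            return user + ": DENIED (" + e.getMessage() + ")";
        } catch (RealmUnavailable e) {
            return user + ": UNAVAILABLE (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed accounts: one local technical user, and a directory that
        // happens to contain an entry with the same name.
        MapRealm local = new MapRealm("local", Map.of("scm-trigger", "local-secret"));
        MapRealm ldap = new MapRealm("ldap",
                Map.of("alice", "alice-pw", "scm-trigger", "other-pw"));
        List<Realm> realms = List.of(local, ldap); // local realm is consulted first

        System.out.println(attempt(realms, "alice", "alice-pw"));
        // The local realm owns this name, so the directory password is not tried.
        System.out.println(attempt(realms, "scm-trigger", "other-pw"));

        ldap.reachable = false; // simulate the directory outage discussed in the thread
        System.out.println(attempt(realms, "scm-trigger", "local-secret"));
        // A directory user during the outage: reported as an outage, not as a bad password.
        System.out.println(attempt(realms, "alice", "alice-pw"));
    }
}
```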
            sam_zhao Sam Zhao added a comment -

            I would very much appreciate these features.
            As a system admin, keeping the Jenkins platform highly available is very important.
            If LDAP is down, users will not be able to log in to Jenkins to do any job.

            leedega Kevin Phillips added a comment -

            I too would like to have the ability to define a couple of static local users on a Jenkins server, for pretty much the same reasons stated above - automated processes accessing Jenkins, accessing the dashboard when LDAP/AD are down, etc. This would be very helpful.
            fbelzunc Félix Belzunce Arcos made changes -
            Link This issue duplicates JENKINS-39065 [ JENKINS-39065 ]
            fbelzunc Félix Belzunce Arcos made changes -
            Assignee Félix Belzunce Arcos [ fbelzunc ]
            Resolution Duplicate [ 3 ]
            Status Open [ 1 ] Resolved [ 5 ]
            pcichy Patryk Cichy added a comment -

            Why is this marked as duplicate? JENKINS-39065 should be marked as duplicate - it only covers AD plugin and this ticket is also about LDAP plugin.

            ircbot Jenkins IRC Bot made changes -
            Component/s _unsorted [ 19622 ]
            Component/s security [ 15508 ]
            fbelzunc Félix Belzunce Arcos made changes -
            Component/s active-directory-plugin [ 15526 ]

            fbelzunc Félix Belzunce Arcos added a comment -

            Don't like to have the same Jira issue for multiple components, when on each one we might need a different fix in case this is implemented at plugin level.

            On AD there is already a Jira opened, so I am keeping this one for LDAP.
            fbelzunc Félix Belzunce Arcos made changes -
            Resolution Duplicate [ 3 ]
            Status Resolved [ 5 ] Reopened [ 4 ]
            stefanrink Stefan Rink added a comment -

            I would also need the possibility of fallback to Jenkins' own user database, or at least to a single fallback user (like the AD plugin does).

            If I implemented this, could I expect the respective pull request to be merged in? Which conditions / coding guidelines would I have to adhere to?

            stefanrink Stefan Rink made changes -
            Link This issue is duplicated by JENKINS-29162 [ JENKINS-29162 ]

            martinmajewski Martin Majewski added a comment -

            2019 and still nothing at this front?

            We have users whose AD accounts are disabled due to ID renewal and for this period they cannot log into Jenkins. A local user store would be much appreciated!

            Best wishes,
            Martin
            yogeek Guillaume Dupin added a comment - - edited

            Agree with all comments above: this feature is important for many use cases.

            For me, it would be useful to configure Jenkins with the Configuration-as-Code plugin with a local (non-LDAP) user that will be responsible for applying the Jenkins configuration (and as LDAP is a part of this configuration, I cannot use an LDAP user for this).

            @fbelzunc any update on this please? Or at least an estimated date?
            Thank you

            batmat Baptiste Mathus added a comment -

            As Félix said above, doing this at the SecurityRealm level would likely imply duplicating code between the various implementations.

            So, I'm inclined to think this issue here should actually be closed as a duplicate of JENKINS-15063. Because at least JENKINS-15063 has core as a component, as it should be IMO.
            machn1k Mike Machnik added a comment - - edited

            As mentioned in some of the comments above, allowing for both LDAP and local security allows for real users to have access but also allowing for local users to be created for automation.  This support would allow us to create an ideal security environment for our automation.

            jjulve Jonas Julve made changes -
            Assignee Félix Belzunce Arcos [ fbelzunc ] Jonas Julve [ jjulve ]
            jjulve Jonas Julve made changes -
            Assignee Jonas Julve [ jjulve ] Félix Belzunce Arcos [ fbelzunc ]
            sharon_kwok Sharon Kwok added a comment -

            Agreed with all the comments above. We really need the support of both local security and LDAP security. Normal users should use LDAP for login, while local users are created for automation and remote API call. It would be highly appreciated if it could be implemented. 

            smekkley smek added a comment -

            Is there a workaround for this other than using PAM? I heard the AD plugin supports this, so maybe it's not too difficult to support LDAP with that plugin?
            rorynscott Rory Scott added a comment -

            +1 to what's been said. Automating with a local user would be great while using LDAP for internal users.

            rajivkr Rajiv KR added a comment -

            We need this feature as we are trying to make API calls with an LDAP-enabled Jenkins; any local Hudson users added to LDAP will be really useful. Any update on this?
            promissing WENJUN XIAO added a comment -

            I try to mix local users with others using this plugin: mixing-security-realm-plugin (https://github.com/wenjunxiao/mixing-security-realm-plugin)
            370672701 tom zhang added a comment -

            Agreed with all the comments above. We really need the support of both local security and LDAP security.

            tuehenriksen Tue Henriksen added a comment -

            It would be nice if I could create an admin user that was not dependent on LDAP - just in case some IT guys decided to change AD that would break the LDAP integration.
            fbelzunc Félix Belzunce Arcos made changes -
            Assignee Félix Belzunce Arcos [ fbelzunc ]
            deepakn Deepak added a comment -

            12 years and no progress on this. Not sure if there is going to be any useful feature like this in Jenkins.

            batmat Baptiste Mathus added a comment -

            deepakn fortunately now you're here to implement it. Thanks!
            deepakn Deepak added a comment -

            batmat Not sure if you are being sarcastic or funny. Either way I won't be able to implement it. My comment was not intended to hurt anyone. If you got offended somehow then I'm sorry.
            kon Kalle Niemitalo made changes -
            Link This issue relates to HOSTING-997 [ HOSTING-997 ]

            kon Kalle Niemitalo added a comment -

            mixing-security-realm-plugin is now hosted at https://github.com/jenkinsci/mixing-security-realm-plugin but does not seem to have any releases available from the update center yet.
            promissing WENJUN XIAO added a comment -

            mix-security-realm-plugin has been published to the update center. Sorry for not posting to the update center in time due to configuration and permission issues.
            hz hz hz added a comment - - edited

            Hi, I'd like to ask if you guys have had such an issue. I need to configure the mixing security realm to support Jenkins' own user database and LDAP. If I set up LDAP only, it verifies successfully, but if I configure LDAP inside the mix plugin I get the following exception.

            I am using java-11-openjdk-11.0.12.0.7-0.el7_9.x86_64 and Jenkins 2.316

            java.lang.IllegalArgumentException: Specified type class hudson.security.MixingSecurityRealm is not assignable to the expected class hudson.security.LDAPSecurityRealm
            java.lang.IllegalArgumentException: Specified type class hudson.security.MixingSecurityRealm is not assignable to the expected class hudson.security.LDAPSecurityRealm
                at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:683)
            Caused: java.lang.IllegalArgumentException: Failed to instantiate class hudson.security.LDAPSecurityRealm from
            {
               "value":"3",
               "stapler-class":"hudson.security.MixingSecurityRealm",
               "$class":"hudson.security.MixingSecurityRealm",
               "allowsSignup":false,
               "priority":true,
               "optional":[
                  {
                     "$enabled":false,
                     "$id":"hudson.security.SecurityRealm$None"
                  },
                  {
                     "$enabled":false,
                     "$id":"hudson.security.PAMSecurityRealm",
                     "serviceName":""
                  },
                  {
                     "$enabled":true,
                     "$id":"hudson.security.LDAPSecurityRealm",
                     "configurations":{
                        "server":"ldap://www.example.com",
                        "rootDN":"dc=example,dc=com",
                        "inhibitInferRootDN":false,
                        "userSearchBase":"OU=User Accounts",
                        "userSearch":"userPrincipalName={0}",
                        "groupSearchBase":"OU=Groups",
                        "groupSearchFilter":"(objectClass=group)",
                        "groupMembershipStrategy":{
                           "value":"0",
                           "attributeName":"memberOf",
                           "stapler-class":"jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy",
                           "$class":"jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"
                        },
                        "managerDN":"CN=onprembuild,OU=Service Accounts,OU=User Accounts,DC=example,DC=com",
                        "managerPasswordSecret":"[value redacted]",
                        "$redact":"managerPasswordSecret",
                        "displayNameAttributeName":"displayname",
                        "mailAddressAttributeName":"mail",
                        "ignoreIfUnavailable":false
                     },
                     "":[
                        "0",
                        "0"
                     ],
                     "userIdStrategy":{
                        "stapler-class":"jenkins.model.IdStrategy$CaseInsensitive",
                        "$class":"jenkins.model.IdStrategy$CaseInsensitive"
                     },
                     "groupIdStrategy":{
                        "stapler-class":"jenkins.model.IdStrategy$CaseInsensitive",
                        "$class":"jenkins.model.IdStrategy$CaseInsensitive"
                     },
                     "disableMailAddressResolver":false,
                     "disableRolePrefixing":true
                  },
                  {
                     "$enabled":false,
                     "$id":"hudson.security.LegacySecurityRealm"
                  }
               ]
            }

            kon Kalle Niemitalo added a comment - - edited

            Is there a stack trace for this exception? More than just this

            at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:683)
            hz hz hz added a comment - - edited
            java.lang.IllegalArgumentException: Specified type class hudson.security.MixingSecurityRealm is not assignable to the expected class hudson.security.LDAPSecurityRealm
            java.lang.IllegalArgumentException: Specified type class hudson.security.MixingSecurityRealm is not assignable to the expected class hudson.security.LDAPSecurityRealm
                at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:683)
            Caused: java.lang.IllegalArgumentException: Failed to instantiate class hudson.security.LDAPSecurityRealm from {"value":"3","stapler-class":"hudson.security.MixingSecurityRealm","$class":"hudson.security.MixingSecurityRealm","allowsSignup":false,"priority":true,"optional":[{"$enabled":false,"$id":"hudson.security.SecurityRealm$None"},{"$enabled":false,"$id":"hudson.security.PAMSecurityRealm","serviceName":""},{"$enabled":true,"$id":"hudson.security.LDAPSecurityRealm","configurations":{"server":"ldap://www.example.com","rootDN":"dc=example,dc=com","inhibitInferRootDN":false,"userSearchBase":"OU=User Accounts","userSearch":"userPrincipalName={0}","groupSearchBase":"OU=Groups","groupSearchFilter":"(objectClass=group)","groupMembershipStrategy":{"value":"0","attributeName":"memberOf","stapler-class":"jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy","$class":"jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"},"managerDN":"CN=ci-build-onprembuild,OU=Service Accounts,OU=User Accounts,DC=example,DC=com","managerPasswordSecret":"[value redacted]","$redact":"managerPasswordSecret","displayNameAttributeName":"displayname","mailAddressAttributeName":"mail","ignoreIfUnavailable":false},"":["0","0"],"userIdStrategy":{"stapler-class":"jenkins.model.IdStrategy$CaseInsensitive","$class":"jenkins.model.IdStrategy$CaseInsensitive"},"groupIdStrategy":{"stapler-class":"jenkins.model.IdStrategy$CaseInsensitive","$class":"jenkins.model.IdStrategy$CaseInsensitive"},"disableMailAddressResolver":false,"disableRolePrefixing":true},{"$enabled":false,"$id":"hudson.security.LegacySecurityRealm"}]}
                at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:693)
                at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:490)
                at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:486)
                at hudson.security.LDAPSecurityRealm$DescriptorImpl.doValidate(LDAPSecurityRealm.java:1543)
                at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
                at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:393)
            Caused: java.lang.reflect.InvocationTargetException
                at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
                at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:405)
                at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
                at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
                at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:208)
                at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:141)
                at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:536)
                at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
                at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
                at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
                at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:281)
                at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
                at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766)
                at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898)
                at org.kohsuke.stapler.Stapler.invoke(Stapler.java:694)
                at org.kohsuke.stapler.Stapler.service(Stapler.java:240)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
                at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
                at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)
                at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:156)
                at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:80)
                at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:153)
                at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)
                at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:153)
                at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:159)
                at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
                at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
                at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:153)
                at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
                at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
                at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:92)
                at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
                at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
                at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:53)
                at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
                at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:121)
                at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:115)
                at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
                at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:105)
                at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
                at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
                at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:92)
                at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
                at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:218)
                at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
                at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
                at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
                at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
                at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110)
                at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
                at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:62)
                at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
                at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:109)
                at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
                at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
                at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
                at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:51)
                at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
                at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
                at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:85)
                at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
                at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
                at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
                at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
                at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
                at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:39)
                at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
                at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
                at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
                at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
                at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578)
                at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
                at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
                at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
                at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
                at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
                at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
                at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
                at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
                at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
                at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
                at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
                at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
                at org.eclipse.jetty.server.Server.handle(Server.java:516)
                at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
                at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
                at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
                at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
                at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
                at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
                at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
                at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
                at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
                at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
                at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
                at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:386)
                at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
                at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
                at java.base/java.lang.Thread.run(Thread.java:829)
            

            Here is the stack trace. Thank you so much for your quick response.

            peachy_devops Loren Alatan added a comment -

            Hi promissing, I tried installing the https://github.com/wenjunxiao/mixing-security-realm-plugin plugin. It kind of works, having LDAP users and a local Jenkins user at the same time, but LDAP groups were not allowed. Are you aware of this issue?
            Thank you very much.

            peachy_devops Loren Alatan added a comment -

            Tried updating Active Directory plugin to 2.25.1 from 2.25 but it became worse. LDAP users and groups are not working anymore.

            peachy_devops Loren Alatan made changes -
            Status Reopened [ 4 ] Open [ 1 ]
            peachy_devops Loren Alatan made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            peachy_devops Loren Alatan made changes -
            Status In Progress [ 3 ] Open [ 1 ]

            People

              Unassigned Unassigned
              abrowne abrowne
              Votes: 62
              Watchers: 60
