JENKINS-35249

Security update 1.651.2 breaks LDAP/AD look up

    • Bug
    • Resolution: Unresolved
    • Blocker
    • Debian Wheezy 7.10, OpenJDK 7u101, AD Plugin 1.46, LDAP Plugin 1.12

      After I updated to 1.651.2 I started seeing failures that appear similar to those in JENKINS-34775. Reverting to earlier versions of the AD and LDAP plugins doesn't resolve the issue. Only reverting to 1.651.1 got things working again. I initially added my stack trace as a comment to JENKINS-34775, but I was told there that this was a different issue and to create a new issue.

      BUILD SUCCESSFUL
      Total time: 5 minutes 23 seconds
      Sending e-mails to: bill@example.com ted@example.com
      FATAL: Failed to retrieve user information for Bill S. Preston; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00002020: Operation unavailable without authentication]; remaining name 'DC=example,DC=com'
      org.acegisecurity.BadCredentialsException: Failed to retrieve user information for Bill S. Preston; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00002020: Operation unavailable without authentication]; remaining name 'DC=example,DC=com'
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:343)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:223)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:167)
      	at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:54)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:678)
      	at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1049)
      	at hudson.model.User.get(User.java:395)
      	at hudson.model.User.get(User.java:364)
      	at hudson.plugins.git.GitChangeSet.findOrCreateUser(GitChangeSet.java:374)
      	at hudson.plugins.git.GitChangeSet.getAuthor(GitChangeSet.java:435)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:350)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:346)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:672)
      	at hudson.model.Run.execute(Run.java:1763)
      	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      	at hudson.model.ResourceController.execute(ResourceController.java:98)
      	at hudson.model.Executor.run(Executor.java:410)
      Caused by: javax.naming.NamingException: [LDAP: error code 1 - 00002020: Operation unavailable without authentication]; remaining name 'DC=example,DC=com'
      	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3128)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3034)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2841)
      	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1850)
      	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1773)
      	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1790)
      	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)
      	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394)
      	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
      	at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBuilder.java:112)
      	at hudson.plugins.active_directory.LDAPSearchBuilder.searchOne(LDAPSearchBuilder.java:84)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:293)
      	... 16 more
      Finished: FAILURE
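
An added example, not part of the original report or of Jenkins: a small triage script that separates this failure pattern (build steps succeed, then the post-build culprit lookup hits an unauthenticated directory search) from an ordinary build failure. The sample log is constructed by condensing the console output above; the function and field names are assumptions for illustration.

```python
import re

# Constructed sample: condensed from the console output quoted in the report.
SAMPLE_LOG = """\
BUILD SUCCESSFUL
FATAL: Failed to retrieve user information for Bill S. Preston; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00002020: Operation unavailable without authentication]; remaining name 'DC=example,DC=com'
\tat hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:343)
\tat hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1049)
\tat hudson.plugins.git.GitChangeSet.findOrCreateUser(GitChangeSet.java:374)
\tat hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:350)
Finished: FAILURE
"""

# "[LDAP: error code N - XXXXXXXX: text]; remaining name '...'" as printed by JNDI.
LDAP_ERR = re.compile(
    r"\[LDAP: error code (\d+) - ([0-9A-Fa-f]{8}): ([^\]]+)\]; remaining name '([^']*)'")
FRAME = re.compile(r"^\s*at ([\w.$]+)\(")


def triage(log):
    """Summarise a console log; all field names are illustrative."""
    lines = [l.rstrip() for l in log.splitlines()]
    frames = [m.group(1) for m in map(FRAME.match, lines) if m]
    err = LDAP_ERR.search(log)
    finished = [l.split(": ", 1)[1] for l in lines if l.startswith("Finished: ")]
    # The lookup in the report is triggered by culprit resolution after the
    # build steps, not by somebody logging in.
    culprit_lookup = (any(f.endswith(".resolveCanonicalId") for f in frames)
                      and any(f.endswith(".getCulprits") for f in frames))
    report = {
        "build_steps_ok": "BUILD SUCCESSFUL" in lines,
        "result": finished[-1] if finished else None,
        "ldap_code": int(err.group(1)) if err else None,
        "server_code": err.group(2) if err else None,
        "search_base": err.group(4) if err else None,
        "culprit_lookup": culprit_lookup,
    }
    report["directory_lookup_failure"] = bool(
        report["build_steps_ok"] and report["result"] == "FAILURE"
        and err and culprit_lookup)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```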
      


          Andrea Curtoni added a comment

          I'm experiencing the same problem. Sometimes builds fail after the last step of the actual build.

          The piece of code causing trouble seems to be:
          https://github.com/jenkinsci/jenkins/blob/jenkins-2.6/core/src/main/java/hudson/model/User.java#L1050

          It looks like the exception "org.acegisecurity.BadCredentialsException" is not caught (on purpose probably).

          A possible workaround may be adding JENKINS_JAVA_OPTIONS="-Dhudson.model.User.SECURITY_243_FULL_DEFENSE=false" into /etc/sysconfig/jenkins. I'm not sure it works, testing it right now.

          However, it is not clear which credentials are "Bad". Are these LDAP credentials used to bind to the LDAP server? Why is this not happening constantly but still frequently?

          Roberto Sanchez added a comment

          I just completed an upgrade to Jenkins 2.7.4 and I no longer see this problem. I think that, unless others are still experiencing this problem, this issue can be resolved/closed.

          Alex Rivera added a comment - edited

          I am having the same issue with the 2.11 release of Jenkins and AD plugin 1.41.

            fbelzunc Félix Belzunce Arcos
            roberto_sanchez Roberto Sanchez