• Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Blocker Blocker
    • ldap-plugin
    • None

      I'm having troubles configuring jenkins with ldap groupmembership filter, is like it isn't filter.

      I can see that the groups is filter correctly:

      Group search filter: (objectClass=mycompPermissions)(tValue=

      {0}) -> this filter works , I can see the groups in the section "assign roles"

      but when a user is logged in, jenkins is not able to detect what group it belong, this is my filter:

      (objectClass=mycompPermissions)(equivalentToMe=cn={0}

      ,ou=people,ou=users,o=Company)

      if I replace cn=

      {0}

      , with a specific user , it doesn't work neither. I tested the filter with ApacheDirectoryStudio and it worked there. if I go to jenkinsurl/whoAmI/

      I can see:

      Name: user1 IsAuthenticated?: true Authorities:
      "authenticated"

      So:

      I'm able to login with jenkins with my ldapuser
      Jenkins Is able to list the ldap groups
      the problem is:

      Jenkins is not able to detect what group belong each user

          [JENKINS-40541] Ldap group membership doenst work

          Roque M added a comment - - edited

          it happened to me after upgrade jenkins from 1.564 to 1.656 , if I use the old 1.5 jenkins instance it works , please help!!

          Roque M added a comment - - edited it happened to me after upgrade jenkins from 1.564 to 1.656 , if I use the old 1.5 jenkins instance it works , please help!!

          Oli Vier added a comment -

          I have the same problem (plugin version 1.20).

          Testing Ldap settings give me an error :

          javax.naming.InvalidNameException: Invalid name: "cn=mygroup,ou=Entity,ou=FonctionnalGroup,dc=shom,dc=fr at javax.naming.ldap.Rfc2253Parser.parseAttrType(Rfc2253Parser.java:155) at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:108) at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:70) at javax.naming.ldap.LdapName.parse(LdapName.java:785) at javax.naming.ldap.LdapName.<init>(LdapName.java:123) at hudson.security.LDAPSecurityRealm$GroupDetailsMapper.mapAttributes(LDAPSecurityRealm.java:961) at hudson.security.LDAPSecurityRealm$GroupDetailsMapper.mapAttributes(LDAPSecurityRealm.java:958) at jenkins.security.plugins.ldap.LDAPExtendedTemplate$SearchResultEnumeration.next(LDAPExtendedTemplate.java:163) at jenkins.security.plugins.ldap.LDAPExtendedTemplate.searchForFirstEntry(LDAPExtendedTemplate.java:74) Caused: org.acegisecurity.ldap.LdapDataAccessException: Unable to get first element; nested exception is javax.naming.InvalidNameException: Invalid name: "cn=DMGS/INF/ISI/BSL",ou=Entity,ou=FonctionnalGroup,dc=shom,dc=fr at jenkins.security.plugins.ldap.LDAPExtendedTemplate.searchForFirstEntry(LDAPExtendedTemplate.java:76) at hudson.security.LDAPSecurityRealm.searchForGroupName(LDAPSecurityRealm.java:894) at hudson.security.LDAPSecurityRealm.loadGroupByGroupname(LDAPSecurityRealm.java:875) at hudson.security.LDAPSecurityRealm.loadGroupByGroupname(LDAPSecurityRealm.java:847) at hudson.security.LDAPSecurityRealm$DescriptorImpl.validate(LDAPSecurityRealm.java:1902) at hudson.security.LDAPSecurityRealm$DescriptorImpl.doValidate(LDAPSecurityRealm.java:1594) at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627) at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343) at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:52) at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26) at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184) at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117) at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129) at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58) at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715) Caused: javax.servlet.ServletException at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:765) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845) at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248) at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58) at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649) at org.kohsuke.stapler.Stapler.service(Stapler.java:238) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:135) at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:138) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:49) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84) at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:92) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249) at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90) at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) at org.eclipse.jetty.server.Server.handle(Server.java:564) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:317) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110) at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124) at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)

           

          In my ldap's logs, It's seems the request for detecting what group belong each user ask for attrs=1.1.

          In ldapsearch man, "1.1" doesn't return any attribute.

          In my previous ldap plugin version (1.11), this request was asking for attribute cn.

          Oli Vier added a comment - I have the same problem (plugin version 1.20). Testing Ldap settings give me an error : javax.naming.InvalidNameException: Invalid name: "cn=mygroup,ou=Entity,ou=FonctionnalGroup,dc=shom,dc=fr at javax.naming.ldap.Rfc2253Parser.parseAttrType(Rfc2253Parser.java:155) at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:108) at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:70) at javax.naming.ldap.LdapName.parse(LdapName.java:785) at javax.naming.ldap.LdapName.<init>(LdapName.java:123) at hudson.security.LDAPSecurityRealm$GroupDetailsMapper.mapAttributes(LDAPSecurityRealm.java:961) at hudson.security.LDAPSecurityRealm$GroupDetailsMapper.mapAttributes(LDAPSecurityRealm.java:958) at jenkins.security.plugins.ldap.LDAPExtendedTemplate$SearchResultEnumeration.next(LDAPExtendedTemplate.java:163) at jenkins.security.plugins.ldap.LDAPExtendedTemplate.searchForFirstEntry(LDAPExtendedTemplate.java:74) Caused: org.acegisecurity.ldap.LdapDataAccessException: Unable to get first element; nested exception is javax.naming.InvalidNameException: Invalid name: "cn=DMGS/INF/ISI/BSL",ou=Entity,ou=FonctionnalGroup,dc=shom,dc=fr at jenkins.security.plugins.ldap.LDAPExtendedTemplate.searchForFirstEntry(LDAPExtendedTemplate.java:76) at hudson.security.LDAPSecurityRealm.searchForGroupName(LDAPSecurityRealm.java:894) at hudson.security.LDAPSecurityRealm.loadGroupByGroupname(LDAPSecurityRealm.java:875) at hudson.security.LDAPSecurityRealm.loadGroupByGroupname(LDAPSecurityRealm.java:847) at hudson.security.LDAPSecurityRealm$DescriptorImpl.validate(LDAPSecurityRealm.java:1902) at hudson.security.LDAPSecurityRealm$DescriptorImpl.doValidate(LDAPSecurityRealm.java:1594) at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627) at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343) at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:52) at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26) at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184) at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117) at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129) at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58) at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715) Caused: javax.servlet.ServletException at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:765) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845) at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248) at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58) at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649) at org.kohsuke.stapler.Stapler.service(Stapler.java:238) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:135) at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:138) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:49) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84) at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:92) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249) at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90) at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) at org.eclipse.jetty.server.Server.handle(Server.java:564) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:317) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110) at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124) at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)   In my ldap's logs, It's seems the request for detecting what group belong each user ask for attrs=1.1. In ldapsearch man, "1.1" doesn't return any attribute. In my previous ldap plugin version (1.11), this request was asking for attribute cn.

          Oleg Nenashev added a comment -

          In order to set proper expectation, I have unassigned Kohsuke from this tickets.
          Currently there is no Default assignee in the LDAP plugin, any contributions will be appreciated.

          Oleg Nenashev added a comment - In order to set proper expectation, I have unassigned Kohsuke from this tickets. Currently there is no Default assignee in the LDAP plugin, any contributions will be appreciated.

            Unassigned Unassigned
            estev82 Este Lopez
            Votes:
            1 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated: