• Bug
    • Resolution: Postponed
    • Major
    • core
    • None
    • Platform: PC, OS: Linux

      We have a perfectly fine LDAP server setup that things like ReviewBoard uses for
      authentication. However, Hudson does not.

      Example session when querying the user "chainsaw" via ldapsearch:
      -----------------------------------------------------------------
      ldapsearch -h 192.168.1.103 -x -D "cn=Manager,dc=domain,dc=name" -W uid=chainsaw
      Enter LDAP Password: somethingdarkside

      # extended LDIF
      #
      # LDAPv3
      # base <> with scope subtree
      # filter: uid=chainsaw
      # requesting: ALL
      #

      # Jens B\C3\A4ckman, People, domain.name
      uid: chainsaw
      homeDirectory: /home/chainsaw
      loginShell: /bin/bash
      objectClass: inetOrgPerson
      objectClass: posixAccount
      objectClass: top
      much-more-stuff-here-but-snipped

      # search result
      search: 2
      result: 0 Success

      # numResponses: 2
      # numEntries: 1

      Hudson config file, the important parts:
      -----------------------------------------------------------------
      <version>1.319</version>
      <securityRealm class="hudson.security.LDAPSecurityRealm">
      <server>domain.name</server>
      <rootDN></rootDN>
      <userSearchBase></userSearchBase>
      <userSearch>uid={0}</userSearch>
      <managerDN>cn=Manager,dc=domain,dc=name</managerDN>
      <managerPassword>somethingdarkside</managerPassword>
      </securityRealm>

      Hudson backtrace:
      -----------------------------------------------------------------
      2009-aug-11 11:45:21 hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
      INFO: Login attempt failed
      org.acegisecurity.AuthenticationServiceException: LdapCallback;[LDAP: error code 32 - No Such Object]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''; nested exception is org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;[LDAP: error code 32 - No Such Object]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''
      at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:238)
      at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:119)
      at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:195)
      at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
      at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71)
      at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:155)
      at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
      at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
      at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
      at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:244)
      at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
      at java.lang.Thread.run(Thread.java:636)
      Caused by: org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;[LDAP: error code 32 - No Such Object]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''
      at org.acegisecurity.ldap.LdapTemplate$LdapExceptionTranslator.translate(LdapTemplate.java:295)
      at org.acegisecurity.ldap.LdapTemplate.execute(LdapTemplate.java:128)
      at org.acegisecurity.ldap.LdapTemplate.searchForSingleEntry(LdapTemplate.java:246)
      at org.acegisecurity.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:119)
      at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.authenticate(BindAuthenticator.java:71)
      at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2.authenticate(BindAuthenticator2.java:49)
      at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:233)
      ... 19 more
      Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''
      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3057)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2785)
      at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1839)
      at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
      at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1779)
      at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)
      at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394)
      at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
      at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:284)
      at org.acegisecurity.ldap.LdapTemplate$3.doInDirContext(LdapTemplate.java:249)
      at org.acegisecurity.ldap.LdapTemplate.execute(LdapTemplate.java:126)
      ... 24 more

          [JENKINS-4195] Authentication via LDAP fails

          czw added a comment -

          Turned on debugging on the server side, and got these messages. Ordinary login
          via SSH gives these messages:

          SRCH "dc=titv,dc=se" 2 0 1 0 0
          filter: (&(objectClass=shadowAccount)(uid=chainsaw))
          attrs: uid userPassword shadowLastChange shadowMax shadowMin shadowWarning
          shadowInactive shadowExpire shadowFlag
          bdb_idl_fetch_key: [b49d1940]
          bdb_idl_fetch_key: [64a68d50]
          <= bdb_equality_candidates: (uid) not indexed
          send_ldap_result: err=0 matched="" text=""

          Logging in via Hudson (and failing) gives me this:

          SRCH "dc=titc,dc=se" 2 3 0 0 0
          filter: (&(objectClass=shadowAccount)(uid=chainsaw))
          attrs:
          send_ldap_result: err=10 matched="" text=""

          Alan Harder added a comment -

          any luck with this? I noticed titv.se vs titc.se in your server logging
          output.. any chance there's a typo in the hudson config?

          czw added a comment -

          The C instead of V seems to be a slip when editing the post or something, it's
          configured correctly. Just double checked the config files and doing another
          login attempt, it still doesn't work. In order to get something working, we
          switched to PAM authentication. At least it's a workaround.

          Alan Harder added a comment -

          We have a test build using Spring Security 2.0.5 (upgraded from 1.0.5 (acegi) used by Hudson today).. if you'd like to try it out, get this: http://moshpit.org/hudson.war
          Please let me know if you can try a test install with this hudson.war and if it works with your LDAP.. otherwise let me know if we can close this issue, thanks.

          kgoess added a comment -

          We were seeing this error, and it turned out that Hudson is looking for "ou=Groups" while we used "ou=Group" as the Group Search Base. We originally had nothing entered in that field, relying on the default value. Changing it to "ou=Group,dc=XXX,dc=com" solved our problem.

          The "No Such Object" in the error message and ngrepping the ldap conversation were the keys to the solution.
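An added example, not part of the original thread or of Hudson's code: a Python parser that pairs each `SRCH` base in slapd debug output with the `send_ldap_result` code that follows it and suggests the closest DN from a list known to exist on the server. The first two log entries come from the server-side logging quoted earlier in this thread; the `ou=Groups` entry, the `dc=example,dc=com` DNs, and every function and variable name are constructed for illustration.

```python
import difflib
import re

# LDAP result codes seen in this thread (names per RFC 4511).
RESULT_NAMES = {0: "success", 10: "referral", 32: "noSuchObject"}
SRCH_RE = re.compile(r'SRCH "([^"]*)"')
RESULT_RE = re.compile(r"send_ldap_result: err=(\d+)")

# Sample log: first two entries from the thread, third entry constructed.
SAMPLE_LOG = '''\
SRCH "dc=titv,dc=se" 2 0 1 0 0
send_ldap_result: err=0 matched="" text=""
SRCH "dc=titc,dc=se" 2 3 0 0 0
send_ldap_result: err=10 matched="" text=""
SRCH "ou=Groups,dc=example,dc=com" 2 3 0 0 0
send_ldap_result: err=32 matched="dc=example,dc=com" text=""
'''
# Assumed inventory of DNs that really exist in the directory (constructed).
KNOWN_DNS = ["dc=titv,dc=se", "ou=Group,dc=example,dc=com",
             "ou=People,dc=example,dc=com"]


def normalize_dn(dn):
    """Lower-case a DN and trim spaces around ',' and '=' (escaped commas not handled)."""
    parts = [p.strip() for p in dn.split(",") if p.strip()]
    return ",".join("=".join(s.strip() for s in p.split("=", 1)).lower() for p in parts)


def failed_searches(log_text, known_dns):
    """Return one finding per search whose result code is non-zero."""
    known = {normalize_dn(d): d for d in known_dns}
    findings, base = [], None
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            base = m.group(1)          # remember the base until its result arrives
            continue
        m = RESULT_RE.search(line)
        if m and base is not None:
            err = int(m.group(1))
            if err != 0:
                close = difflib.get_close_matches(normalize_dn(base), list(known), n=1, cutoff=0.8)
                findings.append({"base": base, "err": err,
                                 "name": RESULT_NAMES.get(err, "other"),
                                 "suggestion": known[close[0]] if close else None})
            base = None
    return findings


if __name__ == "__main__":
    for finding in failed_searches(SAMPLE_LOG, KNOWN_DNS):
        print(finding)
```

A suggestion that differs from the failing base by one or two characters points at a mistyped or defaulted search base in the client configuration rather than a server fault.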

          Alan Harder added a comment -

          Let us know if you can try a test install with the above hudson.war and if it works with your LDAP.. otherwise let us know if we can close this issue, thanks.

          Alan Harder added a comment -

          Will close soon without further input, thanks.

          Alan Harder added a comment -

          No response.. closing. If you can try the spring framework 2.0.5 build above (I recently updated it to near-Hudson-1.350), let us know the results, thanks.

          kolv99 added a comment -

          Hi!
          Tested the build with Spring Security referred to above, NOT OK. Please refer to Issue Hudson-7545.
          Anyone that knows of a working Hudson setup with / openLDAP / https /No Apache Front end?

          Regards

          /kolv99

          kolv99 added a comment -

          Errors with Spring Sec build

            Unassigned
            czw