Jenkins / JENKINS-42465

LDAP lockout when using Gerrit HTTP password


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component: sonar-gerrit-plugin
    • Labels: None
    • Environment: Jenkins 2.32.1, Sonar Gerrit Plugin 1.0.7.6, Gerrit 2.12.2

    Description

      We have a Gerrit server configured to authenticate users against LDAP. However, we have configured Gerrit integration processes to use an LDAP service account and configured the Jenkins Gerrit integration to authenticate with a Gerrit HTTP password when accessing the REST API. This causes our service account to become locked out due to invalid authentication attempts.

      This is happening because the underlying java library being used by the sonar-gerrit-plugin (com.urswolfer.gerrit.client.rest:gerrit-rest-java-client:0.8.5) attempts to authenticate all requests against the Gerrit /login page in order to obtain a session cookie. This does not work when using Gerrit HTTP passwords against a server which is configured to authenticate against LDAP. The java client will attempt to pass the Gerrit HTTP password to the /login page for authentication, which Gerrit then attempts to validate against LDAP, causing a failed authentication attempt. After multiple client calls, the account becomes locked out in LDAP and cannot be used by other processes which might also be using the same credentials to authenticate against LDAP.

        Activity

          shawnstafford Shawn Stafford created issue -

          Here is a description of the underlying gerrit-rest-java-client defect:
          https://github.com/uwolfer/gerrit-rest-java-client/issues/46

          A fix for this issue is available in the 0.8.11 release of the client. I then submitted the following pull request to upgrade the sonar-gerrit-plugin to use the latest version (0.8.11) of this client and to invoke the new GerritAuthData constructor with an additional argument which will allow the client to bypass the /login page when a Gerrit HTTP password is being used:
          https://github.com/jenkinsci/sonar-gerrit-plugin/pull/17

          Please review the pull request and release a new version of the sonar-gerrit-plugin when possible. This will help us to prevent the LDAP lock-out issue that we are currently experiencing.
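          As an added illustration (not code from the plugin, the client library or the pull request), the change the pull request describes, seen from the client side: the three-argument GerritAuthData.Basic makes the client post the credentials to /login for a session cookie, which an LDAP-backed Gerrit turns into a failed LDAP bind, while the 0.8.11 constructor's extra boolean (assumed here to mean "this secret is a Gerrit HTTP password") makes the client skip /login and send the credentials as HTTP authentication on the /a/ REST prefix instead. The host and user values are placeholders, and the factory and accounts calls are the client library's API as I recall it; confirm them against the 0.8.11 release.

```java
import com.google.gerrit.extensions.api.GerritApi;
import com.google.gerrit.extensions.common.AccountInfo;
import com.urswolfer.gerrit.client.rest.GerritAuthData;
import com.urswolfer.gerrit.client.rest.GerritRestApiFactory;

public class GerritHttpPasswordAuth {
    public static void main(String[] args) throws Exception {
        String host = "https://gerrit.example.invalid"; // placeholder
        String user = "ci-service-account";             // placeholder LDAP service account
        String httpPassword = System.getenv("GERRIT_HTTP_PASSWORD"); // generated in Gerrit, not the LDAP password

        // BEFORE (gerrit-rest-java-client 0.8.5, sonar-gerrit-plugin 1.0.7.6):
        // the client sends these credentials to /login to obtain a session cookie.
        // With LDAP authentication configured, Gerrit forwards the HTTP password to
        // LDAP as a bind, the bind fails, and every call counts toward the LDAP lockout.
        // GerritAuthData before = new GerritAuthData.Basic(host, user, httpPassword);

        // AFTER (client 0.8.11, sonar-gerrit-plugin 1.0.8): the fourth argument
        // (assumed name: httpPassword) marks the secret as a Gerrit HTTP password, so the
        // client never touches /login and authenticates each REST call on the /a/ prefix.
        GerritAuthData after = new GerritAuthData.Basic(host, user, httpPassword, true);

        GerritApi api = new GerritRestApiFactory().create(after);

        // One self-lookup is enough to verify the change: it should succeed here and the
        // LDAP server's log should show no failed bind for the service account.
        AccountInfo me = api.accounts().self().get();
        System.out.println("Authenticated as " + me.username);
    }
}
```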

          aquarellian Tatiana Didik added a comment -

          Fixed 1.0.8

          aquarellian Tatiana Didik made changes -

          Field      | Original Value | New Value
          Resolution |                | Fixed [ 1 ]
          Status     | Open [ 1 ]     | Resolved [ 5 ]

          People

            Assignee: aquarellian Tatiana Didik
            Reporter: shawnstafford Shawn Stafford