- Bug
- Resolution: Unresolved
- Major
- Jenkins 2.73.3, LDAP Plugin 1.18
I've added my cert to the Java keystore. I've configured my LDAP properly. I've confirmed that these settings DO work. However, they work intermittently.
I'm running the Groovy script as specified in this link:
https://wiki.jenkins.io/display/JENKINS/LDAP+Plugin#LDAPPlugin-Troubleshooting
Sometimes running this script works, and I get the proper results back from my script. Other times, I get the following error:
LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: <hostname>.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]; nested exception is org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: hq.versive.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]
Changing the configs under "Configure Global Security" seems to help occasionally. If I change a setting in the config and save it, I can run this query successfully. However, if I reload the script page (or wait a few minutes) the Groovy script goes back to giving the same error.
I've also downloaded the SSLPoke tool from Atlassian to debug:
This tool works just fine from my Jenkins server command line, 100% of the time. I've confirmed that if I remove the cert from my keystore I can replicate the same error I'm seeing in my Jenkins logs. But when the cert is in the keystore, the SSLPoke tool works fine.
Here's a case where I run the Groovy script and it passes the first two times, but fails on the last:
(I redacted LDAP info)
Checking the name '<group name>'... It is a GROUP: hudson.security.LDAPSecurityRealm$GroupDetailsImpl@83cbc2
Checking the name '<user name>'... It is a USER: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@29284818 Has groups/authorities: [<groups>]
Checking the name 'foo'... It is NOT a group, reason: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: hq.versive.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]] It is NOT a user, reason: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: hq.versive.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]; nested exception is org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: hq.versive.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]
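A diagnostic that can be pasted into the Jenkins script console (Manage Jenkins > Script Console), added here as an example; it is not part of this report, of the wiki troubleshooting script, or of the LDAP plugin. It reports which trust store the Jenkins JVM is actually using, performs a TLS handshake to the LDAPS host with that JVM's default trust managers, and prints the certificate chain the server presented even when PKIX validation fails, so the issuer that must be in the keystore can be read off directly. The host and port are placeholders; substitute the host:port named in the CommunicationException.

```groovy
import javax.net.ssl.*
import java.security.KeyStore
import java.security.cert.X509Certificate

// Placeholders (assumptions): use the host:port that appears in the CommunicationException.
String host = "ldap.example.com"
int port = 636

// Records the chain the server presented before handing it to the JVM's default
// validator, so the chain is still available for inspection after a PKIX failure.
class CapturingTrustManager implements X509TrustManager {
    final X509TrustManager delegate
    X509Certificate[] seen = new X509Certificate[0]
    CapturingTrustManager(X509TrustManager d) { delegate = d }
    void checkClientTrusted(X509Certificate[] chain, String authType) { delegate.checkClientTrusted(chain, authType) }
    void checkServerTrusted(X509Certificate[] chain, String authType) {
        seen = chain                                   // keep a copy first
        delegate.checkServerTrusted(chain, authType)   // then validate exactly as the JVM would
    }
    X509Certificate[] getAcceptedIssuers() { delegate.acceptedIssuers }
}

// Which trust store is the Jenkins JVM really using? Unset means the JRE's own cacerts.
println "java.home                = ${System.getProperty('java.home')}"
println "javax.net.ssl.trustStore = ${System.getProperty('javax.net.ssl.trustStore') ?: '(unset, JRE default cacerts)'}"

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
tmf.init((KeyStore) null)   // null = the JVM default trust store
def capturing = new CapturingTrustManager(tmf.trustManagers.find { it instanceof X509TrustManager } as X509TrustManager)
println "Trusted issuers in that store: ${capturing.acceptedIssuers.length}"

// Chain trust only; this does not perform hostname verification.
SSLContext ctx = SSLContext.getInstance("TLS")
ctx.init(null, [capturing] as TrustManager[], null)
SSLSocket sock = (SSLSocket) ctx.socketFactory.createSocket(host, port)
try {
    sock.startHandshake()
    println "Handshake with ${host}:${port} OK"
} catch (SSLHandshakeException e) {
    println "Handshake with ${host}:${port} FAILED: ${e.message}"
} finally {
    sock.close()
}

// Print the presented chain either way; the issuer of the last entry is what the trust store must contain.
capturing.seen.eachWithIndex { X509Certificate c, int i ->
    println "  [${i}] subject=${c.subjectX500Principal.name}"
    println "       issuer=${c.issuerX500Principal.name} notAfter=${c.notAfter}"
}
```

Running it once while the wiki script succeeds and once while it fails shows whether the trust store path or the presented chain differs between the two runs.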