Exception during Test LDAP settings in group search filter

    • Bug
    • Resolution: Unresolved
    • Minor
    • ldap-plugin
    • None
    • Jenkins 2.121.3, ldap-plugin 1.20

      As I configure LDAP and press Test LDAP settings, then fill my user ID and password, the following exception appears.

      I understand that "/" must be escaped in LDAP queries as \27.

      The Group search filter is (&(objectclass=group)(cn={0})) .

      Some other user IDs are not causing exceptions as they are not members of those fancy groups. Our productive use with simple named groups is not affected.

      Removing the search filter also gets rid of the exception, but then groups cannot be used for authorization at all. (active directory)

       

      javax.naming.InvalidNameException: Invalid name: "CN=BU1/XDEP,OU=Departments,OU=Bu00,OU=Distributionlists,OU=Cng4,DC=EU",DC=example,DC=com
      at javax.naming.ldap.Rfc2253Parser.parseAttrType(Rfc2253Parser.java:155)
      at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:108)
      at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:70)
      at javax.naming.ldap.LdapName.parse(LdapName.java:785)
      at javax.naming.ldap.LdapName.<init>(LdapName.java:123)
      at hudson.security.LDAPSecurityRealm$GroupDetailsMapper.mapAttributes(LDAPSecurityRealm.java:972)
      at hudson.security.LDAPSecurityRealm$GroupDetailsMapper.mapAttributes(LDAPSecurityRealm.java:969)
      at jenkins.security.plugins.ldap.LDAPExtendedTemplate$SearchResultEnumeration.next(LDAPExtendedTemplate.java:163)
      at jenkins.security.plugins.ldap.LDAPExtendedTemplate.searchForFirstEntry(LDAPExtendedTemplate.java:74)
      Caused: org.acegisecurity.ldap.LdapDataAccessException: Unable to get first element; nested exception is javax.naming.InvalidNameException: Invalid name: "CN=BU1/XDEP,OU=Departments,OU=Bu00,OU=Distributionlists,OU=Cng4,DC=EU",DC=example,DC=com
      at jenkins.security.plugins.ldap.LDAPExtendedTemplate.searchForFirstEntry(LDAPExtendedTemplate.java:76)
      at hudson.security.LDAPSecurityRealm.searchForGroupName(LDAPSecurityRealm.java:895)
      at hudson.security.LDAPSecurityRealm.loadGroupByGroupname(LDAPSecurityRealm.java:876)
      at hudson.security.LDAPSecurityRealm.loadGroupByGroupname(LDAPSecurityRealm.java:848)
      at hudson.security.LDAPSecurityRealm$DescriptorImpl.validate(LDAPSecurityRealm.java:1903)
      at hudson.security.LDAPSecurityRealm$DescriptorImpl.doValidate(LDAPSecurityRealm.java:1595)
      at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
      at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
      at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
      at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
      at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
      at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
      at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
      at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:734)
      Caused: javax.servlet.ServletException
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:784)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
      at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)

      ...
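
Added example, not part of the issue or of the ldap-plugin source: the trace shows a quoted relative name followed by the search base, which is the shape produced when a JNDI composite-name component containing "/" is concatenated with the base DN without being decoded first. That cause is an assumption drawn from the trace, and the class name, helper names and shortened sample DN below are constructed for illustration.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class QuotedDnDemo {
    // Constructed sample modelled on the trace: the relative name arrives as a
    // quoted composite-name component because it contains "/".
    static final String RELATIVE = "\"CN=BU1/XDEP,OU=Departments,DC=EU\"";
    static final String BASE = "DC=example,DC=com";

    /** Plain string concatenation: yields the kind of string seen in the exception. */
    static String naive(String relative) {
        return relative + "," + BASE;
    }

    /** Decode the composite name first, then append its RDNs to the base DN. */
    static LdapName decoded(String relative) throws InvalidNameException {
        CompositeName composite = new CompositeName(relative);
        LdapName dn = new LdapName(BASE);
        // An empty relative name means the entry is the search base itself;
        // appending nothing avoids a leading "," in the resulting DN.
        if (!composite.isEmpty()) {
            dn.addAll(new LdapName(composite.get(0)).getRdns());
        }
        return dn;
    }

    public static void main(String[] args) throws Exception {
        try {
            new LdapName(naive(RELATIVE));
            System.out.println("naive: parsed (unexpected)");
        } catch (InvalidNameException e) {
            // The parser rejects the leading quote while reading the attribute type.
            System.out.println("naive: " + e.getMessage());
        }
        // "/" needs no escaping inside a DN once the composite quoting is removed.
        System.out.println("decoded: " + decoded(RELATIVE));
        // Empty relative name: the result is just the base DN.
        System.out.println("empty:   " + decoded(""));
    }
}
```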

          [JENKINS-53189] Exception during Test LDAP settings in group search filter

          Esmat Hassan added a comment -

          I face the same issue, is there a solution for it?

          Belinda Cowey added a comment -

          I get a similar issue, with

          group search base: cn=jenkins-admins,ou=Groups
          group search filter: (&(objectclass=groupOfNames)(cn={0}))   (or blank)
          javax.naming.InvalidNameException: Invalid name: ,cn=jenkins-admins,ou=Groups,dc=xxx,dc=xxx

          If I use

          group search base: cn=jenkins-admins,ou=Groups
          group search filter: (&(objectclass=group)(cn={0}))
          Lookup
          User lookup: successful
          User groups consistent (login and lookup)
            LDAP Group lookup: failed for 1 group:jenkins-admins
          Does the Manager Dn have permissions to perform group lookup?
          Are the group search base and group search filter settings correct?

          Christian Opitz added a comment -

          Same issue here. Any workaround known?

          Christian Opitz added a comment -

          It seems that if you add quotation marks it is working. Not nice, but might be a helpful workaround:

          (&(objectclass=group)(cn="{0}"))

            Assignee: Unassigned
            Reporter: Peter Vohmann (pvohmann)