Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-55950

Remember me causes excessive requests to LDAP Server after changing passwords

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Blocker Blocker
    • core
    • Windows Server 2012 R2 Standard.
      Jenkins ver. 2.150.2

      In our company it is mandatory to change the passwords regularly. The last batch of password changes caused an overload on the LDAP-Server (Kerberos). It took a long time to figure out the cause:

      Due to the remember me and the corresponding cookie a user grants access to the Jenkins automatically although his password changed. In the background the Jenkins starts to poll the LDAP-Server. Like that a single user causes an overload to the LDAP Server. The IT then simply isolates the Jenkins - making it unavailable. As soon as the user logs out and in again the LDAP requests quite down. 

      An image of the stacktrace is attached that I assume to show the corresponding code area.

      Workaround: We sent a mail to all our Jenkins-Users to logout an all running instances immediately. This is unreliable as some fail to follow this instructions causing the service to be offline frequently. A clear password cache does not seem to be possible as administrator.

        1. Stacktrace.gif
          Stacktrace.gif
          66 kB

          [JENKINS-55950] Remember me causes excessive requests to LDAP Server after changing passwords

          Vladimir Zdravkovic added a comment -

          Hi quick question, is there any UI issues in regards to this?
          Because what I found out is that while you are logged in with the "Remember me" the UI starts to lag and the entire web part of Jenkins takes a lot of time to load anything. The CPU usage on the server is at minimum so it's not the backend issues.

          Logging out of Jenkins and logging in back makes everything super fast again! A valid note here is that my Jenkins master is hosted locally so there shouldn't be any network latency.

          Vladimir Zdravkovic added a comment - Hi quick question, is there any UI issues in regards to this? Because what I found out is that while you are logged in with the "Remember me" the UI starts to lag and the entire web part of Jenkins takes a lot of time to load anything. The CPU usage on the server is at minimum so it's not the backend issues. Logging out of Jenkins and logging in back makes everything super fast again! A valid note here is that my Jenkins master is hosted locally so there shouldn't be any network latency.

          Robert Ilg added a comment - - edited

          Yeah, that's a detail I forgot to add. It's exactly the way you describe it.

          Robert Ilg added a comment - - edited Yeah, that's a detail I forgot to add. It's exactly the way you describe it.

          Vladimir Zdravkovic added a comment -

          Also forgot to mention that we are running the latest version: 2.163

          Vladimir Zdravkovic added a comment - Also forgot to mention that we are running the latest version: 2.163

          Daniel Beck added a comment -

          FWIW the fix for SECURITY-901 might allow you a workaround. Click 'Invalidate all sessions' (or similar) in a user profile in Jenkins.

          Beyond that, wfollonier? Any idea?

          Daniel Beck added a comment - FWIW the fix for SECURITY-901 might allow you a workaround. Click 'Invalidate all sessions' (or similar) in a user profile in Jenkins. Beyond that, wfollonier ? Any idea?

          Wadeck Follonier added a comment -

          Hello robert_ilg,

          Thank you for the report. In addition to the new feature we added recently as mentioned by Daniel, I can propose you to configure the cache in the LDAP plugin, as explained in details in this page. That could resolve your problem.

          Wadeck Follonier added a comment - Hello robert_ilg , Thank you for the report. In addition to the new feature we added recently as mentioned by Daniel, I can propose you to configure the cache in the LDAP plugin, as explained in details in this page . That could resolve your problem.

            Unassigned Unassigned
            robert_ilg Robert Ilg
            Votes:
            3 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated: