Jenkins / JENKINS-55950

Remember me causes excessive requests to LDAP Server after changing passwords

    Details

    • Type: Bug
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Component/s: core
    • Labels:
    • Environment:
      Windows Server 2012 R2 Standard.
      Jenkins ver. 2.150.2
      Description

      In our company it is mandatory to change the passwords regularly. The last batch of password changes caused an overload on the LDAP-Server (Kerberos). It took a long time to figure out the cause:

      Due to the remember me and the corresponding cookie a user grants access to the Jenkins automatically although his password changed. In the background the Jenkins starts to poll the LDAP-Server. Like that a single user causes an overload to the LDAP Server. The IT then simply isolates the Jenkins - making it unavailable. As soon as the user logs out and in again the LDAP requests quiet down.

      An image of the stacktrace is attached that I assume to show the corresponding code area.

      Workaround: We sent a mail to all our Jenkins-Users to log out on all running instances immediately. This is unreliable as some fail to follow these instructions, causing the service to be offline frequently. A clear password cache does not seem to be possible as administrator.

          Activity

          vlazdra Vladimir Zdravkovic added a comment -

          Hi, quick question: are there any UI issues in regard to this?
          Because what I found out is that while you are logged in with the "Remember me" the UI starts to lag and the entire web part of Jenkins takes a lot of time to load anything. The CPU usage on the server is at minimum so it's not a backend issue.

          Logging out of Jenkins and logging in back makes everything super fast again! A valid note here is that my Jenkins master is hosted locally so there shouldn't be any network latency.

          robert_ilg Robert Ilg added a comment - edited

          Yeah, that's a detail I forgot to add. It's exactly the way you describe it.

          vlazdra Vladimir Zdravkovic added a comment -

          Also forgot to mention that we are running the latest version: 2.163

          danielbeck Daniel Beck added a comment -

          FWIW the fix for SECURITY-901 might allow you a workaround. Click 'Invalidate all sessions' (or similar) in a user profile in Jenkins.

          Beyond that, Wadeck Follonier? Any idea?

          wfollonier Wadeck Follonier added a comment -

          Hello Robert Ilg,

          Thank you for the report. In addition to the new feature we added recently as mentioned by Daniel, I can suggest that you configure the cache in the LDAP plugin, as explained in detail on this page. That could resolve your problem.


            People

            Assignee: Unassigned
            Reporter: robert_ilg Robert Ilg
            Votes: 3
            Watchers: 4
