Remember me causes excessive requests to LDAP Server after changing passwords

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Blocker
    • Component: core
    • Environment: Windows Server 2012 R2 Standard.
      Jenkins ver. 2.150.2

      In our company it is mandatory to change the passwords regularly. The last batch of password changes caused an overload on the LDAP-Server (Kerberos). It took a long time to figure out the cause:

      Due to "Remember me" and the corresponding cookie, a user is granted access to Jenkins automatically although his password has changed. In the background, Jenkins starts to poll the LDAP server. That way, a single user causes an overload on the LDAP server. The IT then simply isolates the Jenkins, making it unavailable. As soon as the user logs out and in again, the LDAP requests quiet down.

      An image of the stack trace is attached, which I assume shows the corresponding code area.

      Workaround: We sent a mail to all our Jenkins users to log out on all running instances immediately. This is unreliable, as some fail to follow these instructions, causing the service to be offline frequently. Clearing the password cache does not seem to be possible as administrator.

          [JENKINS-55950] Remember me causes excessive requests to LDAP Server after changing passwords

          Robert Ilg created issue -

          Vladimir Zdravkovic added a comment -

          Hi, quick question: are there any UI issues in regard to this?
          Because what I found out is that while you are logged in with "Remember me", the UI starts to lag and the entire web part of Jenkins takes a lot of time to load anything. The CPU usage on the server is at a minimum, so it's not a backend issue.

          Logging out of Jenkins and logging back in makes everything super fast again! A valid note here is that my Jenkins master is hosted locally, so there shouldn't be any network latency.

          Robert Ilg added a comment - edited

          Yeah, that's a detail I forgot to add. It's exactly the way you describe it.

          Vladimir Zdravkovic added a comment -

          Also forgot to mention that we are running the latest version: 2.163

          Daniel Beck added a comment -

          FWIW the fix for SECURITY-901 might allow you a workaround. Click 'Invalidate all sessions' (or similar) in a user profile in Jenkins.

          Beyond that, wfollonier? Any idea?

          Wadeck Follonier added a comment -

          Hello robert_ilg,

          Thank you for the report. In addition to the new feature we added recently, as mentioned by Daniel, I can suggest that you configure the cache in the LDAP plugin, as explained in detail on this page. That could resolve your problem.

            Assignee: Unassigned
            Reporter: Robert Ilg (robert_ilg)
            Votes: 3
            Watchers: 4