JENKINS-56421

Reverse Proxy Auth Plugin 1.6.3 broke LDAP anonymous BIND


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Not A Defect
    • Labels:
      None
    • Environment:
      Jenkins 2.166, Reverse Proxy Auth Plugin 1.6.3

      Description

      I have updated Jenkins to 2.166 and all latest plugin updates. Going from Reverse Proxy Auth Plugin 1.5 to 1.6.3 has broken my SSL config that was previously working. Anonymous BIND to our LDAP is no longer working and is trying to BIND with the username, which is not allowed. We do not store any password info in LDAP. What does work is the resolution in Matrix-based security section of our users from the HTTP Header by reverse proxy Server. I did try adding the CN manager and password for an authenticated BIND but it did not change my error. I can get back to a working system by reverting to reverse proxy 1.5, except I have issues saving changes to views with this downrev reverse proxy 1.5. Is this a known issue or do you have troubleshooting recommendations? This error is preventing forward progress on an up-to-date Jenkins deployment.

      Mar 05, 2019 12:00:24 PM org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2 handleBindException
      WARNING: Failed to bind to LDAP: userDnuid=myusername,ou=People, my root DN username=myusername
      javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
      at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
      at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
      at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
      at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
      at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
      at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
      at javax.naming.InitialContext.init(InitialContext.java:244)
      at javax.naming.InitialContext.<init>(InitialContext.java:216)
      at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
      at org.acegisecurity.ldap.DefaultInitialDirContextFactory.connect(DefaultInitialDirContextFactory.java:180)
      at org.acegisecurity.ldap.DefaultInitialDirContextFactory.newInitialDirContext(DefaultInitialDirContextFactory.java:261)
      at org.acegisecurity.ldap.LdapTemplate.execute(LdapTemplate.java:123)
      at org.acegisecurity.ldap.LdapTemplate.retrieveEntry(LdapTemplate.java:165)
      at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.bindWithDn(BindAuthenticator.java:87)
      at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.authenticate(BindAuthenticator.java:72)
      at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2.authenticate(BindAuthenticator2.java:49)
      at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:233)
      at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
      at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
      at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
      at jenkins.security.BasicHeaderRealPasswordAuthenticator.authenticate(BasicHeaderRealPasswordAuthenticator.java:56)
      at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:79)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
      at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
      at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
      at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
      at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
      at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
      at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
      at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
      at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
      at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
      at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
      at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
      at org.eclipse.jetty.server.Server.handle(Server.java:503)
      at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
      at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
      at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
      at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
      at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
      at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
      at java.lang.Thread.run(Thread.java:748)


          Activity

          tbouvet Timothy Bouvet added a comment - - edited

          It appears to me that reverse proxy 1.6.3 has changed the way it connects to the LDAP server from reverse proxy 1.5, which worked just fine. Even with the manager password specified (did not need that in version 1.5 for anonymous bind) in the HTTP Header by reverse proxy Manager DN and password, the connection to LDAP attempts a BIND as the user, which we do not allow.

          tbouvet Timothy Bouvet added a comment -

          Looking at this page, I may have found the answer by adding RequestHeader unset Authorization
          https://wiki.jenkins.io/display/JENKINS/Reverse+Proxy+Auth+Plugin

          In my /etc/httpd/conf.d/ssl.conf

          in <VirtualHost default:443> stanza

          ServerName myserver
          RequestHeader unset Authorization
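
          A check for the fix in the comment above, as an added example (not from the issue or the plugin's code). The stack trace reaches LDAP through jenkins.security.BasicHeaderProcessor, which acts on a Basic Authorization header, so a proxy that forwards that header makes Jenkins attempt a bind as the user. The script flags VirtualHost blocks that proxy without `RequestHeader unset Authorization`; the host names, backend URL and X-Forwarded-User header name are assumptions.

```python
import re

# Constructed sample: two vhosts fronting Jenkins. Host names, the backend URL
# and the X-Forwarded-User header name are assumptions for illustration.
SAMPLE_CONF = """
<VirtualHost _default_:443>
    ServerName before.example
    RequestHeader set X-Forwarded-User %{RU}e
    ProxyPass / http://127.0.0.1:8080/
</VirtualHost>
<VirtualHost _default_:443>
    ServerName after.example
    # Client credentials stop at the proxy.
    RequestHeader unset Authorization
    RequestHeader set X-Forwarded-User %{RU}e
    ProxyPass / http://127.0.0.1:8080/
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.I | re.S)

def directives(body):
    """Yield (name, args) per directive, skipping comments and blank lines."""
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            yield parts[0].lower(), [p.strip('"').lower() for p in parts[1:]]

def vhosts_forwarding_authorization(conf_text):
    """Return the name of each proxying vhost that never unsets Authorization."""
    flagged = []
    for addr, body in VHOST_RE.findall(conf_text):
        name, proxies, unsets = addr.strip(), False, False
        for directive, args in directives(body):
            if directive == "servername" and args:
                name = args[0]
            elif directive in ("proxypass", "proxypassmatch"):
                proxies = True
            elif directive == "requestheader" and args[:2] == ["unset", "authorization"]:
                unsets = True
        if proxies and not unsets:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for host in vhosts_forwarding_authorization(SAMPLE_CONF):
        print(f"{host}: Authorization header reaches Jenkins")
```

          The check is textual only: it does not follow Include files or evaluate conditional sections, so run it on the fully assembled configuration.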

           

          jglick Jesse Glick added a comment -

          Closing according to the latest comments.


            People

            Assignee:
            Unassigned
            Reporter:
            tbouvet Timothy Bouvet