
LDAP tries to connect to DomainDNSZones, instead of connecting to the specified controller

      LDAP tries to connect to DomainDNSZones, instead of connecting to the specified controller. 

       

       

      This is a problem because we have one DC in a specific subnet that I don't have access to, and sometimes we try to connect to it. Because of this, sometimes we get an error:

       

      WARNING: Failed communication with ldap server JGkd1ZeRNKYEKqw498EhYw== (ldaps://appauth.corp.emc.com:636), will try the next configuration
      org.acegisecurity.AuthenticationServiceException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DomainDnsZones.corp.emc.com:636 [Root exception is java.net.SocketTimeoutException: connect timed out]]; nested exception is org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DomainDnsZones.corp.emc.com:636 [Root exception is java.net.SocketTimeoutException: connect timed out]]
          at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:238)
          at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
          at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
          at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
          at hudson.security.LDAPSecurityRealm$LDAPAuthenticationManager.authenticate(LDAPSecurityRealm.java:1006)
          at jenkins.security.BasicHeaderRealPasswordAuthenticator.authenticate(BasicHeaderRealPasswordAuthenticator.java:56)
          at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:79)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
          at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
          at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
          at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
          at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
          at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
          at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
          at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
          at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
          at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
          at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
          at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
          at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.Server.handle(Server.java:503)
          at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
          at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
          at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
          at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
          at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411)
          at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305)
          at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
          at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
          at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
          at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
          at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
          at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
          at java.lang.Thread.run(Thread.java:748)
      Caused by: org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DomainDnsZones.corp.emc.com:636 [Root exception is java.net.SocketTimeoutException: connect timed out]]
          at org.acegisecurity.ldap.LdapTemplate$LdapExceptionTranslator.translate(LdapTemplate.java:295)
          at org.acegisecurity.ldap.LdapTemplate.execute(LdapTemplate.java:128)
          at org.acegisecurity.ldap.LdapTemplate.searchForSingleEntry(LdapTemplate.java:246)
          at org.acegisecurity.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:119)
          at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.authenticate(BindAuthenticator.java:71)
          at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2.authenticate(BindAuthenticator2.java:49)
          at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:233)
          ... 52 more
      Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DomainDnsZones.corp.emc.com:636 [Root exception is java.net.SocketTimeoutException: connect timed out]]
          at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:237)
          at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
          at org.acegisecurity.ldap.LdapTemplate$3.doInDirContext(LdapTemplate.java:257)
          at org.acegisecurity.ldap.LdapTemplate.execute(LdapTemplate.java:126)
          ... 57 more
      Caused by: javax.naming.CommunicationException: DomainDnsZones.corp.emc.com:636 [Root exception is java.net.SocketTimeoutException: connect timed out]
          at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:96)
          at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:151)
          at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:325)
          at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
          ... 60 more
      Caused by: java.net.SocketTimeoutException: connect timed out
          at java.net.PlainSocketImpl.socketConnect(Native Method)
          at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
          at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
          at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
          at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
          at java.net.Socket.connect(Socket.java:589)
          at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:666)
          at sun.reflect.GeneratedMethodAccessor161.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:498)
          at com.sun.jndi.ldap.Connection.createSocket(Connection.java:323)
          at com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
          at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
          at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
          at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
          at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
          at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
          at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:151)
          at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:52)
          at javax.naming.spi.NamingManager.getURLObject(NamingManager.java:601)
          at javax.naming.spi.NamingManager.processURL(NamingManager.java:381)
          at javax.naming.spi.NamingManager.processURLAddrs(NamingManager.java:361)
          at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:333)
          at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:119)
          ... 63 more

      Thus, we can work because the next request is to be sent to other DCs.

      I tried specifying a specific DC as:

       

      ldaps://<FQDN>:636
      ldaps://<IP>:636
      ldaps://<IP>
      

       

       

      Does anyone know how to specify a URL on an LDAP server (DC) so that it only works with it?
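
Added example (not part of the original report, and not Jenkins or plugin code): a small Python triage over log text in the shape of the warning above. It separates failures against the configured server from failures against a different host reached while `com.sun.jndi.ldap.LdapReferral*` frames are on the stack, as in the trace. The function name `triage`, the `corp.example` hosts and the sample records are constructed for illustration.

```python
import re

# Constructed sample: two shortened WARNING records in the shape of the log above.
SAMPLE_LOG = (
    "WARNING: Failed communication with ldap server <id> "
    "(ldaps://dc01.corp.example:636), will try the next configuration "
    "nested exception is javax.naming.PartialResultException [Root exception is "
    "javax.naming.CommunicationException: DomainDnsZones.corp.example:636 "
    "[Root exception is java.net.SocketTimeoutException: connect timed out]] "
    "at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:96)\n"
    "WARNING: Failed communication with ldap server <id> "
    "(ldaps://dc01.corp.example:636), will try the next configuration "
    "javax.naming.CommunicationException: dc01.corp.example:636 "
    "[Root exception is java.net.SocketTimeoutException: connect timed out]\n"
)

RECORD_START = r"(?=WARNING: Failed communication with ldap server)"
# Host from the URL Jenkins was configured with, e.g. (ldaps://host:636)
CONFIGURED = re.compile(
    r"Failed communication with ldap server \S+ \(ldaps?://([^:/)\s]+)")
# Host the JVM actually failed to reach, from the CommunicationException message
CONTACTED = re.compile(r"javax\.naming\.CommunicationException: ([^\s:\[\]]+):\d+")
# Frames such as LdapReferralContext / LdapReferralException in the trace
REFERRAL_FRAME = "com.sun.jndi.ldap.LdapReferral"


def triage(log_text):
    """Return one finding per WARNING record in log_text."""
    findings = []
    for record in re.split(RECORD_START, log_text):
        match = CONFIGURED.search(record)
        if not match:
            continue  # text before the first record, or an unrelated line
        configured = match.group(1).lower()
        failed = sorted({h.lower() for h in CONTACTED.findall(record)})
        off_target = [h for h in failed if h != configured]
        findings.append({
            "configured": configured,
            "failed_hosts": failed,
            "off_target": off_target,
            # True only when a host other than the configured one failed
            # AND the JNDI referral code path is on the stack.
            "referral_chase": bool(off_target) and REFERRAL_FRAME in record,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Records with `referral_chase` set are the ones where the timeout happened on a referral target rather than on the server named in the configuration.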

       

       

       

          [JENKINS-59639] LDAP tries to connect to DomainDNSZones, instead of connecting to the specified controller

          Marc S. added a comment -

          We have the same error on our system, same log entry.

          The main behavior for users is that sometimes users can not log in.

          After some research with wireguard on the LDAP servers' site, we see this behavior:

          1. Search request for configured group with the configured filter {example: (&(objectclass=group)(cn=group1))} -> group1 with X members found
          2. Search request for user with the configured filter {example: (&(sAMAccountName={0})(objectClass=Person))} -> user found

          3. Search request for a user with the group name under DC=ForestDnsZones {Filter is (sAMAccountName=group1)} -> nothing found
          4. Search request for a user with the group name under DC=Configuration {Filter is (sAMAccountName=group1)} -> nothing found
          5. Search request for a user with the group name under DC=Schema,DC=Configuration {Filter is (sAMAccountName=group1)} -> nothing found

           

          Sometimes the AD controller doesn't answer one of the last three requests, which results in the reported bug.

          I do not understand why requests three to five are made by Jenkins after it gets the information that it wants, and why the heck it searches in the DNS forest for a user?

          This makes absolutely no sense and seems to be a bug.


          ben added a comment -

          Are there any updates on this bug? It is causing all of our instances issues.


            fbelzunc Félix Belzunce Arcos
            xed Anatoliy Pavlov