LDAP Plugin with 'Dn inconsistent' message using ActiveDirectory

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: ldap-plugin
    • Labels: None
    • Environment: Jenkins: 2.277.1
      OS: Windows Server 2016 - 10.0
      Tomcat 8.5
      ActiveDirectory
      ---
      ldap:2.4
    • Released As: ldap 2.10.1

      We are using the LDAP plugin to authenticate the users against MS Active Directory.

      If I test the LDAP settings we get this warning message (see also the picture: Dn_inconsistent_example.png):

      Dn inconsistent (login cn=User Xyz,ou=Employees,ou=Example AG,dc=example,dc=com versus lookup CN=User Xyz,OU=Employees,OU=Example AG,DC=example,DC=com)
      

      In your code I saw that you just string-compare both 'inputs'. Is it important for other LDAP backends (like OpenLDAP) to do this check case-sensitively? Are "DC=", "OU=" and so on case-sensitive? I don't know the details here.

      What are the implications for running Jenkins when I get such a message?

          Kader added a comment -

          +1 

          Allan BURDAJEWICZ added a comment -

          Right, it is case sensitive: https://github.com/jenkinsci/ldap-plugin/blob/ldap-2.4/src/main/java/hudson/security/LDAPSecurityRealm.java#L1780-L1786. The case sensitivity might not be required for attribute names. However for values, it might. cc fbelzunc teilo

          James Nord added a comment -

          LDAP attribute names are case insensitive, but the attribute values may or may not be sensitive.

          In other words the "DN=" is the same as "dn=", but "cn=myuser" may or may not be the same as "cn=MyUser" (in the case of Active Directory they are the same).

          The trivial workaround for this is to specify the search in the canonical way that is returned by the server (e.g. if your server returns CN=User Xyz,OU=Employees,OU=Example AG,DC=example,DC=com then make sure your search groups, member lookups etc. all use the same form, i.e. capitals for attribute names).

          The code should not really be looking at the string as a whole, but the individual parts and comparing them with the actual case sensitivity set for the plugin.

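
          Added example to illustrate the part-by-part comparison described in the comment above; this is not the plugin's code, and the function names, the configuration flag and the simplified handling of RFC 4514 escapes are my own assumptions. Attribute types are compared case-insensitively, while value comparison follows the configured sensitivity:

```python
"""Compare LDAP DNs part by part instead of as whole strings (RFC 4514 subset)."""
import re

# Split on separators not preceded by a backslash; RFC 4514 escapes are kept
# verbatim (a doubled backslash right before a separator is not handled here).
_RDN_SEP = re.compile(r"(?<!\\),")
_AVA_SEP = re.compile(r"(?<!\\)\+")


def parse_dn(dn: str) -> list:
    """Return the DN as a list of RDNs, each a sorted list of (type, value) pairs."""
    rdns = []
    for rdn in _RDN_SEP.split(dn):
        avas = []
        for ava in _AVA_SEP.split(rdn):
            if "=" not in ava:
                raise ValueError(f"malformed RDN {ava!r} in {dn!r}")
            attr_type, value = ava.split("=", 1)
            # Attribute names are always case-insensitive, so normalise them here;
            # values are left as-is because their sensitivity is a policy decision.
            avas.append((attr_type.strip().lower(), value.strip()))
        rdns.append(sorted(avas))  # types within an RDN are distinct: order is moot
    return rdns


def dn_equal(login_dn: str, lookup_dn: str, case_sensitive_values: bool) -> bool:
    """True if both DNs name the same entry under the configured value sensitivity."""
    a, b = parse_dn(login_dn), parse_dn(lookup_dn)
    if len(a) != len(b) or any(len(x) != len(y) for x, y in zip(a, b)):
        return False
    for rdn_a, rdn_b in zip(a, b):
        for (type_a, val_a), (type_b, val_b) in zip(rdn_a, rdn_b):
            if type_a != type_b:
                return False
            if not case_sensitive_values:
                val_a, val_b = val_a.lower(), val_b.lower()
            if val_a != val_b:
                return False
    return True


# The two DNs quoted in the issue's warning (login form vs. server lookup).
LOGIN_DN = "cn=User Xyz,ou=Employees,ou=Example AG,dc=example,dc=com"
LOOKUP_DN = "CN=User Xyz,OU=Employees,OU=Example AG,DC=example,DC=com"

if __name__ == "__main__":
    # Only attribute-type case differs, so these match under either setting,
    # while a value-case difference is decided by the flag alone.
    print(dn_equal(LOGIN_DN, LOOKUP_DN, case_sensitive_values=True))   # True
    print(dn_equal("cn=myuser,dc=x", "CN=MyUser,DC=x", case_sensitive_values=True))  # False
```

          With this approach the pair from the warning message compares equal even with case-sensitive values, because only the attribute names differ in case.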
          Klaus added a comment - edited

          Today I installed the new plugin version (v2.5). Now it works (for me), no warning message anymore.
          Thanks for your quick response!

            Assignee: James Nord (teilo)
            Reporter: Klaus (klno)
            Votes: 1
            Watchers: 6
