Type: Bug
Resolution: Fixed
Priority: Major
None
Fix Version: 724.v5eb_2e3cdb_04c
LDAP Plugin 2.7 has incorrect logic for Oracle Internet Directory (OID) when checking whether a user is administratively disabled or not. This is preventing login for some of our users, and does not adhere to some of the Oracle-published documentation.
I don't recall this being an issue in the past; perhaps this logic has changed recently? Not sure.
Typical exception is:
com.google.common.util.concurrent.UncheckedExecutionException: org.springframework.security.authentication.DisabledException: The user "john.smith" is administratively disabled.
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2234)
at com.google.common.cache.LocalCache.get(LocalCache.java:3965)
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4764)
at jenkins.security.UserDetailsCache.loadUserByUsername(UserDetailsCache.java:122)
at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1241)
at hudson.model.User$CanonicalIdResolver.resolve(User.java:1182)
at hudson.model.User.get(User.java:516)
at hudson.model.User.getOrCreateByIdOrFullName(User.java:579)
at hudson.model.User.get(User.java:560)
at hudson.security.LDAPSecurityRealm.updateUserDetails(LDAPSecurityRealm.java:779)
at hudson.security.LDAPSecurityRealm.updateUserDetails(LDAPSecurityRealm.java:773)
at hudson.security.LDAPSecurityRealm.updateUserDetails(LDAPSecurityRealm.java:767)
at hudson.security.LDAPSecurityRealm$LDAPAuthenticationManager.authenticate(LDAPSecurityRealm.java:995)
at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:85)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:222)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:62)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:109)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:168)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:36)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:607)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:770)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.springframework.security.authentication.DisabledException: The user "john.smith" is administratively disabled.
at hudson.security.UserAttributesHelper.checkIfUserEnabled(UserAttributesHelper.java:118)
at hudson.security.LDAPSecurityRealm$LDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1315)
at hudson.security.LDAPSecurityRealm$DelegateLDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1228)
at hudson.security.LDAPSecurityRealm.loadUserByUsername2(LDAPSecurityRealm.java:763)
at jenkins.security.UserDetailsCache$Retriever.call(UserDetailsCache.java:165)
at jenkins.security.UserDetailsCache$Retriever.call(UserDetailsCache.java:154)
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4767)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3568)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2350)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2313)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2228)
... 55 more
The logic (from hudson.security.UserAttributesHelper, checkIfUserEnabled method) in LDAP v2.7 is:
// Oracle attributes (they were documented on the wiki at least)
String oracleIsEnabled = getStringAttribute(attributes, ATTR_ORACLE_IS_ENABLED);
if (oracleIsEnabled != null && !oracleIsEnabled.equalsIgnoreCase("enabled")) {
    // body not quoted in the report; per the stack trace above this is where
    // DisabledException("The user \"...\" is administratively disabled.") is thrown
}
In other words, only users with a null or 'enabled' (ignoring case) orclisenabled value are allowed to log in. All other users are treated as administratively disabled, and login is blocked.
The 'orclisenabled' OID LDAP attribute is described in several places on the web, and there is some ambiguity regarding which values indicate enabled. However, it is very clear that the value 'disabled' (ignoring case) always means disabled. This OID 11.1.1 page at https://docs.oracle.com/cd/E15586_01/oid.1111/e10029/oid_susers.htm in particular, has the following text:
>>>
12.2.1 Enabling and Disabling Accounts by Using Command-Line Tools
You can temporarily disable a user's account, then enable it again, by using command-line tools.
To permanently disable the account, set the orclisenabled attribute to DISABLED. Setting this attribute to any other value enables the account.
>>>
In our OID server, the orclisenabled attribute value is 'True' for users who are allowed to log in, so the existing logic did not work properly and blocked valid users from logging in.
Please tweak the LDAP OID logic to allow users with orclisenabled=null or orclisenabled != 'disabled' (ignoring case) to log in. That logic aligns with the OID 11.1.1 page above, and would resolve this issue for our users.
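The following is an added example, not part of the issue report or of the ldap plugin's own code. It is an administrator-side check: dump uid and orclisenabled for your OID users with ldapsearch, then replay both rules over the LDIF, the one LDAP plugin 2.7 applies (absent or 'enabled' passes) and the one the OID 11.1.1 documentation describes (only 'DISABLED' disables), to list the accounts that 2.7 would refuse even though OID considers them enabled. The ldapsearch host, bind DN and base DN in the docstring are placeholders, the LDIF is constructed, and the function names are hypothetical.

```python
"""Replay the orclisenabled checks over an LDIF dump of OID users.

Intended use (placeholders for host, bind DN and base DN):
    ldapsearch -x -LLL -H ldap://oid.example.com:3060 -D "cn=orcladmin" -W \
        -b "cn=Users,dc=example,dc=com" "(objectClass=person)" uid orclisenabled \
        | python3 orcl_check.py
Without piped input the constructed sample below is used.
"""
import base64
import sys

ATTR_ORACLE_IS_ENABLED = "orclisenabled"

# Constructed sample: one user with the value the reporter sees ('True'),
# one with 'ENABLED', one explicitly 'DISABLED', and one without the attribute.
SAMPLE_LDIF = """\
dn: cn=john.smith,cn=Users,dc=example,dc=com
uid: john.smith
orclisenabled: True

dn: cn=jane.doe,cn=Users,dc=example,dc=com
uid: jane.doe
orclisenabled: ENABLED

dn: cn=old.account,cn=Users,dc=example,dc=com
uid: old.account
orclisenabled: DISABLED

dn: cn=no.flag,cn=Users,dc=example,dc=com
uid: no.flag
"""


def unfold(lines):
    """Join RFC 2849 folded lines (a leading space continues the previous line)."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Minimal LDIF reader: one dict (lower-cased attribute -> value) per entry.

    Handles 'attr:: <base64>' values and comment lines. Later values of a
    repeated attribute overwrite earlier ones, which is fine here because
    orclisenabled and uid are single-valued for this check.
    """
    entries, current = [], {}
    for line in unfold(text.splitlines()) + [""]:
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current[key.strip().lower()] = value
    return entries


def enabled_plugin_2_7(value):
    """LDAP plugin 2.7 rule: only an absent attribute or 'enabled' (any case) passes."""
    return value is None or value.lower() == "enabled"


def enabled_per_oid_docs(value):
    """OID 11.1.1 documented rule: only the value DISABLED (any case) disables the account."""
    return value is None or value.lower() != "disabled"


def wrongly_blocked(entries):
    """uids that OID treats as enabled but plugin 2.7 would refuse to log in."""
    hits = []
    for entry in entries:
        value = entry.get(ATTR_ORACLE_IS_ENABLED)
        if enabled_per_oid_docs(value) and not enabled_plugin_2_7(value):
            hits.append(entry.get("uid", entry.get("dn", "<no uid>")))
    return hits


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for uid in wrongly_blocked(parse_ldif(text)):
        print(f"{uid}: enabled per OID docs, but LDAP plugin 2.7 would refuse login")
```

The script only replays the orclisenabled rule; any other account-status attributes the plugin evaluates (the linked issue concerns locked accounts) are outside its scope. Note that the documented OID rule is deliberately fail-open for unexpected values, so a directory that stores something other than ENABLED/DISABLED, such as the 'True' seen by the reporter, still yields an enabled account under it.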
Is caused by: JENKINS-55813 Improve AD/LDAP attribute analysis for locked accounts (Resolved)