Jenkins / JENKINS-65806

LDAP plugin has wrong 'administratively disabled' logic for Oracle Internet Directory (OID)

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component: ldap-plugin

      LDAP Plugin 2.7 has incorrect logic for Oracle Internet Directory (OID) when checking if a user is administratively disabled or not. This is preventing user login for some of our users, and does not adhere to some of the Oracle published documentation.

      I don't recall this being an issue in the past – perhaps this logic has changed recently? Not sure.

      Typical exception is:

      com.google.common.util.concurrent.UncheckedExecutionException: org.springframework.security.authentication.DisabledException: The user "john.smith" is administratively disabled.
              at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2234)
              at com.google.common.cache.LocalCache.get(LocalCache.java:3965)
              at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4764)
              at jenkins.security.UserDetailsCache.loadUserByUsername(UserDetailsCache.java:122)
              at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1241)
              at hudson.model.User$CanonicalIdResolver.resolve(User.java:1182)
              at hudson.model.User.get(User.java:516)
              at hudson.model.User.getOrCreateByIdOrFullName(User.java:579)
              at hudson.model.User.get(User.java:560)
              at hudson.security.LDAPSecurityRealm.updateUserDetails(LDAPSecurityRealm.java:779)
              at hudson.security.LDAPSecurityRealm.updateUserDetails(LDAPSecurityRealm.java:773)
              at hudson.security.LDAPSecurityRealm.updateUserDetails(LDAPSecurityRealm.java:767)
              at hudson.security.LDAPSecurityRealm$LDAPAuthenticationManager.authenticate(LDAPSecurityRealm.java:995)
              at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:85)
              at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:222)
              at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110)
              at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
              at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:62)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97)
              at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:109)
              at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:168)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
              at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:51)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
              at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
              at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
              at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:36)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:607)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
              at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
              at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
              at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
              at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:770)
              at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415)
              at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
              at java.lang.Thread.run(Thread.java:745)
      Caused by: org.springframework.security.authentication.DisabledException: The user "john.smith" is administratively disabled.
              at hudson.security.UserAttributesHelper.checkIfUserEnabled(UserAttributesHelper.java:118)
              at hudson.security.LDAPSecurityRealm$LDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1315)
              at hudson.security.LDAPSecurityRealm$DelegateLDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1228)
              at hudson.security.LDAPSecurityRealm.loadUserByUsername2(LDAPSecurityRealm.java:763)
              at jenkins.security.UserDetailsCache$Retriever.call(UserDetailsCache.java:165)
              at jenkins.security.UserDetailsCache$Retriever.call(UserDetailsCache.java:154)
              at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4767)
              at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3568)
              at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2350)
              at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2313)
              at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2228)
              ... 55 more

      The logic (from hudson.security.UserAttributesHelper, checkIfUserEnabled method) in LDAP v2.7 is:

      // Oracle attributes (they were documented on the wiki at least)
      String oracleIsEnabled = getStringAttribute(attributes, ATTR_ORACLE_IS_ENABLED);
      if (oracleIsEnabled != null && !oracleIsEnabled.equalsIgnoreCase("enabled")) {
          throw new DisabledException(Messages.UserDetails_Disabled(username));
      }

      In other words, only users with a null or 'enabled' (ignoring case) orclisenabled value are allowed to log in. All other users are administratively disabled, and login is blocked.

      The 'orclisenabled' OID LDAP attribute is described in several places on the web, and there is some ambiguity regarding which values indicate enabled.  However, it is very clear that the value 'disabled' (ignoring case) always means disabled.  This OID 11.1.1 page at https://docs.oracle.com/cd/E15586_01/oid.1111/e10029/oid_susers.htm in particular, has the following text:

      >>>

      12.2.1 Enabling and Disabling Accounts by Using Command-Line Tools

      You can temporarily disable a user's account, then enable it again, by using command-line tools.

      To permanently disable the account, set the orclisenabled attribute to DISABLED. Setting this attribute to any other value enables the account.

      >>>

      In our OID server, the orclisenabled attribute value is 'True' for users who are allowed to log in, and so the existing logic did not work properly, and blocked valid users from logging in.

      Please tweak the LDAP OID logic to allow users with orclisenabled=null or orclisenabled != 'disabled' (ignoring case) to log in. That logic aligns with the OID 11.1.1 page above, and would resolve this issue for our users.
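To make the difference between the two checks concrete, here is a small added comparison in Java. It is not the plugin's source and not part of the issue report: the two predicates mirror the comparison quoted from checkIfUserEnabled in 2.7 and the comparison the reporter proposes, and the sample attribute values (including the 'True' the reporter's OID returns) are constructed for the demonstration. Attribute lookup and the DisabledException path are left out; only the string comparison is modelled.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical demonstration of the orclisenabled check, not the LDAP
 * plugin's own code. Compares the 2.7 behaviour quoted in the issue with
 * the behaviour the issue asks for, over a constructed set of values.
 */
public class OrclIsEnabledCheck {

    /** The check as quoted from UserAttributesHelper.checkIfUserEnabled in 2.7:
     *  an absent attribute or "enabled" (case-insensitive) passes; any other
     *  value is treated as administratively disabled. */
    static boolean allowedByCurrentLogic(String orclIsEnabled) {
        return orclIsEnabled == null || orclIsEnabled.equalsIgnoreCase("enabled");
    }

    /** The check the issue asks for, following the OID 11.1.1 documentation:
     *  an absent attribute or anything other than "disabled" (case-insensitive)
     *  passes; only "disabled" blocks the user. */
    static boolean allowedByProposedLogic(String orclIsEnabled) {
        return orclIsEnabled == null || !orclIsEnabled.equalsIgnoreCase("disabled");
    }

    public static void main(String[] args) {
        // Constructed sample values. "True" is what the reporter's OID returns
        // for users who should be able to log in; null models an absent attribute.
        List<String> samples = Arrays.asList(
                null, "enabled", "ENABLED", "True", "true", "disabled", "DISABLED", "");

        System.out.printf("%-14s %-8s %-8s%n", "orclisenabled", "2.7", "proposed");
        for (String value : samples) {
            String shown = (value == null) ? "(absent)" : "\"" + value + "\"";
            System.out.printf("%-14s %-8b %-8b%n",
                    shown, allowedByCurrentLogic(value), allowedByProposedLogic(value));
        }
    }
}
```

Running it shows that "True" is rejected by the 2.7 check and accepted by the proposed one, while "disabled"/"DISABLED" are rejected by both. One point worth noting when reviewing the requested change: the 2.7 check fails closed for any value it does not recognise, whereas the proposed check fails open for every value except "disabled", which is what the Oracle page quoted above specifies but is a deliberate loosening rather than a pure bug fix.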

            Assignee: Unassigned
            Reporter: Steve Roth (sroth)
            Votes: 1
            Watchers: 3