-
Bug
-
Resolution: Duplicate
-
Critical
-
None
-
Jenkins 2.368
Active Directory plugin 2.26
-
-
2.27
Our Jenkins server was very out of date. I don't remember the previous version but after updating to 2.368 which seems to require Java 17 (server won't start with Java 11.0.2) the Active Directory plugin fails with (Active Directory plugin was updated to latest):
2022-09-15 21:01:00.271+0000 [id=493163] WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID f5d3268f-6af3-40c4-bcbd-08bea4c7838acom4j.ComException: 8007203a The server is not operational. : The server is not operational. : .\invoke.cpp:517at com4j.Native.invoke(Native Method)at com4j.StandardComMethod.invoke(StandardComMethod.java:35)at com4j.Wrapper$InvocationThunk.call(Wrapper.java:356)at com4j.Task.invoke(Task.java:50)at com4j.ComThread.run0(ComThread.java:172)at com4j.ComThread.run(ComThread.java:153)Caused: com4j.ComException: 8007203a The server is not operational. : The server is not operational. : .\invoke.cpp:517at com4j.Wrapper.invoke(Wrapper.java:187)at jdk.proxy8/jdk.proxy8.$Proxy55.openDSObject(Unknown Source)at hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.<init>(ActiveDirectoryAuthenticationProvider.java:150)at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.createAuthenticationProvider(ActiveDirectorySecurityRealm.java:890)at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.getAuthenticationProvider(ActiveDirectorySecurityRealm.java:882)at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:899)at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)at jenkins.security.UserDetailsCache$Retriever.call(UserDetailsCache.java:170)at jenkins.security.UserDetailsCache$Retriever.call(UserDetailsCache.java:159)at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4868)at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3533)at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2282)at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2159)at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2049)Caused: com.google.common.util.concurrent.UncheckedExecutionException
The Jenkins UI for Configuring global security contains the attached image at the bottom of the page.
It seems this plugin still requires Java 8 and won't work with newer versions which is a issue since Jenkins needs Java 17 or that is as much as I can determine why it would have stopped working.
- duplicates
-
-
- Closed
-
[JENKINS-69639] Active Directory plugin crashes with Jenkins 2.368 and Java 17
I saw this issue with OpenLiberty, the fix for that container is https://github.com/OpenLiberty/open-liberty/commit/a763b20e8a5b85f2458a460fec3794844d8b99f0
Jenkins does not require Java 17. Jenkins 2.357 and later require Java 11 and also support Java 17. See the 2.357 changelog and the 2.361.1 changelog.
If it was failing with Java 11.0.2 that might be expected because the current Java release is 11.0.16.1. Try the most recent Java 11 patch version.
Øystein Walle
added a comment - Using Java 11 fixes this issue for me. I had misunderstood the Jenkins docs; I thought 17 was the recommended version. But I'm not OP.
Øystein Walle
added a comment - Using Java 11 fixes this issue for me. I had misunderstood the Jenkins docs; I thought 17 was the recommended version. But I'm not OP. Thanks for your comments markewaite. The server will start with Java 11.0.16.1 but I still end up with the same stack trace for the Active Directory plugin. Is there a specific build of Java 11 I should try. I tried with Microsoft's openJDK.
FWIW, the blog posts mentioned as well as Jenkins' own docs say that openJDK 11 versions are supported. So I grabbed the GA the last GA release 11.0.2 which prevents the server from starting. Might be worth clarifying only supporting latest versions of each JDK/JRE.
Brandon Walter
added a comment - - edited Thanks for your comments markewaite . The server will start with Java 11.0.16.1 but I still end up with the same stack trace for the Active Directory plugin. Is there a specific build of Java 11 I should try. I tried with Microsoft's openJDK.
FWIW, the blog posts mentioned as well as Jenkins' own docs say that openJDK 11 versions are supported. So I grabbed the GA the last GA release 11.0.2 which prevents the server from starting. Might be worth clarifying only supporting latest versions of each JDK/JRE. If the failure you're seeing is when you press the "Test connection", then that is a known issue.
I just tried the Adoptium (Temurin build) and still same issue as reported. Are there any additional steps that need to be checked around that plugin? Again, it worked fine until after upgrading Jenkins. I will try to uninstall the plugin and reinstall.
markewaite no. That is the error when the server starts and the Configure Global Security page contains the Jenkins 'Oops' image at the bottom. If I try to add a matrix based authentication, it just throws more stack traces.
Brandon Walter
added a comment - - edited I just tried the Adoptium (Temurin build) and still same issue as reported. Are there any additional steps that need to be checked around that plugin? Again, it worked fine until after upgrading Jenkins. I will try to uninstall the plugin and reinstall.
markewaite no. That is the error when the server starts and the Configure Global Security page contains the Jenkins 'Oops' image at the bottom. If I try to add a matrix based authentication, it just throws more stack traces. Unfortunately, I don't have any other suggestions to offer beyond trying older versions of the plugin to see if they behave better. Java 11.0.16.1 is a good choice, no matter which vendor you choose. We use Adoptium, but I've not heard of any issues from any of the other JDK providers.
Brandon Walter
added a comment - I had a chance to uninstall and reinstall the plugin. I did have to remove the plugin entry from the config.xml for the server to start after uninstalling to reinstall the plugin. The errors have gone away and it is working as expected.
Brandon Walter
added a comment - I had a chance to uninstall and reinstall the plugin. I did have to remove the plugin entry from the config.xml for the server to start after uninstalling to reinstall the plugin. The errors have gone away and it is working as expected. 
Basil Crow
added a comment - Recent Jenkins LTS and weekly releases require Java 11 or newer and fully support both Java 11 and Java 17. Active Directory 2.26 and earlier failed on Java 17 with IllegalAccessError: "module java.naming does not export com.sun.jndi.ldap to unnamed module", tracked in JENKINS-68947 (which this ticket duplicates), fixed in jenkinsci/active-directory-plugin#133, and released in Active Directory 2.27. If you continue to encounter issues, please open a new ticket with steps to reproduce the problem from scratch as well as details about your Java version and Active Directory server.
Basil Crow
added a comment - Recent Jenkins LTS and weekly releases require Java 11 or newer and fully support both Java 11 and Java 17. Active Directory 2.26 and earlier failed on Java 17 with IllegalAccessError : "module java.naming does not export com.sun.jndi.ldap to unnamed module ", tracked in JENKINS-68947 (which this ticket duplicates), fixed in jenkinsci/active-directory-plugin#133 , and released in Active Directory 2.27 . If you continue to encounter issues, please open a new ticket with steps to reproduce the problem from scratch as well as details about your Java version and Active Directory server. 
I have a similar issue that I suspect is highly related. Both 2.346.1 and 2.361.1 starts just fine using Adoptium Java 17, but as soon as I try to log in jenkins.err.out shows:
2022-09-21 06:47:43.161+0000 [id=47] WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID 41d1c431-5f7e-4ca1-91bc-35211f0d56cf
java.lang.IllegalAccessError: class hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl (in unnamed module @0x7d887115) cannot access class com.sun.jndi.ldap.LdapCtxFactory (in module java.naming) because module java.naming does not export com.sun.jndi.ldap to unnamed module @0x7d887115
at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:670)
at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:601)
at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:566)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.lambda$retrieveUser$0(ActiveDirectoryUnixAuthenticationProvider.java:354)
at com.github.benmanes.caffeine.cache.BoundedLocalCache.lambda$doComputeIfAbsent$14(BoundedLocalCache.java:2406)
(...)