
Active Directory plugin 2.29 some users cannot login or be displayed

      Since updating to Active Directory plugin 2.29 (see https://plugins.jenkins.io/active-directory/#releases), some users cannot log in anymore and also cannot be displayed anymore in the user view.

      For the user that is broken in the user view, we get a response:
      Status Code: 500
      2022_12_13-broken-user-respone.html

      When trying to log in with this user we get:
      https://our-jenkins/j_spring_security_check
      Status Code: 500
      2022_12_13-broken-user-login-respone.html

      Some other users can log in and be viewed via the user list, while some other ones can be viewed via the list but cannot log in.

      Rolling back to v2.28 fixed the issue.

      While investigating that issue I also noticed that v2.29 was only tagged but never released on GitHub: https://github.com/jenkinsci/active-directory-plugin/releases vs. https://github.com/jenkinsci/active-directory-plugin/tags
      but v2.29 still appears on the Jenkins plugins site: https://plugins.jenkins.io/active-directory/#releases

      Also, it seems that the test pipeline for the tagged v2.29 version never actually ran:
      https://github.com/jenkinsci/active-directory-plugin/commits
      https://github.com/jenkinsci/active-directory-plugin/runs/9848751383
      https://ci.jenkins.io/job/Plugins/job/active-directory-plugin/job/master/108/

          [JENKINS-70270] Active Directory plugin 2.29 some users cannot login or be displayed

          Sebastian Racs added a comment -

          One thing that might be relevant is that we have set
          hudson.plugins.active_directory.referral.ignore=true
          in order not to have it query all the AD referral trees too, which is very slow.
          We then have it print in the log every time somebody logs in:

          JENKINS-42687 Might be more members for user CN=*REMOVED*
          javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name '*REMOVED*'
                  at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3022)
                  at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2996)
                  at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.getNextBatch(AbstractLdapNamingEnumeration.java:148)
                  at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:217)
                  at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.parseMembers(ActiveDirectoryUnixAuthenticationProvider.java:794)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.resolveGroups(ActiveDirectoryUnixAuthenticationProvider.java:660)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.lambda$retrieveUser$0(ActiveDirectoryUnixAuthenticationProvider.java:422)
                  at com.github.benmanes.caffeine.cache.BoundedLocalCache.lambda$doComputeIfAbsent$14(BoundedLocalCache.java:2406)
                  at java.base/java.util.concurrent.ConcurrentHashMap.compute(ConcurrentHashMap.java:1908)
                  at com.github.benmanes.caffeine.cache.BoundedLocalCache.doComputeIfAbsent(BoundedLocalCache.java:2404)
                  at com.github.benmanes.caffeine.cache.BoundedLocalCache.computeIfAbsent(BoundedLocalCache.java:2387)
                  at com.github.benmanes.caffeine.cache.LocalCache.computeIfAbsent(LocalCache.java:108)
                  at com.github.benmanes.caffeine.cache.LocalManualCache.get(LocalManualCache.java:62)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:454)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:297)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:223)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.authenticate(ActiveDirectorySecurityRealm.java:905)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.authenticate2(AbstractPasswordBasedSecurityRealm.java:74)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.doAuthenticate(AbstractPasswordBasedSecurityRealm.java:97)
                  at hudson.security.AbstractPasswordBasedSecurityRealm$Authenticator.retrieveUser(AbstractPasswordBasedSecurityRealm.java:183)
                  at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:133)
                  at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)
                  at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:85)
                  at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
                  at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
                  at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
                  at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
                  at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
                  at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:112)
                  at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:82)
                  at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
                  at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
                  at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
                  at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
                  at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
                  at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
                  at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
                  at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
                  at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
                  at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
                  at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
                  at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
                  at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
                  at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
                  at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
                  at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
                  at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
                  at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
                  at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
                  at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
                  at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:549)
                  at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
                  at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
                  at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571)
                  at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
                  at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1378)
                  at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
                  at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
                  at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1544)
                  at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
                  at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1300)
                  at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
                  at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
                  at org.eclipse.jetty.server.Server.handle(Server.java:562)
                  at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505)
                  at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
                  at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
                  at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
                  at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
                  at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
                  at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
                  at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
                  at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
                  at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
                  at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
                  at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
                  at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
                  at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
                  at java.base/java.lang.Thread.run(Thread.java:829)

          James Nord added a comment - - edited

          one thing that might be relevant is that we have set
          hudson.plugins.active_directory.referral.ignore=true
          in order not to have it query all the AD referral trees too, which is very slow.

          You may find that you are better off not doing that and instead use the global catalog port for AD - it knows everything about everyone and you will not get any referrals.

          https://learn.microsoft.com/en-us/windows/win32/ad/global-catalog
          https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc978012(v=technet.10)?redirectedfrom=MSDN

          GC port is 3268 or 3269 for SSL protected.

          User names and their security groups should always be available in the GC. Their email will usually be available (if not, you could ask your admin to mark it for replication; in most modern setups it will be available, IIRC).

          To do this, just add the port to the end of the domain controller,
          e.g. where you have `dc1.example.com` -> `dc1.example.com:3268` or `dc1.example.com:636` -> `dc1.example.com:3269`

          Please try using the global catalog and report back.


          James Nord added a comment -

          fbelzunc irrespective, we probably should make this a warning only (with a better message) when `referral.ignore=true`. When the user opts in to not following referrals, they have opted into partial results. May be interesting if anyone is using groups for filtering - so maybe run by the security team too.

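          An added example, not part of the original thread or the plugin's code: a log triage script for the point above about partial results and group-based filtering, listing the accounts whose group lookup ended in a PartialResultException and whether that happened during a login or a user lookup. The sample log is constructed; its header layout copies the WARNING line quoted in this thread, and the logger name, timestamps and DNs are assumptions.

```python
import re
from collections import Counter, defaultdict

# Start of a Jenkins log record, following the layout of the WARNING line quoted in this thread.
HEADER = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4} \[id=\d+\]")
# Message text and exception text exactly as they appear in the thread.
MARKER = "JENKINS-42687 Might be more members for user "
REMAINING = re.compile(r"PartialResultException: .*remaining name '([^']*)'")
# Frames taken from the two traces in this thread: which realm method started the lookup.
ENTRY_POINTS = {
    "ActiveDirectorySecurityRealm.authenticate(": "login",
    "ActiveDirectorySecurityRealm.loadUserByUsername(": "lookup",
}

# Constructed sample log (logger name, thread ids, timestamps and DNs are made up).
SAMPLE_LOG = """\
2023-01-23 12:20:01.100+0000 [id=101]       WARNING h.p.a.ActiveDirectoryUnixAuthenticationProvider#parseMembers: JENKINS-42687 Might be more members for user CN=Alice Example,OU=Staff,DC=corp,DC=example,DC=com
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=corp,DC=example,DC=com'
        at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3022)
        at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.parseMembers(ActiveDirectoryUnixAuthenticationProvider.java:794)
        at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.authenticate(ActiveDirectorySecurityRealm.java:905)
2023-01-23 12:25:00.470+0000 [id=102]       WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID 00000000-0000-0000-0000-000000000000
java.lang.StackOverflowError
        at java.base/java.security.AccessController.doPrivileged(Native Method)
2023-01-23 12:31:17.002+0000 [id=103]       WARNING h.p.a.ActiveDirectoryUnixAuthenticationProvider#parseMembers: JENKINS-42687 Might be more members for user CN=Bob Example,OU=Staff,DC=corp,DC=example,DC=com
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=corp,DC=example,DC=com'
        at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.parseMembers(ActiveDirectoryUnixAuthenticationProvider.java:794)
        at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
        at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
2023-01-23 13:02:44.815+0000 [id=104]       WARNING h.p.a.ActiveDirectoryUnixAuthenticationProvider#parseMembers: JENKINS-42687 Might be more members for user CN=Alice Example,OU=Staff,DC=corp,DC=example,DC=com
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=corp,DC=example,DC=com'
        at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.parseMembers(ActiveDirectoryUnixAuthenticationProvider.java:794)
        at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.authenticate(ActiveDirectorySecurityRealm.java:905)
"""


def split_records(text):
    """Group log lines into records: a header line plus its continuation lines."""
    records, current = [], []
    for line in text.splitlines():
        if HEADER.match(line) and current:
            records.append(current)
            current = []
        current.append(line)
    if current:
        records.append(current)
    return records


def parse_partial_result(record):
    """Return (user_dn, entry_point, remaining_name) or None if the record is unrelated."""
    head = record[0]
    if MARKER not in head:
        return None
    user = head.split(MARKER, 1)[1].strip()
    match = REMAINING.search("\n".join(record[1:]))
    if match is None:
        return None  # message without the referral exception attached
    entry = "unknown"
    # Walk the trace from the outermost frame inwards so the real entry point wins.
    for line in reversed(record[1:]):
        label = next((v for k, v in ENTRY_POINTS.items() if k in line), None)
        if label:
            entry = label
            break
    return user, entry, match.group(1)


def audit(text):
    """Count partial-result group lookups per user DN, split by entry point."""
    per_user = defaultdict(Counter)
    for record in split_records(text):
        finding = parse_partial_result(record)
        if finding:
            user, entry, _remaining = finding
            per_user[user][entry] += 1
    return {user: dict(counts) for user, counts in sorted(per_user.items())}


if __name__ == "__main__":
    for user, counts in audit(SAMPLE_LOG).items():
        print(user, counts)
```

          Accounts counted under `login` authenticated while their group list may have been incomplete, which is the case to review where group membership drives authorization.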

          Marian Degel added a comment -

          We experience the same issue on Jenkins 2.346.3 after updating to Active Directory plugin 2.29.

          The error seems to be somewhat redundant, especially regarding the "security listener code" that teilo mentioned (the stack trace is shortened, as it goes on for 1k lines with the same error):

          2023-01-23 12:25:00.470+0000 [id=1553718]       WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID 0d93d340-ba48-4f62-bcc8-19d15da03ca9
          java.lang.StackOverflowError
                  at java.base/java.security.AccessController.doPrivileged(Native Method)
                  at java.naming/com.sun.naming.internal.VersionHelper.getJndiProperties(VersionHelper.java:166)
                  at java.naming/com.sun.naming.internal.ResourceManager.getInitialEnvironment(ResourceManager.java:165)
                  at java.naming/javax.naming.InitialContext.init(InitialContext.java:232)
                  at java.naming/javax.naming.InitialContext.<init>(InitialContext.java:208)
                  at java.naming/javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.createDNSLookupContext(ActiveDirectorySecurityRealm.java:739)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.obtainLDAPServer(ActiveDirectorySecurityRealm.java:748)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.obtainLDAPServers(ActiveDirectoryUnixAuthenticationProvider.java:314)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:302)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:224)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  [...]
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
          

          For the groupLookupStrategy we use RECURSIVE, which shouldn't cause the issue IMHO.

          Strangely enough, the error does not seem to appear on our similarly set up test server, which is running Jenkins 2.361.4 with Active Directory plugin 2.29.


          Félix Belzunce Arcos added a comment - - edited

          I see the problem now. The thing is that each time there is a log-in, ActiveDirectoryUnixAuthenticationProvider.retrieveUser is called, and it triggers SecurityListener.fireAuthenticated. This listener triggers in the user-activity plugin another process in which ActiveDirectoryUnixAuthenticationProvider.retrieveUser is called again, thus the java.lang.StackOverflowError happens over time.

          teilo From my point of view the fix is about changing this line of code https://github.com/jenkinsci/active-directory-plugin/blob/active-directory-2.29/src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java#L225

          SecurityListener.fireAuthenticated(userDetails);
          

          for

          if (authentication != null)
             SecurityListener.fireAuthenticated(userDetails);
          

          so that we only trigger the fireAuthenticated when there is something injecting the password. I think this should avoid this recursive loop. WDYT?


          Marian Degel added a comment -

          fbelzunc: Shouldn't this be causing the same issue for all users and not just some?


          James Nord added a comment -

          Stack overflow is something else, possibly related; however, the original report was not an overflow but a failure to follow a referral, so that the details are not fully populated and that is not handled. Please create a new ticket with logs etc. for the stack overflow.

          degelma Also `org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor` in your stack trace is from a commercial plugin. Please contact your vendor about this - it will get prioritized much better than trying to get help in an OSS Jira tracker.


          James Nord added a comment -

          > the stack overflow looks like something else

          The AD plugin did not populate the email details (or otherwise save them), leading to a call to get the details in the authentication listener - which calls the retrieveUser method, which fires an authentication which....

          The loading of details to retrieve an email is definitely not an authentication event 🙂

          I'm thinking that it should be Jenkins that fires the authentication event(s), not a plugin 🤔
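
The call cycle described in the comments above, and the effect of the proposed `authentication != null` guard, modelled as an added example (not the plugin's code). `Provider`, `AuthListener`, the `password` parameter and the depth limit of 100 are hypothetical stand-ins for the Jenkins classes, the `authentication` argument and the eventual `StackOverflowError`.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the call cycle. Every class and method here is a
// hypothetical stand-in, not the Jenkins or Active Directory plugin API.
public class ReentrantAuthEventDemo {
    interface AuthListener { void authenticated(String username); }
    static class Provider {
        final List<AuthListener> listeners = new ArrayList<>();
        final boolean guardEvent;  // true = fire only when credentials were presented
        int depth = 0, maxDepth = 0, eventsFired = 0;
        Provider(boolean guardEvent) { this.guardEvent = guardEvent; }
        // password == null models a plain details lookup with no login in progress
        String retrieveUser(String username, String password) {
            depth++;
            maxDepth = Math.max(maxDepth, depth);
            try {
                if (depth > 100) {  // stand-in for the eventual StackOverflowError
                    throw new IllegalStateException("unbounded recursion in retrieveUser");
                }
                if (!guardEvent || password != null) {
                    eventsFired++;
                    for (AuthListener l : listeners) l.authenticated(username);
                }
                return "details-of-" + username;
            } finally {
                depth--;
            }
        }
    }

    static int run(boolean guardEvent) {
        Provider p = new Provider(guardEvent);
        // Auditing listener that needs user details (e.g. an email) and looks them up again
        p.listeners.add(user -> p.retrieveUser(user, null));
        try {
            p.retrieveUser("alice", "constructed-password");
        } catch (IllegalStateException e) {
            System.out.println("aborted: " + e.getMessage());
        }
        System.out.println("guard=" + guardEvent + " maxDepth=" + p.maxDepth + " events=" + p.eventsFired);
        return p.maxDepth;
    }

    public static void main(String[] args) {
        run(false);  // every lookup fires the event again until the depth limit trips
        run(true);   // the login fires one event; the nested lookup fires none
    }
}
```

With the guard, the nested lookup still happens once per login, but it no longer counts as an authentication event, so the audit trail records one event per real login.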


          Félix Belzunce Arcos added a comment - - edited

          The java.lang.StackOverflowError is being addressed in https://issues.jenkins.io/browse/JENKINS-70492 / https://github.com/jenkinsci/active-directory-plugin/pull/162

          and it was already released in version 2.30


          James Nord added a comment -

          fbelzunc it may well be that the referral code when the property is set is incorrect.

          https://github.com/jenkinsci/active-directory-plugin/blob/2df43d8ca862c1abc2a87493c8e75297de6c016f/src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java#L792-L808 With the current approach, as soon as you hit a referral that is it - however, we only want to skip the processing for referrals, not anything else.

          For the correct approach see https://docs.oracle.com/javase/jndi/tutorial/ldap/referral/throw.html which allows the code to throw a specific exception yet allows callers to continue processing the enumeration.

          Still not entirely clear why this prevents some users from logging in, perhaps they are missing some groups that would be enumerated later - really need an exception that correlates to the login failure (see the logging id in the UI to correlate)


            fbelzunc Félix Belzunce Arcos
            sebracs Sebastian Racs