Type: Bug
Resolution: Unresolved
Priority: Critical
Since updating to Active Directory plugin 2.29 (see https://plugins.jenkins.io/active-directory/#releases), some users cannot log in anymore and also can no longer be displayed in the user view.
For a user that is broken in the user view, we get the response:
Status Code: 500
(attachment: 2022_12_13-broken-user-respone.html)
When trying to log in with this user we get:
https://our-jenkins/j_spring_security_check
Status Code: 500
(attachment: 2022_12_13-broken-user-login-respone.html)
Some users can log in and be viewed via the user list, while others can be viewed via the list but cannot log in.
Rolling back to v2.28 fixed the issue.
While investigating this issue I also noticed that v2.29 was only tagged but never released on GitHub: https://github.com/jenkinsci/active-directory-plugin/releases vs. https://github.com/jenkinsci/active-directory-plugin/tags
but v2.29 still appears on the Jenkins plugins site: https://plugins.jenkins.io/active-directory/#releases
Also, it seems that the test pipeline for the tagged v2.29 version never actually ran:
https://github.com/jenkinsci/active-directory-plugin/commits
https://github.com/jenkinsci/active-directory-plugin/runs/9848751383
https://ci.jenkins.io/job/Plugins/job/active-directory-plugin/job/master/108/
[JENKINS-70270] Active Directory plugin 2.29 some users cannot login or be displayed
One thing that might be relevant is that we have set
hudson.plugins.active_directory.referral.ignore=true
in order not to have it query all the AD referral trees too, which is very slow.
You may find that you are better off not doing that and instead using the global catalog port for AD - it knows everything about everyone and you will not get any referrals.
https://learn.microsoft.com/en-us/windows/win32/ad/global-catalog
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc978012(v=technet.10)?redirectedfrom=MSDN
The GC port is 3268, or 3269 for SSL-protected connections.
User names and their security groups should always be available in the GC. Their email will usually be available (if not, you could ask your admin to mark it for replication; in most modern setups it will be available IIRC).
To do this just add the port to the end of the domain controller,
e.g. where you have `dc1.example.com` -> `dc1.example.com:3268` or `dc1.example.com:636` -> `dc1.example.com:3269`.
Please try using the global catalog and report back.
fbelzunc irrespective, we probably should make this a warning only (with a better message) when `referral.ignore=true`. When the user opts in to not following referrals they have opted into partial results. May be interesting if anyone is using groups for filtering - so maybe run by the security team too.
We experience the same issue on Jenkins 2.346.3 after updating to Active Directory plugin 2.29.
The error seems to be somewhat redundant, especially regarding the "security listener code" that teilo mentioned (the stack trace is shortened, as it goes on for 1k lines with the same error):
2023-01-23 12:25:00.470+0000 [id=1553718] WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID 0d93d340-ba48-4f62-bcc8-19d15da03ca9
java.lang.StackOverflowError
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.naming/com.sun.naming.internal.VersionHelper.getJndiProperties(VersionHelper.java:166)
	at java.naming/com.sun.naming.internal.ResourceManager.getInitialEnvironment(ResourceManager.java:165)
	at java.naming/javax.naming.InitialContext.init(InitialContext.java:232)
	at java.naming/javax.naming.InitialContext.<init>(InitialContext.java:208)
	at java.naming/javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.createDNSLookupContext(ActiveDirectorySecurityRealm.java:739)
	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.obtainLDAPServer(ActiveDirectorySecurityRealm.java:748)
	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.obtainLDAPServers(ActiveDirectoryUnixAuthenticationProvider.java:314)
	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:302)
	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:224)
	at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
	at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
	at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
	at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
	at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
	at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
	at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
	at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
	at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
	at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
	at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
	at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
	at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
	at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
	at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
	at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
	[... the same 14 frames (findMailAddressFor ... ImpersonatingUserDetailsService2.loadUserByUsername ... lambda$fromSpring$0) repeat ...]
	at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
	at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
	at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
	at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
	at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
	at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
	at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
	at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
	at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
	at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
For the groupLookupStrategy we use RECURSIVE, which shouldn't cause the issue IMHO.
Strangely enough the error does not seem to appear on our similarly set up test server, which is running Jenkins 2.361.4 with Active Directory plugin 2.29.
I see the problem now. The thing is that each time there is a log-in, ActiveDirectoryUnixAuthenticationProvider.retrieveUser is called, and it triggers SecurityListener.fireAuthenticated. This listener triggers in the user-activity plugin another process in which ActiveDirectoryUnixAuthenticationProvider.retrieveUser is called again, thus the java.lang.StackOverflowError happens over time.
teilo From my point of view the fix is about changing this line of code https://github.com/jenkinsci/active-directory-plugin/blob/active-directory-2.29/src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java#L225
SecurityListener.fireAuthenticated(userDetails);
to
if (authentication != null) SecurityListener.fireAuthenticated(userDetails);
so that we only trigger fireAuthenticated when there is something injecting the password. I think this should avoid this recursive loop. WDYT?
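The re-entrancy described in this comment, modelled as a small stand-alone Java program. This is an added example, not code from the active-directory plugin or the user-activity plugin: `AuthProvider`, `AuthListener`, the string "user details" and the depth cutoff of 50 are simplified stand-ins I chose to mirror the shape of the stack trace above (retrieveUser fires the listener, the listener resolves a mail address through loadUserByUsername, which re-enters retrieveUser). The `guardWithAuthentication` flag switches between the unguarded behaviour and the `authentication != null` guard proposed here.

```java
import java.util.ArrayList;
import java.util.List;

public class ReentrantAuthEventDemo {

    /** Simplified stand-in for jenkins.security.SecurityListener. */
    interface AuthListener {
        void authenticated(String username);
    }

    /** Simplified stand-in for the AD authentication provider (hypothetical class). */
    static class AuthProvider {
        private final List<AuthListener> listeners = new ArrayList<>();
        private final boolean guardWithAuthentication;
        int depth = 0;     // current nesting depth of retrieveUser
        int maxDepth = 0;  // deepest nesting observed during one login

        AuthProvider(boolean guardWithAuthentication) {
            this.guardWithAuthentication = guardWithAuthentication;
        }

        void addListener(AuthListener listener) {
            listeners.add(listener);
        }

        /**
         * Mirrors retrieveUser(username, authentication): 'authentication' carries the
         * password for a real login and is null when Jenkins only needs user details.
         */
        String retrieveUser(String username, Object authentication) {
            depth++;
            maxDepth = Math.max(maxDepth, depth);
            try {
                if (depth > 50) {
                    // Stand-in for the JVM's StackOverflowError so the demo terminates.
                    throw new IllegalStateException("retrieveUser re-entered " + depth + " times");
                }
                String userDetails = "details-for-" + username;  // pretend LDAP lookup
                // Proposed fix: only a password-bearing login is an authentication event.
                if (!guardWithAuthentication || authentication != null) {
                    for (AuthListener listener : listeners) {
                        listener.authenticated(username);
                    }
                }
                return userDetails;
            } finally {
                depth--;
            }
        }

        /** Mirrors loadUserByUsername: a detail lookup with no password involved. */
        String loadUserByUsername(String username) {
            return retrieveUser(username, null);
        }
    }

    /**
     * Runs one login through a provider whose listener looks the user up again
     * (as a mail-address resolver would). Returns the deepest nesting reached,
     * or -1 when the unbounded recursion had to be cut off.
     */
    static int simulateLogin(boolean guarded) {
        AuthProvider provider = new AuthProvider(guarded);
        provider.addListener(username -> provider.loadUserByUsername(username));
        try {
            provider.retrieveUser("alice", "password-token");  // a real login
            return provider.maxDepth;
        } catch (IllegalStateException overflow) {
            return -1;
        }
    }

    public static void main(String[] args) {
        System.out.println("unguarded: " + simulateLogin(false));  // -1: runaway recursion
        System.out.println("guarded:   " + simulateLogin(true));   // 2: login plus one detail lookup
    }
}
```

With the guard, the nested loadUserByUsername call still runs (the listener gets its mail address) but no longer fires a second authentication event, so the nesting stops at depth 2; without it the listener and the provider call each other until the depth cutoff stands in for the StackOverflowError.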
fbelzunc: Shouldn't this be causing the same issue for all users and not just some?
Stack overflow is something else, possibly related; however, the original report was not an overflow but a failure to follow a referral, so that the details are not fully populated and that is not handled. Please create a new ticket with logs etc. for the stack overflow.
degelma Also `org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor` in your stack trace is from a commercial plugin. Please contact your vendor about this - it will get prioritized much better than trying to get help in an OSS jira tracker.
> the stack overflow looks like something else
the AD plugin did not populate the email details (or otherwise save them), leading to a call to get the details in the authentication listener - which calls the retrieveUser method, which fires an authentication, which....
the loading of details to retrieve an email is definitely not an authentication event 🙂
I'm thinking that it should be Jenkins that fires the authentication event(s) not a plugin🤔
The java.lang.StackOverflowError is being addressed in https://issues.jenkins.io/browse/JENKINS-70492 / https://github.com/jenkinsci/active-directory-plugin/pull/162
and it was already released in version 2.30.
fbelzunc it may well be that the referral code when the property is set is incorrect.
https://github.com/jenkinsci/active-directory-plugin/blob/2df43d8ca862c1abc2a87493c8e75297de6c016f/src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java#L792-L808 with the current approach as soon as you hit a referral that is it - however we only want to skip the processing for referrals, not anything else.
For the correct approach see https://docs.oracle.com/javase/jndi/tutorial/ldap/referral/throw.html which allows the code to throw a specific exception yet allows callers to continue processing the enumeration.
Still not entirely clear why this prevents some users from logging in; perhaps they are missing some groups that would be enumerated later - really need an exception that correlates to the login failure (see the logging id in the UI to correlate).
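The pattern teilo points at, as an added stand-alone example (not the plugin's code): the context is created with java.naming.referral set to "throw", so a continuation reference surfaces as a ReferralException instead of the PartialResultException that "ignore" produces. Each referral is then dropped with skipReferral() and the same search is re-issued on the context returned by getReferralContext(), which the JNDI API documents as the context at which to continue the operation; entries the server itself holds have already been collected before the exception is raised, so a referral no longer abandons the whole enumeration. The LDAP URL, base DN, filter and bind credentials are placeholder parameters, and I have not run this against a live AD, so treat the continuation behaviour as documented rather than verified here.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.ReferralException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class SkipReferralsSearch {

    /**
     * Collects the DNs of all entries the server holds for the given filter.
     * Referrals to other naming contexts are skipped one at a time; the search
     * keeps going instead of stopping at the first continuation reference.
     * All parameters are placeholders supplied by the caller.
     */
    static List<String> searchSkippingReferrals(String ldapUrl, String baseDn, String filter,
                                                String bindDn, String bindPassword)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        // "throw" instead of "ignore": referrals become ReferralException, which the
        // caller can skip selectively, rather than a PartialResultException that ends
        // the enumeration.
        env.put(Context.REFERRAL, "throw");

        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"memberOf"});

        List<String> dns = new ArrayList<>();
        DirContext initial = new InitialDirContext(env);
        DirContext ctx = initial;
        try {
            while (true) {
                try {
                    NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, controls);
                    while (results.hasMore()) {            // throws ReferralException at a referral
                        dns.add(results.next().getNameInNamespace());
                    }
                    break;                                  // enumeration fully consumed
                } catch (ReferralException e) {
                    // Discard this referral. If none are pending, we are done; otherwise
                    // continue the operation on the context the exception provides.
                    if (!e.skipReferral()) {
                        break;
                    }
                    ctx = (DirContext) e.getReferralContext();
                }
            }
        } finally {
            if (ctx != initial) {
                ctx.close();
            }
            initial.close();
        }
        return dns;
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder values; replace with a real domain controller and bind account.
        List<String> dns = searchSkippingReferrals(
                "ldap://dc1.example.com:389", "DC=example,DC=com",
                "(&(objectClass=user)(sAMAccountName=alice))",
                "CN=svc-jenkins,OU=Service Accounts,DC=example,DC=com", "placeholder-password");
        dns.forEach(System.out::println);
    }
}
```

The contrast with the plugin's current path is the catch block: a referral is treated as one skippable event in the enumeration, not as the end of it, and any other NamingException still propagates to the caller rather than being swallowed into a partial result.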
One thing that might be relevant is that we have set
hudson.plugins.active_directory.referral.ignore=true
in order not to have it query all the AD referral trees too, which is very slow.
We then have it print in the log every time somebody logs in:
JENKINS-42687 Might be more members for user CN=*REMOVED*
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name '*REMOVED*'
	at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3022)
	at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2996)
	at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.getNextBatch(AbstractLdapNamingEnumeration.java:148)
	at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:217)
	at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.parseMembers(ActiveDirectoryUnixAuthenticationProvider.java:794)
	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.resolveGroups(ActiveDirectoryUnixAuthenticationProvider.java:660)
	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.lambda$retrieveUser$0(ActiveDirectoryUnixAuthenticationProvider.java:422)
	at com.github.benmanes.caffeine.cache.BoundedLocalCache.lambda$doComputeIfAbsent$14(BoundedLocalCache.java:2406)
	at java.base/java.util.concurrent.ConcurrentHashMap.compute(ConcurrentHashMap.java:1908)
	at com.github.benmanes.caffeine.cache.BoundedLocalCache.doComputeIfAbsent(BoundedLocalCache.java:2404)
	at com.github.benmanes.caffeine.cache.BoundedLocalCache.computeIfAbsent(BoundedLocalCache.java:2387)
	at com.github.benmanes.caffeine.cache.LocalCache.computeIfAbsent(LocalCache.java:108)
	at com.github.benmanes.caffeine.cache.LocalManualCache.get(LocalManualCache.java:62)
	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:454)
	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:297)
	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:223)
	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.authenticate(ActiveDirectorySecurityRealm.java:905)
	at hudson.security.AbstractPasswordBasedSecurityRealm.authenticate2(AbstractPasswordBasedSecurityRealm.java:74)
	at hudson.security.AbstractPasswordBasedSecurityRealm.doAuthenticate(AbstractPasswordBasedSecurityRealm.java:97)
	at hudson.security.AbstractPasswordBasedSecurityRealm$Authenticator.retrieveUser(AbstractPasswordBasedSecurityRealm.java:183)
	at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:133)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)
	at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:85)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:112)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:82)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:549)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1378)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1544)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1300)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at org.eclipse.jetty.server.Server.handle(Server.java:562)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
	at java.base/java.lang.Thread.run(Thread.java:829)