• Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Red Hat Enterprise Linux Server release 7.9 (Maipo)
      Jenkins 2.375.1
      Active Directory Plugin 2.29

      I have tried to configure LDAPS for Jenkins, but it is not working. I am confused by this tutorial document.

      Can anyone tell me where I need to add this config for step 4? I did try adding it to /usr/lib/systemd/system/jenkins.service

      Environment="JAVA_ARGS=-Djava.awt.headless=true -Djavax.net.ssl.trustStore=$JENKINS_HOME/.keystore/cacerts -Djavax.net.ssl.trustStorePassword=changeit"

      As the picture below shows, I did successfully connect to AD with TLS enabled and the JDK TrustStore set.

      But when I change port 3268 to 3269 (LDAPS), it shows me an error.

      Dec 14 00:40:15 srv-jenkins jenkins: 2022-12-13 17:40:15.756+0000 [id=16]#011WARNING#011h.p.a.ActiveDirectorySecurityRealm$DescriptorImpl#bind: Failed to bind to srv-dc.testvn.local:3269
      Dec 14 00:40:15 srv-jenkins jenkins: javax.naming.NamingException: LDAP connection has been closed
      Dec 14 00:40:15 srv-jenkins jenkins: at java.naming/com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:133)
      Dec 14 00:40:15 srv-jenkins jenkins: at java.naming/com.sun.jndi.ldap.Connection.readReply(Connection.java:443)
      Dec 14 00:40:15 srv-jenkins jenkins: at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:365)
      Dec 14 00:40:15 srv-jenkins jenkins: at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
      Dec 14 00:40:15 srv-jenkins jenkins: at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2895)
      Dec 14 00:40:15 srv-jenkins jenkins: at java.naming/com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2797)
      Dec 14 00:40:15 srv-jenkins jenkins: at java.naming/com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2770)
      Dec 14 00:40:15 srv-jenkins jenkins: at java.naming/com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2699)
      Dec 14 00:40:15 srv-jenkins jenkins: at java.naming/javax.naming.ldap.InitialLdapContext.reconnect(InitialLdapContext.java:193)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:724)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:601)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.plugins.active_directory.ActiveDirectoryDomain$DescriptorImpl.doValidateTest(ActiveDirectoryDomain.java:337)
      Dec 14 00:40:15 srv-jenkins jenkins: at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:78)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:140)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:558)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:762)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.Stapler.invoke(Stapler.java:894)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:289)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:762)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.Stapler.invoke(Stapler.java:894)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:830)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.Stapler.invoke(Stapler.java:894)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:475)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:762)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.Stapler.invoke(Stapler.java:894)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.Stapler.invoke(Stapler.java:690)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.Stapler.service(Stapler.java:240)
      Dec 14 00:40:15 srv-jenkins jenkins: at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:157)
      Dec 14 00:40:15 srv-jenkins jenkins: at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:81)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      Dec 14 00:40:15 srv-jenkins jenkins: at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:160)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:154)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
      Dec 14 00:40:15 srv-jenkins jenkins: at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:122)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:116)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:109)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:141)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:97)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:223)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      Dec 14 00:40:15 srv-jenkins jenkins: at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:112)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:82)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
      Dec 14 00:40:15 srv-jenkins jenkins: at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
      Dec 14 00:40:15 srv-jenkins jenkins: at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:549)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1383)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1544)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1305)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.Server.handle(Server.java:563)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:139)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:933)
      Dec 14 00:40:15 srv-jenkins jenkins: at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1077)
      Dec 14 00:40:15 srv-jenkins jenkins: at java.base/java.lang.Thread.run(Thread.java:829)
      Dec 14 00:40:15 srv-jenkins jenkins: 2022-12-13 17:40:15.757+0000 [id=16]#011WARNING#011h.p.a.ActiveDirectorySecurityRealm$DescriptorImpl#bind: All attempts to login failed for user testvn\ldap.jenkins


          [JENKINS-70272] LDAPS with Active Directory not working

          Bob added a comment - edited

          AD 2.29 with LTS 2.361.1, 2.346.1 using Require TLS and Global Catalog port 3269 gets the same LDAP connection has been closed when testing domain.  If I turn off Require TLS and use port 3268 it tests Success but the Active Directory Health Status never returns any data using 2.29.

          Either setting still allows users to auth against AD.

          Using an older version of the AD plugin works OK.


          David Sainty added a comment - edited

          On the network this bug leads to the bind password being sent in the clear, so there's a security exposure to this bug too.  Present in the latest AD 2.30 release too.

          This issue is NOT present in 2.27 or 2.28.


          David Sainty added a comment - edited

          Some detail that is missing: the problem seems to be that the "Test" button now completely ignores requireTLS. So it tests with an unencrypted connection, hence the bind credentials end up in plaintext on the network. But actual logins DO observe requireTLS. So it's the Test button behaviour that is broken, and it makes it look like the AD setup is broken when it is not.

          I'm sure this is linked to the changes in 2.29 (JENKINS-69683) - though the 2.29 changes almost describe trying to fix this exact problem, but strangely the reverse seems true, 2.29 has created the problem it appears.

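A triage script for the symptom described in this comment (a plaintext test bind sent to the Global Catalog SSL port, which the server answers by closing the connection), added here as an example and not part of the issue or of the plugin's code: it pairs the "Failed to bind" warning with the "LDAP connection has been closed" exception in the reporter's log excerpt, flags targets on a TLS-only port, and lists the bind accounts whose password may have crossed the network unencrypted so they can be rotated. The sample lines are copied from the reporter's excerpt above; treating 636 and 3269 as TLS-only ports is an assumption.

```python
"""Triage helper for the JENKINS-70272 pattern (example, not plugin code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: ports that expect a TLS handshake before any LDAP PDU
# (LDAPS 636, Global Catalog over SSL 3269). A plaintext bind there is closed.
LDAPS_PORTS = {636, 3269}

BIND_FAIL = re.compile(r"#bind: Failed to bind to (?P<host>[^:\s]+):(?P<port>\d+)")
CONN_CLOSED = re.compile(r"NamingException: LDAP connection has been closed")
LOGIN_FAIL = re.compile(r"All attempts to login failed for user (?P<user>\S+)")


@dataclass
class Finding:
    host: str
    port: int
    tls_port: bool            # target port is TLS-only: matches a plaintext test bind
    bind_user: Optional[str]  # account whose bind password may have gone out in clear


def scan_log(lines) -> List[Finding]:
    """Pair each bind failure with the 'connection closed' line that follows it,
    then attach the bind account from the 'All attempts to login failed' line."""
    findings: List[Finding] = []
    pending: Optional[tuple] = None
    for line in lines:
        m = BIND_FAIL.search(line)
        if m:
            pending = (m.group("host"), int(m.group("port")))
            continue
        if pending is not None and CONN_CLOSED.search(line):
            host, port = pending
            findings.append(Finding(host, port, port in LDAPS_PORTS, None))
            pending = None
            continue
        m = LOGIN_FAIL.search(line)
        if m and findings and findings[-1].bind_user is None:
            findings[-1].bind_user = m.group("user")
    return findings


def credentials_to_rotate(findings: List[Finding]) -> List[str]:
    """Bind accounts that, per the analysis in this thread, may have been sent unencrypted."""
    return sorted({f.bind_user for f in findings if f.tls_port and f.bind_user})


# Sample input: lines copied from the reporter's excerpt, plus one stack frame to skip.
SAMPLE_LOG = [
    "Dec 14 00:40:15 srv-jenkins jenkins: 2022-12-13 17:40:15.756+0000 [id=16]#011WARNING#011"
    "h.p.a.ActiveDirectorySecurityRealm$DescriptorImpl#bind: Failed to bind to srv-dc.testvn.local:3269",
    "Dec 14 00:40:15 srv-jenkins jenkins: javax.naming.NamingException: LDAP connection has been closed",
    "Dec 14 00:40:15 srv-jenkins jenkins: at java.naming/com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:133)",
    r"Dec 14 00:40:15 srv-jenkins jenkins: 2022-12-13 17:40:15.757+0000 [id=16]#011WARNING#011"
    r"h.p.a.ActiveDirectorySecurityRealm$DescriptorImpl#bind: All attempts to login failed for user testvn\ldap.jenkins",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print("rotate:", credentials_to_rotate(found))
```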

          Félix Belzunce Arcos added a comment - edited

          dsainty You are totally right. The problem is that I tested my change without TLS... and my PR does not work because I am trying to use a parameter which is in a different descriptor. For the moment, I don't find an easy way to fix the issue. I will investigate more, and if I can't find I will just revert that change that I did -as at the end most of the users should be using TLS for their tests.


          David Sainty added a comment

          Hi fbelzunc, just a grateful reminder that it'd be awesome if this was fixed soon.


            fbelzunc Félix Belzunce Arcos
            hoanbc Hoan