- Bug
- Resolution: Unresolved
- Blocker
- None
We are using the Jenkins Docker image in our CI.
On 23/08/2023 (LTS 2.414.1), the image was updated from Debian 11 to Debian 12.
In this update, libpam-runtime moved from 1.4.0 to 1.5.0, and the PAM plugin is the same.
Since this date, LDAP authentication has failed.
We suspect an incompatibility with the new libpam-runtime.
[JENKINS-71972] Authentication Failed with Docker image Jenkins LTS (2.414.1)
Hi Bruno,
I am sharing some logs (issue-logs.txt); thank you for the investigation.
Are the tests you make LDAP connection tests?
Thanks for the logs, abderrazakabidallah.
The tests are the standard ones within the plugin itself, so I guess this is not the kind of test you're looking for.
Is there any way for you to test this new plugin build (i.e. install locally in your instance)?
Hi
When I tested your hpi (PAM Authentication plugin, Version 1.11-SNAPSHOT), the authentication still failed.
When I try to test the lib directly in my server context, I use the testOne test of InteractiveTester.java (after renaming it to InteractiveTest.java to make the command mvn test pass).
In my server context, the PAM configuration is linked to an LDAP.
Thank you for the investigation.
Hello, mcdvoice
After updating the Jenkins LTS Docker image to version 2.414.1 with Debian 12, an LDAP authentication issue emerged. This problem is suspected to be linked to an incompatibility with the newer version of libpam-runtime (1.5.0) compared to the previous version (1.4.0). Despite no changes to the PAM plugin, the authentication process may be affected by differences in how libpam-runtime interacts with LDAP. Investigating and addressing this compatibility issue is crucial to ensure LDAP authentication functions properly in the updated Jenkins image. It may require configuration adjustments or plugin updates to align with the new libpam-runtime version.
Thank you, gilbertboyer.
I've updated everything I could in the plugin and created a pull request for it.
However, it seems that it wasn't sufficient, as mentioned by Abderrazak.
Hi Bruno,
Please let me know if the way of testing this new plugin build that I explained helps you to reproduce it.
Thanks
This does not fully surprise me - the container may well be missing some libraries required to do PAM authentication as this is not that normal, esp. if you are mounting PAM conf from the host.
Generally I would not expect the API of PAM to change in a breaking way (it would break many applications). As such I am thinking this is not an issue with the PAM plugin but more something else.
1. What does the PAM auth log say? This may well have some clues.
2. Have you tried running Jenkins without Docker on a host to see if you can reproduce / debug this outside of Docker?
libpam-ldapd is not installed in either 2.401.3 or 2.414.1 which would IIUC be a prerequisite for this to even work?!
❯ docker run --user=root jenkins/jenkins:2.401.3 dpkg -l libpam-ldapd
dpkg-query: no packages found matching libpam-ldapd
❯ docker run --user=root jenkins/jenkins:2.414.1 dpkg -l libpam-ldapd
dpkg-query: no packages found matching libpam-ldapd
teilo,
from the Jenkins image we install libpam-ldap, libnss-ldap and libpam-pwdfile before using it.
[root@build-controller ~]# docker exec -it jenkins-controller dpkg -l libpam-ldap
||/ Name Version Architecture Description
+++-=================-============-============-========================================
ii libpam-ldap:amd64 186-4+b1 amd64 Pluggable Authentication Module for LDAP
It's not an issue in the plugin, but an issue in the libpam4j library used by the plugin.
We opened 2 issues: one on the libpam4j library and one on the plugin which uses this lib.
poddingue proposed a PR on the libpam4j project for us, but our tests revealed that this update did not resolve the issue.
The issue is linked to the Jenkins Docker image on Debian 12 and more specifically the 1.5.0 version of libpam-runtime. I think libpam4j has to be reviewed, because when we came back to the version before, the issue disappeared.
Thank you very much for the investigation.
The error in the log
Sep 07, 2023 2:28:31 PM FINE org.jvnet.libpam.PAM pam_conv num_msg=1
Sep 07, 2023 2:28:31 PM FINE org.jvnet.libpam.PAM 1:Password:
Sep 07, 2023 2:28:33 PM FINEST org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication Failed to process authentication request org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
is AFAICT
#define PAM_OPEN_ERR 1 /* dlopen() failure when dynamically */
                       /* loading a service module */
Which would point not at Jenkins and the pam plugin but at the configuration of PAM.
Have you checked your PAM config for compatibility? Have you validated the exact same configuration with the same container base (ubuntu and version) using just a local login or ssh access?
The issue is linked to the Jenkins Docker image on Debian 12 and more specifically the 1.5.0 version of libpam-runtime. I think libpam4j has to be reviewed, because when we came back to the version before, the issue disappeared.
By version before are you referring to the container or the plugin or all of it? `pam-auth 1.10.0` was released in August 2022
Hi teilo,
IIUC :
The PAM_OPEN_ERR error code is not thrown.
The error we have in the logs is "pam_authenticate failed", thrown in this line:
org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
The preceding log entry in the attached issue-logs.txt that says what libpam was doing is
1:Password:
1 should be the returned error code of the function.
AFAICT that is `PAM_OPEN_ERR` - at any rate there is a non-zero return code back from libpam and I have no way to reproduce this.
There should be logs from your PAM system (not Jenkins) that you can enable to get it to tell you why it is failing.
Hi teilo,
I am looking into getting the PAM system logs.
Regarding the code, the "1" refers to "pm.msg_style"; it's not an error code there AFAICT.
I attach the Jenkins PAM log of a successful connection:
Hello abderrazakabidallah,
would you please have any logs to share?
It's been more than a year since the last update of the plugin, which may explain why.
Just in case, I have proposed a PR to update the dependencies of libpam4j.
I have also rebuilt the plugin on my bookworm machine (with the snapshotted libpam4j) without a problem (tests passed).
I have attached my build to this issue if you want to try it in your instance.
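Added example (not part of the thread and not libpam4j or plugin code): a short Python triage of the libpam4j log excerpt quoted in this issue. It assumes, as one comment states, that the number logged before `Password:` is `pm.msg_style`, and it maps the `pam_strerror` text in the exception to Linux-PAM return codes from `<security/_pam_types.h>`; the names `triage` and `SAMPLE` are hypothetical.

```python
import re

# Linux-PAM conversation message styles (<security/_pam_types.h>).
MSG_STYLES = {1: "PAM_PROMPT_ECHO_OFF", 2: "PAM_PROMPT_ECHO_ON",
              3: "PAM_ERROR_MSG", 4: "PAM_TEXT_INFO"}

# Linux-PAM pam_strerror() text -> (return code, symbolic name).
RETURN_CODES = {
    "Failed to load module": (1, "PAM_OPEN_ERR"),
    "Permission denied": (6, "PAM_PERM_DENIED"),
    "Authentication failure": (7, "PAM_AUTH_ERR"),
    "Authentication service cannot retrieve authentication info":
        (9, "PAM_AUTHINFO_UNAVAIL"),
    "User not known to the underlying authentication module":
        (10, "PAM_USER_UNKNOWN"),
    "Module is unknown": (28, "PAM_MODULE_UNKNOWN"),
}

# Constructed sample: the excerpt from this issue, one record per line.
SAMPLE = """\
Sep 07, 2023 2:28:31 PM FINE org.jvnet.libpam.PAM pam_conv num_msg=1
Sep 07, 2023 2:28:31 PM FINE org.jvnet.libpam.PAM 1:Password:
Sep 07, 2023 2:28:33 PM FINEST org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication Failed to process authentication request org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
"""

# "<style>:<prompt>" lines logged by the conversation callback (assumed format).
CONV = re.compile(r"org\.jvnet\.libpam\.PAM (\d+):(.*)$")
# "<pam function> failed : <pam_strerror text>" from the exception message.
FAIL = re.compile(r"PAMException: (\w+) failed : (.+)$")


def triage(log_text):
    """Return decoded conversation prompts and PAM failures, in log order."""
    events = []
    for line in log_text.splitlines():
        m = CONV.search(line)
        if m:
            style = int(m.group(1))
            name = MSG_STYLES.get(style, "unknown style %d" % style)
            events.append(("prompt", name, m.group(2).strip()))
            continue
        m = FAIL.search(line)
        if m:
            code, name = RETURN_CODES.get(m.group(2).strip(), (None, "unmapped"))
            events.append(("failure", m.group(1), code, name))
    return events


if __name__ == "__main__":
    for event in triage(SAMPLE):
        print(event)
```
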