Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-75237

Saving the security configuration form changes the Active Directory password in config.xml

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • None
    • Jenkins Version 2.479.3 running on Debian Bookworm.

      When saving the security configuration, the already encrypted Active Directory password of the Jenkins config.xml was re-encrypted. As a result, the account could no longer connect to the domain and all users no longer had access to the Jenkins Server. In addition, a port was added to the address.
      We had to import a backup to be able to use Jenkins again.

          [JENKINS-75237] Saving the security configuration form changes the Active Directory password in config.xml

          Daniel Beck added a comment -

          When saving a configuration form, not just actual changes, but everything is saved. Based on the description, this looks like a problem in the unspecified security realm configuration form. Without more details, it's impossible to help you; it's however very unlikely that matrix-auth is the culprit, it's just what motivated you saving the configuration.

          Given https://en.wikipedia.org/wiki/Bronco_(disambiguation) reveals no useful technology-related terms: Please note that you're reporting this issue to the Jenkins project. This is not an issue tracker internal to your organization.

          Daniel Beck added a comment - When saving a configuration form, not just actual changes, but everything is saved. Based on the description, this looks like a problem in the unspecified security realm configuration form. Without more details, it's impossible to help you; it's however very unlikely that matrix-auth is the culprit, it's just what motivated you saving the configuration. Given https://en.wikipedia.org/wiki/Bronco_(disambiguation) reveals no useful technology-related terms: Please note that you're reporting this issue to the Jenkins project. This is not an issue tracker internal to your organization.

          Daniel Beck added a comment -

          While there may be a bug here, it's extremely unlikely to be in matrix-auth, so closing this issue.

          Daniel Beck added a comment - While there may be a bug here, it's extremely unlikely to be in matrix-auth , so closing this issue.

          Steffen added a comment -

          Bronco is the name of our Jenkins server, I changed it in the text shortly after it was created.
          Where should we put the bug if not on matrix-auth?

          Steffen added a comment - Bronco is the name of our Jenkins server, I changed it in the text shortly after it was created. Where should we put the bug if not on matrix-auth?

          Daniel Beck added a comment -

           Where should we put the bug if not on matrix-auth?

          I don't know, you haven't provided enough information yet. As I mentioned in my first comment, it's not even clear what your security realm is. The screenshot indicates there's a problem with the current configuration already before you submit the form.

          I suggest you find someone to assist you with narrowing down the cause of this problem if you don't know how to do that yourself. The forum at community.jenkins.io or Gitter/Matrix chat might be good locations to get started.

          Daniel Beck added a comment -  Where should we put the bug if not on matrix-auth? I don't know, you haven't provided enough information yet. As I mentioned in my first comment, it's not even clear what your security realm is. The screenshot indicates there's a problem with the current configuration already before you submit the form. I suggest you find someone to assist you with narrowing down the cause of this problem if you don't know how to do that yourself. The forum at community.jenkins.io or Gitter/Matrix chat might be good locations to get started.

          Steffen added a comment -

          It's as simple as it sounds, as soon as I add a group to the matrix, all groups lose their access.
          By saving and reloading this page, you can see the error in the image. 
          Before adding a new group there was of course no error.
          If you then log out, you cannot log in again. Neither can any other user.

          Reason for this:
          In the Jenkins config.xml not only the added group is added, but also the encrypted password, which establishes the communication with the domain, is changed. As a result, access is lost for all user groups.

          Workaround for us:
          Add groups manually in config.xml. Do not use the matrix-auth.

          Steffen added a comment - It's as simple as it sounds, as soon as I add a group to the matrix, all groups lose their access. By saving and reloading this page, you can see the error in the image.  Before adding a new group there was of course no error. If you then log out, you cannot log in again. Neither can any other user. Reason for this: In the Jenkins config.xml not only the added group is added, but also the encrypted password, which establishes the communication with the domain, is changed. As a result, access is lost for all user groups. Workaround for us: Add groups manually in config.xml. Do not use the matrix-auth.

          Daniel Beck added a comment -

          It's as simple as it sounds, as soon as I add a group to the matrix, all groups lose their access.
          By saving and reloading this page, you can see the error in the image. 
          Before adding a new group there was of course no error.
          If you then log out, you cannot log in again. Neither can any other user.

          Could you confirm that the same problem does not occur when you don't change groups, but still save/submit the configuration form?

          What is the config.xml content

          • before submission
          • after submission (no changes)
          • after submission (add a group)

          ?

          Daniel Beck added a comment - It's as simple as it sounds, as soon as I add a group to the matrix, all groups lose their access. By saving and reloading this page, you can see the error in the image.  Before adding a new group there was of course no error. If you then log out, you cannot log in again. Neither can any other user. Could you confirm that the same problem does not occur when you don't change groups, but still save/submit the configuration form? What is the config.xml content before submission after submission (no changes) after submission (add a group) ?

          Steffen added a comment -

          We have just tried it, the problem also occurs if you change and save any other thing under ‘Manage Security’. (Without change for groups)

          I will add the changes in config.xml to the attachments. (Slightly adapted for reasons of confidentiality)

          • config.xml.orginal, before any change
          • config.xml.save_change_in_group after changing a group and saving
          • config.xml.save_no_change_in_group after another change (not a group) and a saving

          In the meantime we updated to Jenkins Version 2.492.1, this didn't change the behaviour.

          Could you send the bug to the right place?

          Steffen added a comment - We have just tried it, the problem also occurs if you change and save any other thing under ‘Manage Security’. (Without change for groups) I will add the changes in config.xml to the attachments. (Slightly adapted for reasons of confidentiality) config.xml.orginal, before any change config.xml.save_change_in_group after changing a group and saving config.xml.save_no_change_in_group after another change (not a group) and a saving In the meantime we updated to Jenkins Version 2.492.1, this didn't change the behaviour. Could you send the bug to the right place?

          Daniel Beck added a comment -

          Could you send the bug to the right place?

          The right place is kinda unknown. Best guess is something's wrong with Active Directory, so rewrote this issue accordingly.

          Daniel Beck added a comment - Could you send the bug to the right place? The right place is kinda unknown. Best guess is something's wrong with Active Directory, so rewrote this issue accordingly.

            fbelzunc Félix Belzunce Arcos
            tea_steffen Steffen
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: