
Login to hudson fails in an https and openLDAP environment

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • ldap-plugin
    • None

      Hi!

      I'm trying to secure a hudson installation.
      Tested this since Hudson version 1.376 doesn't work with openLDAP login authentication.

      Found a link to this Spring Security build
      I get the following Exception when trying to log in to a running hudson instance.

      Hudson ver. 1.350-SNAPSHOT (private-03/08/2010 07:19-mindless)

      Error when I try to log in.
      -----------------------
      Status Code: 500
      Exception:
      Stacktrace:

      java.lang.ClassCastException: com.sun.jndi.ldap.LdapCtx cannot be cast to org.springframework.ldap.core.DirContextAdapter
      at org.springframework.security.ldap.SpringSecurityLdapTemplate$2.mapFromContext(SpringSecurityLdapTemplate.java:154)
      at org.springframework.ldap.core.ContextMapperCallbackHandler.getObjectFromNameClassPair(ContextMapperCallbackHandler.java:67)
      at org.springframework.ldap.core.CollectingNameClassPairCallbackHandler.handleNameClassPair(CollectingNameClassPairCallbackHandler.java:50)
      at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:297)
      at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
      at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
      at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:524)
      at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:170)
      at org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:206)
      at org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator.getGrantedAuthorities(DefaultLdapAuthoritiesPopulator.java:179)
      at org.springframework.security.providers.ldap.LdapAuthenticationProvider.loadUserAuthorities(LdapAuthenticationProvider.java:243)
      at org.springframework.security.providers.ldap.LdapAuthenticationProvider.authenticate(LdapAuthenticationProvider.java:231)
      at org.springframework.security.providers.ProviderManager.doAuthentication(ProviderManager.java:188)
      at org.springframework.security.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:46)
      at org.springframework.security.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:82)
      at org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:259)
      at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at org.springframework.security.ui.basicauth.BasicProcessingFilter.doFilterHttp(BasicProcessingFilter.java:174)
      at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
      at hudson.security.HttpSessionContextIntegrationFilter2.doFilterHttp(HttpSessionContextIntegrationFilter2.java:68)
      at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
      at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
      at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
      at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:244)
      at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
      at java.lang.Thread.run(Thread.java:636)

      Generated by Winstone Servlet Engine v0.9.10 at Wed Sep 22 17:29:23 CEST 2010

      ------------------------------------------

      Any ideas?

      /kolv

          [JENKINS-7545] Login to hudson fails in an https and openLDAP environment

          kolv99 added a comment (edited)

          Hi!

          I made some more tests and Google research! The error handling could certainly be improved! The LDAP search base for users and groups has to be correct. The dc entries should only be specified once in the Root DN field.

          In our setup, LDAP authentication and Hudson login work OK in Hudson 1.378 (https and no Apache frontend).

          Hudson LDAP config

          Server: ldapx.xxxx.yyyy.se
          Root DN: dc=xxxx,dc=yyyy,dc=se
          User Search Base: ou=users
          User Search Filter: uid={0}
          Group Search Base: ou=groups
          Manager DN: <empty field>
          Manager Password: <empty field>

          I used the following ldapsearch command to test LDAP auth from CLI/OS level

          ldapsearch -x -W -D uid=myuser,ou=users,dc=xxxx,dc=yyyy,dc=se -h ldapx.xxxx.yyyy.se -b ou=users,dc=xxxx,dc=yyyy,dc=se uid=anotheruser

          One suggestion except error handling would be an LDAP test button and some additional guidelines.

          Best regards / Kolv
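
The configuration rule from the comment above, as an added example that is not part of the original issue or of Hudson's code: search bases are relative to the Root DN, so dc= entries appear only there, and the {0} placeholder in the filter takes the login name. Function names are hypothetical; lowercasing DNs assumes case-insensitive attributes such as ou and dc.

```bash
#!/usr/bin/env bash
# Added example, not part of the issue. Field names mirror the Hudson LDAP form;
# the function names are made up for this sketch.

# Lowercase a DN and drop spaces around ',' and '=' so comparisons are stable.
normalize_dn() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed -e 's/ *, */,/g' -e 's/ *= */=/g'
}

# Effective search DN = relative search base + Root DN. Returns 1 when the
# search base already carries dc= components (they belong only in Root DN).
effective_base() {
  local rel root
  rel=$(normalize_dn "$1"); root=$(normalize_dn "$2")
  if [ -z "$rel" ]; then printf '%s\n' "$root"; return 0; fi
  case ",$rel" in
    *,dc=*) echo "search base '$1' repeats dc= entries from Root DN" >&2; return 1 ;;
  esac
  printf '%s,%s\n' "$rel" "$root"
}

# Put the login name where {0} sits in the User Search Filter, escaping the
# RFC 4515 filter metacharacters \ * ( ) so the name is matched literally.
build_filter() {
  local ph='{0}' name head tail
  case "$1" in *"$ph"*) ;; *) echo "filter has no {0} placeholder" >&2; return 1 ;; esac
  name=$(printf '%s' "$2" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g')
  head=${1%%"$ph"*}; tail=${1#*"$ph"}
  printf '%s%s%s\n' "$head" "$name" "$tail"
}

# Values from the comment above (already anonymised there).
root_dn='dc=xxxx,dc=yyyy,dc=se'
base=$(effective_base 'ou=users' "$root_dn")
filter=$(build_filter 'uid={0}' 'anotheruser')
# Same invocation as in the comment; newer OpenLDAP tools prefer -H <uri> over -h.
echo "ldapsearch -x -W -D 'uid=myuser,$base' -h ldapx.xxxx.yyyy.se -b '$base' '$filter'"
```

Running the printed ldapsearch command before saving the Hudson form confirms that the bind DN, search base and filter resolve on the directory itself, independent of the servlet stack.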


            Assignee: Unassigned
            Reporter: kolv99