
Active Directory Plugin - Adding AD Group Throws BadCredentialsException

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Environment:
      OS: CentOs 6 64-bit
      Hardware Platform: VMWare ESXi 5.0
      Description

      Adding an AD group, e.g. ciusers on Authorization type "Project-based Matrix Authorization Strategy", throws BadCredentialsException.

      Issue:
      doCheckName_() first tries to find a user; that lookup fails and throws BadCredentialsException. doCheckName_() then tries loadGroupByGroupname(), which throws UserMayOrMayNotExistException right away. doCheckName_() uses SecurityRealm.loadGroupByGroupname() instead of LDAPSecurityRealm.loadGroupByGroupname().

      Snippet of loadGroupByGroupname() from the SecurityRealm class:

          public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
              throw new UserMayOrMayNotExistException(groupname);
          }

      Snippet of loadGroupByGroupname() from the LDAPSecurityRealm class:

          public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
              // TODO: obtain a DN instead so that we can obtain multiple attributes later
              String searchBase = groupSearchBase != null ? groupSearchBase : "";
              final Set<String> groups = (Set<String>) ldapTemplate.searchForSingleAttributeValues(searchBase, GROUP_SEARCH,
                      new String[]{groupname}, "cn");

              if (groups.isEmpty())
                  throw new UsernameNotFoundException(groupname);

              return new GroupDetails() {
                  public String getName() {
                      return groups.iterator().next();
                  }
              };
          }

      Snippet of doCheckName_():

          public FormValidation doCheckName_(String value, AccessControlled subject, Permission permission) throws IOException, ServletException {
              if (!subject.hasPermission(permission)) return FormValidation.ok(); // can't check

              final String v = value.substring(1, value.length() - 1);
              SecurityRealm sr = Jenkins.getInstance().getSecurityRealm();
              String ev = Functions.escape(v);

              if (v.equals("authenticated"))
                  // system reserved group
                  return FormValidation.respond(Kind.OK, makeImg("user.png") + ev);

              try {
                  sr.loadUserByUsername(v);
                  return FormValidation.respond(Kind.OK, makeImg("person.png") + ev);
              } catch (UserMayOrMayNotExistException e) {
                  // undecidable, meaning the user may exist
                  return FormValidation.respond(Kind.OK, ev);
              } catch (UsernameNotFoundException e) {
                  // fall through next
              } catch (DataAccessException e) {
                  // fall through next
              }

              try {
                  sr.loadGroupByGroupname(v);
                  return FormValidation.respond(Kind.OK, makeImg("user.png") + ev);
              } catch (UserMayOrMayNotExistException e) {
                  // undecidable, meaning the group may exist
                  return FormValidation.respond(Kind.OK, ev);
              } catch (UsernameNotFoundException e) {
                  // fall through next
              } catch (DataAccessException e) {
                  // fall through next
              }

              // couldn't find it. it doesn't exist
              return FormValidation.respond(Kind.ERROR, makeImg("error.png") + ev);
          }

      Stack trace snippet:
      Failed to test the validity of the user name ciusers
      org.acegisecurity.BadCredentialsException: Authentication was successful but cannot locate the user information for ciusers
      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:147)
      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:105)
      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:64)
      at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:23)
      at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:514)
      at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName_(GlobalMatrixAuthorizationStrategy.java:303)
      at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:288)
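      The fall-through in doCheckName_() only reaches the group lookup when the user lookup throws UsernameNotFoundException (or a subclass); any other exception escapes the validator, which is what the stack trace above shows. The stand-alone Java program below is an added illustration, not Jenkins or plugin code: it uses a hypothetical AdLikeRealm and models Acegi's hierarchy, where UsernameNotFoundException extends BadCredentialsException, so a realm that throws a plain BadCredentialsException bypasses both catch blocks while a realm that throws UsernameNotFoundException falls through to the group lookup.

```java
import java.util.Set;

public class NameCheckDemo {
    // Exception hierarchy modelled on Acegi: UsernameNotFoundException is a
    // subclass of BadCredentialsException, so catch (UsernameNotFoundException)
    // does NOT catch a plain BadCredentialsException.
    static class BadCredentialsException extends RuntimeException {
        BadCredentialsException(String msg) { super(msg); }
    }
    static class UsernameNotFoundException extends BadCredentialsException {
        UsernameNotFoundException(String msg) { super(msg); }
    }
    // Hypothetical stand-in for an AD-backed SecurityRealm (not the plugin's code).
    // 'reportsBadCredentials' selects the pre-fix behaviour seen in the stack trace.
    static class AdLikeRealm {
        final Set<String> users, groups;
        final boolean reportsBadCredentials;
        AdLikeRealm(Set<String> users, Set<String> groups, boolean reportsBadCredentials) {
            this.users = users; this.groups = groups; this.reportsBadCredentials = reportsBadCredentials;
        }
        void loadUserByUsername(String name) {
            if (users.contains(name)) return;
            if (reportsBadCredentials)
                throw new BadCredentialsException(
                    "Authentication was successful but cannot locate the user information for " + name);
            throw new UsernameNotFoundException(name);
        }
        void loadGroupByGroupname(String name) {
            if (!groups.contains(name)) throw new UsernameNotFoundException(name);
        }
    }
    // Same fallback order as doCheckName_(): user first, then group, else ERROR.
    static String checkName(AdLikeRealm sr, String v) {
        try { sr.loadUserByUsername(v); return "OK:person"; }
        catch (UsernameNotFoundException e) { /* fall through to group lookup */ }
        try { sr.loadGroupByGroupname(v); return "OK:group"; }
        catch (UsernameNotFoundException e) { /* fall through to error */ }
        return "ERROR";
    }
    public static void main(String[] args) {
        Set<String> users = Set.of("alice"), groups = Set.of("ciusers"); // constructed sample data
        System.out.println(checkName(new AdLikeRealm(users, groups, false), "ciusers")); // group lookup reached
        try {
            checkName(new AdLikeRealm(users, groups, true), "ciusers");
        } catch (BadCredentialsException e) {
            System.out.println("check aborted: " + e.getMessage()); // the bug: group lookup never ran
        }
    }
}
```

      With the realm that reports UsernameNotFoundException, "ciusers" is recognised as a group; with the realm that reports BadCredentialsException, the exception leaves checkName() before the group lookup runs, so the validator never gets to answer.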

            Activity

            tlee Tony Lee added a comment -

            Suggestions:
            1. Split doCheckName_() into 2 methods, one for trying loadUserByUsername() and the other one for trying loadGroupByGroupname(). The UI add user/group field needs to be split as well, one for adding user and the other one for adding group.
            2. The error message for adding a group is misleading. Currently it throws BadCredentialsException("...user..."). A GroupnameNotFoundException (this exception doesn't exist) should be thrown when ldap search returns empty result.

            kohsuke Kohsuke Kawaguchi added a comment -

            Fixed in 1.24.

            ahso Dan Dexter added a comment -

            This appears to still be happening, perhaps a regression or some other cause. If I only have a group specified in matrix-based security it will not allow a full login and I get a 404 error. If I have my AD user name specified then it works.

            WARNING: Credential exception tying to authenticate against . domain
            org.acegisecurity.userdetails.UsernameNotFoundException: Authentication was successful but cannot locate the user information for group

            ahso Dan Dexter added a comment -

            Never mind on my previous note. I figured out the issue. It looks like some parts of the plugin and/or authentication routine are case sensitive. I can enter the group name as all lower case, for example, and it will show the group icon showing it's able to look it up properly, but it will only fully authenticate if I enter the group name with the exact same case as it's entered in AD. I will close this out.

            ahso Dan Dexter added a comment -

            See my previous note.

            johnnyprester John Prester added a comment -

            What is the status of this issue? I'm still seeing it in version 1.29 of the plugin. Will it be fixed by a code change in an upcoming release?

            raspy Krzysztof Malinowski added a comment -

            Seems to be related requirement.


              People

              • Assignee: Unassigned
              • Reporter: tlee Tony Lee
              • Votes: 2
              • Watchers: 3