Jenkins / JENKINS-13595

Active Directory authentication when making configuration changes locks out the user operating system IDs of any people identified in the security matrix for that project.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Labels:
      None
    • Environment:
      Running Jenkins as a Windows service on a Win 2003 server using a master-slave setup.

      Description

      Making changes to configuration of projects triggers an Active Directory validation of the users on that project's security matrix, which results in AD locks of users' Windows IDs. Our AD system is set up to lock any ID that attempts to validate and fails to do so 3 times in a row. Users have to contact help desk to unlock IDs after that.

      I suspect that there might be an issue with Jenkins keeping older passwords internally and this causes locking when authentication attempts occur with the incorrect password. Our system forces password changes every 90 days. Unable to perform any kind of configuration changes for fear of locking out users.

      Rolled back from version 1.26 to 1.24 which was previously there and the problem stopped occurring.

        Activity

        alexlombardi alexlombardi created issue -
        kohsuke Kohsuke Kawaguchi added a comment -

        Are you running this on 32bit JVM or 64bit JVM? I assume you were using the per-project security matrix?

        alexlombardi alexlombardi added a comment -

        Our Jenkins installation runs on 32-bit JVMs. And yes, each project has its own security matrix.

        scm_issue_link SCM/JIRA link daemon added a comment -

        Code changed in jenkins
        User: Kohsuke Kawaguchi
        Path:
        src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java
        http://jenkins-ci.org/commit/active-directory-plugin/1c4d2ee8b341426490db97fb5a72541ffdb1eec7
        Log:
        [FIXED JENKINS-13595] when attempting anonymous bind, don't specify the user name.

        If AD is configured not to allow anonymous bind, it'll be recorded as a failed login attempt, and depending on the security policy in question, it can lock the user out.

        scm_issue_link SCM/JIRA link daemon made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
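
        The bind shapes the commit log above distinguishes, as an added Java (JNDI) illustration; it is not the plugin's code. The class and method names, the URL and the DN are constructed for the example, and the "before" method is a hypothetical reconstruction of the pattern the log says was removed.

```java
import java.util.Hashtable;
import javax.naming.Context;

public class BindEnvExample {
    // Shared connection settings; nothing here identifies a user.
    private static Hashtable<String, String> base(String url) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        return env;
    }

    // "Before" pattern (hypothetical): a lookup that has no password still names
    // the user. A server that rejects the bind can count it against that account.
    static Hashtable<String, String> bindWithNameOnly(String url, String userDn) {
        Hashtable<String, String> env = base(url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, "");
        return env;
    }

    // "After" pattern: an anonymous bind carries no principal, so a rejection
    // cannot be attributed to any user's account.
    static Hashtable<String, String> anonymousBind(String url) {
        Hashtable<String, String> env = base(url);
        env.put(Context.SECURITY_AUTHENTICATION, "none");
        return env;
    }

    // Real login: refuse to build a named bind unless a password was supplied.
    static Hashtable<String, String> userBind(String url, String userDn, String password) {
        if (userDn == null || userDn.isEmpty() || password == null || password.isEmpty()) {
            throw new IllegalArgumentException("named bind requires a DN and a password");
        }
        Hashtable<String, String> env = base(url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    public static void main(String[] args) {
        String url = "ldap://dc.example.test:389";         // constructed
        String dn = "CN=Sample User,DC=example,DC=test";   // constructed
        // Only the environments are built; no InitialDirContext is opened.
        System.out.println("name-only names a user: "
                + bindWithNameOnly(url, dn).containsKey(Context.SECURITY_PRINCIPAL));
        System.out.println("anonymous names a user: "
                + anonymousBind(url).containsKey(Context.SECURITY_PRINCIPAL));
    }
}
```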
        kohsuke Kohsuke Kawaguchi added a comment -

        Hmm, I still suspect you are using "64bit code path", which uses ActiveDirectoryUnixAuthenticationProvider instead of ActiveDirectoryAuthenticationProvider.

        Perhaps you specify a custom domain name? Does any stack trace report ActiveDirectoryUnixAuthenticationProvider?

        dogfood dogfood added a comment -

        Integrated in plugins_active-directory #60
        [FIXED JENKINS-13595] when attempting anonymous bind, don't specify the user name. (Revision 1c4d2ee8b341426490db97fb5a72541ffdb1eec7)

        Result = SUCCESS
        Kohsuke Kawaguchi :
        Files :

        • src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java

          People

          • Assignee:
            Unassigned
            Reporter:
            alexlombardi alexlombardi