  1. Jenkins
  2. JENKINS-19909

LDAP authentication works ONLY with anonymous LDAP server


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component/s: _unsorted, ldap-plugin
    • Labels: None
    • Environment: OS: Centos 6.4, Jenkins ver. 1.533, ldap plugin v1.6

      I configured LDAP access control like this:

      <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
      <securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap@1.6">
        <server>ldap01.mydomain.com</server>
        <rootDN>dc=mydomain,dc=com</rootDN>
        <inhibitInferRootDN>false</inhibitInferRootDN>
        <userSearchBase>ou=Users</userSearchBase>
        <userSearch>uid={0}</userSearch>
        <managerDN>cn=lowUser,ou=Users,dc=mydomain,dc=com</managerDN>
        <managerPassword>eWayUcssDldsFSVCoDXNo</managerPassword>
        <disableMailAddressResolver>false</disableMailAddressResolver>
      </securityRealm>
      

      If anonymous access is allowed on the LDAP server, I can log in without any problems and there are no errors in jenkins.log. But when I disabled anonymous access on the LDAP server by adding these fields to the file olcDatabase={2}bdb.ldif:

      olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=mydomain,dc=com" write by anonymous auth by self write by * none
      olcAccess: {1}to * by dn="cn=admin,ou=Users,dc=mydomain,dc=com" write by dn="cn=lowUser,ou=Users,dc=mydomain,dc=com" read by anonymous auth by * none
      

      I can't access Jenkins. In the log file jenkins.log I see these errors:

      Oct 6, 2013 5:56:43 AM hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
      INFO: Login attempt failed
      org.acegisecurity.AuthenticationServiceException: LdapCallback;[LDAP: error code 32 - No Such Object]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'uid=user-jenkins,ou=Users'; nested exception is org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;[LDAP: error code 32 - No Such Object]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'uid=user-jenkins,ou=Users'
              at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:238)
              at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
              at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
              at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
              at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:74)
              at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
              at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:174)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
              at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:64)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
              at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
              at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
              at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
              at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
              at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
              at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
              at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
              at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
              at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
              at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
              at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
              at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
              at winstone.RequestDispatcher.forward(RequestDispatcher.java:331)
              at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:227)
              at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
              at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
              at java.util.concurrent.FutureTask.run(FutureTask.java:166)
              at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
              at java.lang.Thread.run(Thread.java:679)
      Caused by: org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;[LDAP: error code 32 - No Such Object]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'uid=user-jenkins,ou=Users'
              at org.acegisecurity.ldap.LdapTemplate$LdapExceptionTranslator.translate(LdapTemplate.java:295)
              at org.acegisecurity.ldap.LdapTemplate.execute(LdapTemplate.java:128)
              at org.acegisecurity.ldap.LdapTemplate.retrieveEntry(LdapTemplate.java:165)
              at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.bindWithDn(BindAuthenticator.java:87)
              at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.authenticate(BindAuthenticator.java:72)
              at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2.authenticate(BindAuthenticator2.java:49)
              at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:233)
              ... 33 more
      Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'uid=user-jenkins,ou=Users'
              at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3057)
              at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
              at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2785)
              at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1322)
              at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:231)
              at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:139)
              at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:127)
              at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:140)
              at org.acegisecurity.ldap.LdapTemplate$2.doInDirContext(LdapTemplate.java:168)
              at org.acegisecurity.ldap.LdapTemplate.execute(LdapTemplate.java:126)
              ... 38 more
      

      But at the same time (when anonymous access on the LDAP server is disabled) I can authenticate without problems on other services and products (where LDAP authentication is configured), like Zabbix, Jira, Confluence, etc.

      Please help solve this problem. If you need any more information from my side, please tell me.

      Thank you.

            Assignee: Kohsuke Kawaguchi (kohsuke)
            Reporter: Oleg Galitskiy (knyaz)
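An added example, not part of the original report and not Jenkins or OpenLDAP code: a simplified model of OpenLDAP's first-match ACL evaluation, applied to the two `olcAccess` values quoted above, to show what each bind identity is granted on a user entry. Assumptions: the full user DN is constructed from the `remaining name` in the log plus the configured `rootDN`, DNs are compared exactly, and only the `to`/`by` forms that appear in the report are modelled.

```python
import re

# The two olcAccess values quoted in the report (index prefixes dropped).
ACL = [
    'to attrs=userPassword by dn="cn=admin,dc=mydomain,dc=com" write '
    'by anonymous auth by self write by * none',
    'to * by dn="cn=admin,ou=Users,dc=mydomain,dc=com" write '
    'by dn="cn=lowUser,ou=Users,dc=mydomain,dc=com" read by anonymous auth by * none',
]
# Constructed DN (assumption): 'remaining name' from the log + rootDN from the config.
USER = "uid=user-jenkins,ou=Users,dc=mydomain,dc=com"
MANAGER = "cn=lowUser,ou=Users,dc=mydomain,dc=com"  # managerDN from the Jenkins config

def parse(rule):
    """Split one olcAccess value into (what, [(who, level), ...])."""
    what, *clauses = re.split(r"\s+by\s+", rule.strip())
    return what[len("to "):], [tuple(c.rsplit(None, 1)) for c in clauses]

def what_matches(what, attr):
    if what == "*":
        return True
    return attr.lower() in what[len("attrs="):].lower().split(",")

def who_matches(who, bound_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None            # no authenticated identity
    if bound_dn is None:
        return False
    if who == "self":
        return bound_dn.lower() == entry_dn.lower()
    m = re.fullmatch(r'dn="(.*)"', who)
    return bool(m) and m.group(1).lower() == bound_dn.lower()

def access(bound_dn, entry_dn, attr):
    """The first rule whose <what> matches decides; its first matching <who> gives the level."""
    for rule in ACL:
        what, clauses = parse(rule)
        if what_matches(what, attr):
            for who, level in clauses:
                if who_matches(who, bound_dn, entry_dn):
                    return level
            return "none"                  # implicit trailing "by * none"
    return "none"

if __name__ == "__main__":
    for label, dn in (("anonymous", None), ("manager", MANAGER), ("user (self)", USER)):
        print(f"{label:12} entry={access(dn, USER, 'entry'):5} uid={access(dn, USER, 'uid'):5} "
              f"userPassword={access(dn, USER, 'userPassword')}")
```

In this model the manager DN gets `read` on the user entry, while the user bound as itself gets `write` on `userPassword` but `none` on everything else, because rule `{1}` has no `by self` clause. OpenLDAP answers a read without disclose access with `noSuchObject` (32), and the trace shows the failing `getAttributes` call being made from `BindAuthenticator.bindWithDn`.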