Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-20064

Cannot use CLI or URL with API token with Active Directory as the access control security realm

    Details

    • Similar Issues:

      Description

      I'm trying to use the Jenkins CLI for a server that is set up with AD as the access control security realm. Logged in users can perform any action.

      The Jenkins server is 1.534 on Ubuntu with Active Directory plugin 1.33, configured with just the domain (no bind DN or password).

      I've provisioned an SSH public key for my user. When I attempt to run CLI against Jenkins it fails with this

      Exception in thread "main" java.io.EOFException
              at java.io.DataInputStream.readBoolean(DataInputStream.java:244)
              at hudson.cli.Connection.readBoolean(Connection.java:95)
              at hudson.cli.CLI.authenticate(CLI.java:644)
              at hudson.cli.CLI._main(CLI.java:474)
              at hudson.cli.CLI.main(CLI.java:384)
      

      and the below is logged on the server. This is similar to JENKINS-12619 though in my case the behavior is consistent and always fails.

      Oct 13, 2013 12:23:35 PM WARNING hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider retrieveUser
      
      Failed to retrieve user information for username
      javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'DC=mycompany,DC=com'
          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3072)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2785)
          at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1839)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1779)
          at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
          at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBuilder.java:52)
          at hudson.plugins.active_directory.LDAPSearchBuilder.searchOne(LDAPSearchBuilder.java:42)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:263)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:193)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:137)
          at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:30)
          at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:584)
          at hudson.model.User.impersonate(User.java:255)
          at org.jenkinsci.main.modules.cli.auth.ssh.SshCliAuthenticator.authenticate(SshCliAuthenticator.java:44)
          at hudson.cli.CliManagerImpl$2.run(CliManagerImpl.java:109)
      
      Oct 13, 2013 12:23:35 PM WARNING hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider retrieveUser
      
      Credential exception tying to authenticate against mycompany.com domain
      org.acegisecurity.BadCredentialsException: Failed to retrieve user information for username; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'DC=mycompany,DC=com'
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:309)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:193)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:137)
          at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:30)
          at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:584)
          at hudson.model.User.impersonate(User.java:255)
          at org.jenkinsci.main.modules.cli.auth.ssh.SshCliAuthenticator.authenticate(SshCliAuthenticator.java:44)
          at hudson.cli.CliManagerImpl$2.run(CliManagerImpl.java:109)
      Caused by: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'DC=mycompany,DC=com'
          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3072)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2785)
          at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1839)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1779)
          at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
          at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBuilder.java:52)
          at hudson.plugins.active_directory.LDAPSearchBuilder.searchOne(LDAPSearchBuilder.java:42)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:263)
          ... 7 more
      

        Attachments

          Issue Links

            Activity

            david_resnick David Resnick created issue -
            david_resnick David Resnick made changes -
            Field Original Value New Value
            Summary Cannot use CLI when server using Active Directory as the access control security realm Cannot use CLI or URL with API token with Active Directory as the access control security realm
            angelosphere Angelo Schneider made changes -
            Labels active_directory, cli security LDAP active_directory, cli security
            kohsuke Kohsuke Kawaguchi made changes -
            Status Open [ 1 ] Resolved [ 5 ]
            Assignee Kohsuke Kawaguchi [ kohsuke ]
            Resolution Fixed [ 1 ]
            erichelgeson Eric Helgeson made changes -
            Link This issue is related to JENKINS-22346 [ JENKINS-22346 ]
            danielbeck Daniel Beck made changes -
            Link This issue is related to JENKINS-22409 [ JENKINS-22409 ]
            jglick Jesse Glick made changes -
            Labels LDAP active_directory, cli security LDAP cli security
            ssbarnea Sorin Sbarnea made changes -
            Resolution Fixed [ 1 ]
            Status Resolved [ 5 ] Reopened [ 4 ]
            ssbarnea Sorin Sbarnea made changes -
            Environment The Jenkins server is 1.534 on Ubuntu with Active Directory plugin 1.33, configured with just the domain (no bind DN or password). jenkins-1.534 on Ubuntu with Active Directory plugin 1.33, configured with just the domain (no bind DN or password).
            jenkins-1617 too
            jglick Jesse Glick made changes -
            Status Reopened [ 4 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            jglick Jesse Glick made changes -
            Link This issue depends on JENKINS-22346 [ JENKINS-22346 ]
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-22346 [ JENKINS-22346 ]
            jglick Jesse Glick made changes -
            Link This issue is duplicated by SECURITY-197 [ SECURITY-197 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 151586 ] JNJira + In-Review [ 193992 ]
            ircbot Jenkins IRC Bot made changes -
            Component/s _unsorted [ 19622 ]
            Component/s security [ 15508 ]

              People

              • Assignee:
                kohsuke Kohsuke Kawaguchi
                Reporter:
                david_resnick David Resnick
              • Votes:
                6 Vote for this issue
                Watchers:
                16 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: