Jenkins / JENKINS-21263

LDAP Authentication success, group discovery success but return to login with no error


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component: ldap-plugin
    • None
    • Java 1.7.0_45 Tomcat 7.0.47 on Linux 5 with Apache 2.2 proxy using AJP all on VMware 5. Browsers= Sapphire, Firefox and Chrome.

      The backend LDAP servers are OpenDJ 2.6.0 running as a multi-master cluster with a haproxy as a load balancer in front (different server). The LDAP servers are for the entire systems and work well for other systems (Jira and Artifactory) sharing the same instance of Tomcat and of course other servers.

      The problem is authentication works fine, as I can see in the LDAP logs that I have attached. This has been a problem occurring only for the last 2 releases as far as I can see, although I have been making massive changes to LDAP, switching from dirsrv (the old Netscape directory from Red Hat) across to OpenDJ in the last couple of weeks, so there has been a time of migration. Issues I saw I thought I may have created, but I still have a consistent problem.

      The issue is it all works after Jenkins first boots, but after it sits for a while I cannot get into Jenkins. It binds successfully, searches for groups and just drops back to a login screen. First I thought it was the cache feature, so I went and hacked the config.xml file and restarted. I have tried switching from cache to not cache with load-balanced SSL, single SSL server, load balanced and a single LDAP server, and the problem is always the same. If I restart Jenkins it works for a while. The same result on all 3 browsers, and when I examine the cookie it seems to have a valid auth session cookie from Jenkins. When I examine the LDAP log file it is a successful bind with a single entry returned, and then when using groups to match the DN 13 entries are returned, which is accurate.

      It is as though it cannot read the auth cookie and just returns to login, as it is clearly a successful auth.

            Assignee: Unassigned
            Reporter: Graham Horne (bateau)
            Votes: 0
            Watchers: 4
