Jenkins / JENKINS-22727

AD plugin times out for large user/group membership


    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Environment:
      AD plugin v1.37, Jenkins 1.56, Running as a service, Windows Server 2012 R2, Active Directory with multiple domains


      Logs show that the plugin has correctly matched my username against the right DC and authenticated correctly. All my groups are printed along with some additional LDAP content. Then there's a two-minute gap in the logs around Stage 2:

      Apr 22, 2014 11:46:27 PM FINE hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider
      Stage 2: looking up via memberOf
      Apr 22, 2014 11:48:27 PM FINE hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider
      CN=Jon Wiswall,OU=<ou>,OU=<ou>,DC=<dc>,DC=<dc>,DC=<dc>,DC=<dc> is a member of cn: <group name>

      After the 2-minute break the log prints the first 20 or so of my ~150 group memberships.

      Looks like the LDAP server gives up at this point:

      Failed to retrieve user information for <username>
      javax.naming.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded]; remaining name 'DC=<dc>,DC=<dc>,DC=<dc>,DC=<dc>'
      	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
      	at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(Unknown Source)
      	at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
      	at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(Unknown Source)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.parseMembers(ActiveDirectoryUnixAuthenticationProvider.java:456)

      ... which then fails the Jenkins login with an authentication failed message.

      I'm sure this is to do with our large Active Directory deployment.

      Could the plugin only check the username/pw combo, and then if matrix or project-based security is enabled, check if the named groups are present? The initial auth step (which dumps all the groups anyhow) is super fast.

      (Note: marked bug as 'minor' but I can't really point my team at my Jenkins instance until this works.)




            • Assignee:
              jdwiswall Jon Wiswall
            • Votes:
              4
            • Watchers:
              8
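
A triage sketch for logs like the one quoted in the report, added here as an example (it is not code from the Active Directory plugin or from the reporter): it flags long silences between log records and extracts LDAP result codes from exception lines. The sample log is constructed from the lines quoted above, and the names `parse_records` and `triage` and the 30-second threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the log format quoted in the report (placeholders kept as-is).
SAMPLE_LOG = """\
Apr 22, 2014 11:46:27 PM FINE hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider
Stage 2: looking up via memberOf
Apr 22, 2014 11:48:27 PM FINE hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider
CN=Jon Wiswall,OU=<ou>,DC=<dc> is a member of cn: <group name>
Failed to retrieve user information for <username>
javax.naming.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded]; remaining name 'DC=<dc>'
\tat com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
"""

# Record header: "<Mon d, yyyy h:mm:ss AM/PM> <LEVEL> <logger name>"
HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\w+) (\S+)$")
# JNDI exception line carrying the LDAP result code and its text
LDAP_ERR = re.compile(r"^(\S+Exception): \[LDAP: error code (\d+) - ([^\]]+)\]")

def parse_records(text):
    """Group lines into records: a timestamped header plus its message lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p")
            records.append({"ts": ts, "level": m.group(2), "logger": m.group(3), "lines": []})
        elif records and line.strip():
            records[-1]["lines"].append(line.strip())
    return records

def triage(text, max_gap_seconds=30):
    """Return (stalls, ldap_errors): silences >= threshold and LDAP result codes."""
    records = parse_records(text)
    stalls, errors = [], []
    for prev, cur in zip(records, records[1:]):
        gap = (cur["ts"] - prev["ts"]).total_seconds()
        if gap >= max_gap_seconds:
            # The message logged just before the silence names the slow step.
            stalls.append((gap, prev["lines"][0] if prev["lines"] else ""))
    for rec in records:
        for line in rec["lines"]:
            m = LDAP_ERR.match(line)
            if m:
                errors.append((m.group(1), int(m.group(2)), m.group(3)))
    return stalls, errors

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the constructed sample this reports a 120-second stall after the "Stage 2" message and LDAP result code 3, the same pairing the report describes.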

