Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-22830

Slow login w/ Active directory plugin

    Details

    • Similar Issues:

      Description

      Logging in on version 1.37 of the Active Directory plugin takes too long and I think it is causing occasional proxy timeouts. At first I had blamed it on having too many groups in Active Directory. Then I took a look at the release notes and saw that version 1.37 add some extra group specific logic. I decided to try downgrading the plugin and sure enough I was able to log in almost immediately. Which made me very very happy!

      Version 1.37 (I've seen this take up to a minute)

      Apr 30, 2014 7:38:17 PM FINE hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider
      Stage 2: looking up via memberOf
      Apr 30, 2014 7:38:44 PM FINE hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider

      Version 1.36

      Apr 30, 2014 7:53:34 PM FINE hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider
      Stage 2: looking up via memberOf
      Apr 30, 2014 7:53:34 PM FINER hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider

        Attachments

          Issue Links

            Activity

            Hide
            russ519 Russ Frisch added a comment -

            Daniel,

            Thanks for the response. I looked at the commit and was able to determine that the value is stored in the config file as <groupLookupStrategy> and updated my config.xml to include <groupLookupStrategy>Recursive</groupLookupStrategy> which fixes my slow login issue.

            Is there a technical reason why displaying this option in the Jenkins Global Security configuration will not work if Jenkins is running on Windows? Curious why the other advance settings for the AD plugin work but not this one?

            Show
            russ519 Russ Frisch added a comment - Daniel, Thanks for the response. I looked at the commit and was able to determine that the value is stored in the config file as <groupLookupStrategy> and updated my config.xml to include <groupLookupStrategy>Recursive</groupLookupStrategy> which fixes my slow login issue. Is there a technical reason why displaying this option in the Jenkins Global Security configuration will not work if Jenkins is running on Windows? Curious why the other advance settings for the AD plugin work but not this one?
            Hide
            dennys Dennys Hsieh added a comment - - edited

            I use 1.38 and I got this error "AD chain lookup is taking too long (41ms). Falling back to recursive lookup". But I input the domain name in the configuration, I'm not sure will it impact the performance. But in 1.36 it only takes < 1 second.

            Show
            dennys Dennys Hsieh added a comment - - edited I use 1.38 and I got this error "AD chain lookup is taking too long (41ms). Falling back to recursive lookup". But I input the domain name in the configuration, I'm not sure will it impact the performance. But in 1.36 it only takes < 1 second.
            Hide
            podskalsky podskalsky added a comment -

            the workaround "<groupLookupStrategy>Recursive</groupLookupStrategy>" is ok for me

            Show
            podskalsky podskalsky added a comment - the workaround "<groupLookupStrategy>Recursive</groupLookupStrategy>" is ok for me
            Hide
            nkjensen Niels Kristian Jensen added a comment -

            The problem has been fixed at least since 2.4 of the plugin.

            Show
            nkjensen Niels Kristian Jensen added a comment - The problem has been fixed at least since 2.4 of the plugin.
            Hide
            wilfredh Wilfred Hughes added a comment -

            I'm experiencing slow lookups with version 2.6:

            Aug 09, 2017 1:48:23 PM hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider resolveGroups
            WARNING: Group lookup via Active Directorys LDAP_MATCHING_RULE_IN_CHAIN extension matched users groups but took 24 seconds to run. Switching to recursive lookup for future group lookup queries

            I was configuring Active Directory as follows:

            import jenkins.model.*
            import hudson.security.*
            import hudson.plugins.active_directory.*
               
            String domain = 'ad.example.com'
            String site = 'FOO'
            String server = 'bar.ad.example.com'
            String bindName = 'service-jenkins@ad.example.com'
            String bindPassword = 'password'
            
            // Set the security realm to AD, so users can log in with their windows credentials.
            realm = new ActiveDirectorySecurityRealm(domain, site, bindName, bindPassword, server)
            def instance = Jenkins.getInstance()
            instance.setSecurityRealm(realm)
            

            I worked around this by setting Token Groups as my lookup strategy:

            import jenkins.model.*
            import hudson.security.*
            import hudson.plugins.active_directory.*
               
            String domain = 'ad.example.com'
            String site = 'FOO'
            String server = 'bar.ad.example.com'
            String bindName = 'service-jenkins@ad.example.com'
            String bindPassword = 'password'
            
            // AD lookups can be little slow due to looking up groups. Use Token
            // Groups, which is the fastest way of looking groups, although it
            // returns fewer groups.
            def lookupStrategy = GroupLookupStrategy.TOKENGROUPS
            
            // Set the security realm to AD, so users can log in with their windows credentials.
            realm = new ActiveDirectorySecurityRealm(domain, site, bindName, bindPassword, server, lookupStrategy)
            def instance = Jenkins.getInstance()
            instance.setSecurityRealm(realm)
            
            Show
            wilfredh Wilfred Hughes added a comment - I'm experiencing slow lookups with version 2.6: Aug 09, 2017 1:48:23 PM hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider resolveGroups WARNING: Group lookup via Active Directorys LDAP_MATCHING_RULE_IN_CHAIN extension matched users groups but took 24 seconds to run. Switching to recursive lookup for future group lookup queries I was configuring Active Directory as follows: import jenkins.model.* import hudson.security.* import hudson.plugins.active_directory.*     String domain = 'ad.example.com' String site = 'FOO' String server = 'bar.ad.example.com' String bindName = 'service-jenkins@ad.example.com' String bindPassword = 'password' // Set the security realm to AD, so users can log in with their windows credentials. realm = new ActiveDirectorySecurityRealm(domain, site, bindName, bindPassword, server) def instance = Jenkins.getInstance() instance.setSecurityRealm(realm) I worked around this by setting Token Groups as my lookup strategy: import jenkins.model.* import hudson.security.* import hudson.plugins.active_directory.*     String domain = 'ad.example.com' String site = 'FOO' String server = 'bar.ad.example.com' String bindName = 'service-jenkins@ad.example.com' String bindPassword = 'password' // AD lookups can be little slow due to looking up groups. Use Token // Groups, which is the fastest way of looking groups, although it // returns fewer groups. def lookupStrategy = GroupLookupStrategy.TOKENGROUPS // Set the security realm to AD, so users can log in with their windows credentials. realm = new ActiveDirectorySecurityRealm(domain, site, bindName, bindPassword, server, lookupStrategy) def instance = Jenkins.getInstance() instance.setSecurityRealm(realm)

              People

              • Assignee:
                Unassigned
                Reporter:
                mrose Michael Rose
              • Votes:
                5 Vote for this issue
                Watchers:
                15 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: