JENKINS-25269

Can't initiate StartTLS against a properly configured Windows 2008 R2 Domain Controller

      Description

      I am attempting to use the inherent StartTLS over LDAP support in the Active Directory plugin. If I'm reading the docs correctly, it should 'just work'. I perused the code and saw that it seems to trust any cert. Here's what I see in the logs:

      Oct 23, 2014 2:53:14 AM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm
      Attempting to resolve _gc._tcp.ABCDMZ._sites.my.domain to SRV record
      Oct 23, 2014 2:53:14 AM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm
      Attempting to resolve _ldap._tcp.ABCDMZ._sites.my.domain to SRV record
      Oct 23, 2014 2:53:14 AM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm
      SRV record found: 0 100 389 RODC07.my.domain.
      Oct 23, 2014 2:53:14 AM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm
      _ldap._tcp.ABCDMZ._sites.my.domain resolved to [RODC07.my.domain:389]
      Oct 23, 2014 2:53:14 AM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm
      Connecting to ldap://RODC07.my.domain:389/
      Oct 23, 2014 2:53:14 AM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm
      Failed to start TLS. Authentication will be done via plain-text LDAP
      javax.naming.CommunicationException: java.net.SocketException: Connection reset [Root exception is javax.net.ssl.SSLException: java.net.SocketException: Connection reset]
      	at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3259)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:448)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:392)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:239)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:196)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:140)
      	at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
      	at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
      	at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
      	at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:74)
      	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:86)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
      	at org.eclipse.jetty.server.Server.handle(Server.java:370)
      	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
      	at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
      	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
      	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
      	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
      	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
      	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:724)
      Caused by: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
      	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
      	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1844)
      	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1808)
      	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1753)
      	at sun.security.ssl.AppInputStream.read(AppInputStream.java:113)
      	at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
      	at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
      	at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
      	at com.sun.jndi.ldap.Connection.run(Connection.java:849)
      	... 1 more
      Caused by: java.net.SocketException: Connection reset
      	at java.net.SocketInputStream.read(SocketInputStream.java:189)
      	at java.net.SocketInputStream.read(SocketInputStream.java:121)
      	at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
      	at sun.security.ssl.InputRecord.read(InputRecord.java:480)
      	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
      	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
      	at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
      	at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
      	... 5 more
      

      This DC serves up normal LDAP and LDAPS to other apps, and I can connect to it with LDAP + StartTLS using Apache Directory Studio, so I know its certificate is installed properly.
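
The log above shows the plugin continuing with a cleartext bind after StartTLS fails ("Failed to start TLS. Authentication will be done via plain-text LDAP"). The following is an added detection example, not part of the original report or the plugin's code: it parses the Jenkins log layout quoted above and lists each server where that fallback happened, with the root cause from the stack trace. The sample log is constructed from the lines above plus a hypothetical DC01.example.test entry, and the function names are illustrative.

```python
import re

# Constructed sample in the record layout of the log quoted above
# (header line: timestamp, level, logger; then the message and any stack trace).
SAMPLE_LOG = """\
Oct 23, 2014 2:53:14 AM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm
Connecting to ldap://RODC07.my.domain:389/
Oct 23, 2014 2:53:14 AM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm
Failed to start TLS. Authentication will be done via plain-text LDAP
javax.naming.CommunicationException: java.net.SocketException: Connection reset
\tat com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3259)
Caused by: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
Caused by: java.net.SocketException: Connection reset
Oct 23, 2014 2:53:15 AM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm
Connecting to ldap://DC01.example.test:389/
"""

HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\w+) (\S+)$")
CONNECT = re.compile(r"^Connecting to (ldaps?://\S+)")
FALLBACK = "Failed to start TLS. Authentication will be done via plain-text LDAP"

def records(text):
    """Yield (timestamp, body_lines) per log record; blank lines are skipped."""
    stamp, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if stamp:
                yield stamp, body
            stamp, body = m.group(1), []
        elif line.strip() and stamp:
            body.append(line.strip())
    if stamp:
        yield stamp, body

def plaintext_fallbacks(text):
    """Return one dict per StartTLS failure that fell back to cleartext LDAP."""
    # Assumption: the fallback belongs to the most recent "Connecting to" record;
    # concurrent logins can interleave, so treat the server as a best guess.
    last_url, hits = None, []
    for stamp, body in records(text):
        first = body[0] if body else ""
        m = CONNECT.match(first)
        if m:
            last_url = m.group(1)
        elif first.startswith(FALLBACK):
            causes = [l[len("Caused by: "):] for l in body if l.startswith("Caused by: ")]
            root = causes[-1] if causes else (body[1] if len(body) > 1 else None)
            hits.append({"time": stamp, "server": last_url, "root_cause": root})
    return hits
```

Each hit marks a login whose credentials crossed the network unencrypted on port 389, so the result can drive an alert on the ActiveDirectorySecurityRealm logger once FINE logging is enabled for it.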

          Activity

          tom_ghyselinck Tom Ghyselinck added a comment -

          Hi,

          We have the same problem.

          I added our company CA to the java keystore.
          The Active directory Plugin is still not successful in LDAP + STARTTLS.

          ldapsearch -ZZ also works fine.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Felix Belzunce Arcos
          Path:
          src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java
          src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
          http://jenkins-ci.org/commit/active-directory-plugin/f80f9555dbe17d61bd4e310e996cd95ee90fad1a
          Log:
          Merge pull request #62 from fbelzunc/JENKINS-36041-v4

          [FIXED JENKINS-36041 JENKINS-25269] Enable com.sun.jndi.ldap.connect.timeout

          Compare: https://github.com/jenkinsci/active-directory-plugin/compare/95effde74165...f80f9555dbe1

          fbelzunc Félix Belzunce Arcos added a comment -

          Will be released in version 2.1


            People

            • Assignee:
              fbelzunc Félix Belzunce Arcos
              Reporter:
              di2esysadmin DI2E SysAdmin
            • Votes:
              3
              Watchers:
              8