Jenkins / JENKINS-28857

"Automatic" group lookup strategy is not so automatic

      Description

      com.sun.jndi.ldap.Connection.readReply() apparently times out after 15 seconds with an error like this:

      Caused by: javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms.; remaining name 'DC=example,DC=com'
          at com.sun.jndi.ldap.Connection.readReply(Unknown Source)
          at com.sun.jndi.ldap.LdapClient.getSearchReply(Unknown Source)
          at com.sun.jndi.ldap.LdapClient.search(Unknown Source)
          at com.sun.jndi.ldap.LdapCtx.doSearch(Unknown Source)
          at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
          at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
          at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
          at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
          at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBuilder.java:97)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.chainGroupLookup(ActiveDirectoryUnixAuthenticationProvider.java:469)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.resolveGroups(ActiveDirectoryUnixAuthenticationProvider.java:453)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:318)
          ... 44 more
      

      Note that the source code (or that of JDK7) doesn't explain why one would ever get this error message. If readTimeout<0, then waited shall never be true.

      But this is reported as JDK-8062947, and another person sees it too.

      The automatic mode should catch NamingException, check for the timeout, and fall back to the recursive lookup.

            Activity

            karthik_durairajan Karthik Durairajan added a comment -

            Hey guys,

            Just stumbled across this page by chance. I've been trying to resolve this issue but with no luck so far. As frustrating as it is, the issue is intermittent and there doesn't appear to be a pattern (at least not that I know of). It would be of great help if you could please get someone on it to look into it. Thanks.

            Karthik

            fbelzunc Félix Belzunce Arcos added a comment - - edited

            The workaround for this issue is to change the strategy from:

            <groupLookupStrategy>AUTO</groupLookupStrategy>
            

            to:

            <groupLookupStrategy>RECURSIVE</groupLookupStrategy>
            
            fbelzunc Félix Belzunce Arcos added a comment -

            The right solution, it looks to me, is to catch the exception and ensure that more than 15 seconds have passed before passing to recursive. Or maybe, even better, being able to set up the timeout.

            https://bugs.openjdk.java.net/browse/JDK-8062947
            http://www.docjar.com/html/api/com/sun/jndi/ldap/Connection.java.html
            https://docs.oracle.com/javase/tutorial/jndi/newstuff/readtimeout.html

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Felix Belzunce Arcos
            Path:
            src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
            http://jenkins-ci.org/commit/active-directory-plugin/0c908ff2aba57e2098916598ff03aef5f9b047aa
            Log:
            Merge pull request #20 from fbelzunc/JENKINS-28857

            [FIXED JENKINS-28857] Catch the case in which LDAP times out after some seconds

            Compare: https://github.com/jenkinsci/active-directory-plugin/compare/8ed46fc74b3f...0c908ff2aba5

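
The fallback proposed in this issue, sketched as an added example (not the plugin's code or the merged fix): GroupLookup and AutoGroupLookup are hypothetical names, and the timeout is recognised by the message text from the stack trace above. Errors other than the read timeout are rethrown, so a failed chain lookup never silently changes how a user's groups are resolved.

```java
import javax.naming.NamingException;
import java.util.Set;

/** Added illustration; GroupLookup and AutoGroupLookup are hypothetical, not plugin classes. */
public class AutoGroupLookup {
    /** One group-resolution strategy (chain or recursive) for a user DN. */
    interface GroupLookup {
        Set<String> resolve(String userDn) throws NamingException;
    }

    // Message text taken from the stack trace on this page.
    static final String READ_TIMEOUT_MSG = "LDAP response read timed out";

    private final GroupLookup chain;
    private final GroupLookup recursive;

    AutoGroupLookup(GroupLookup chain, GroupLookup recursive) {
        this.chain = chain;
        this.recursive = recursive;
    }

    /** True only for the read-timeout NamingException described in this issue. */
    static boolean isReadTimeout(NamingException e) {
        String msg = e.getMessage();
        return msg != null && msg.contains(READ_TIMEOUT_MSG);
    }

    /** Try the chain lookup first; fall back to recursive only on a read timeout. */
    Set<String> resolve(String userDn) throws NamingException {
        try {
            return chain.resolve(userDn);
        } catch (NamingException e) {
            if (!isReadTimeout(e)) {
                throw e; // any other failure is surfaced, not masked by a fallback
            }
            return recursive.resolve(userDn);
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample: the chain lookup always fails with the timeout from the trace.
        GroupLookup slowChain = dn -> {
            throw new NamingException(READ_TIMEOUT_MSG + ", timeout used:-1ms.");
        };
        GroupLookup recursiveWalk = dn -> Set.of("CN=jenkins-admins,DC=example,DC=com");
        Set<String> groups = new AutoGroupLookup(slowChain, recursiveWalk)
                .resolve("CN=alice,DC=example,DC=com");
        System.out.println(groups); // groups come from the recursive fallback
    }
}
```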

              People

              • Assignee:
                fbelzunc Félix Belzunce Arcos
                Reporter:
                kohsuke Kohsuke Kawaguchi