Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: ldap-plugin
    • Labels:
      None
    • Environment:
      Jenkins ver. 2.32.1
      ldap-plugin ver. 1.14 (1.13)
      Ubuntu 12.04.5
      Java 1.7.0_79-b15
    • Similar Issues:

      Description

      I'm using an external LDAP provider with the ldap-plugin. I can authenticate against the LDAP service and I'm using a group based security matrix.

      I've never had any trouble logging in with LDAP credentials, but when I try to add jobs through the web api I get some very strange behavior.

      The first ten or so posts will return 201s (Created) and add jobs.

      Then, one of the following jobs will throw a 401 (Unauthorized) and the rest of the jobs in that run won't get created.

      LDAP keeps working. I can login and logout. I can run the job again and get the same/similar behavior.

      The only things I've been able to find in the logs look like this:

      <entry><title>SecurityContextHolder now cleared, as request processing completed</title><link type="text/html" href="https://extraction.bigstaging.rainforest.urjanet.net/log" rel="alternate"/><id>1310460365</id><published>2017-01-26T19:24:41Z</published><updated>2017-01-26T19:24:41Z</updated><content>Jan 26, 2017 2:24:41 PM org.acegisecurity.context.HttpSessionContextIntegrationFilter doFilter
      FINE: SecurityContextHolder now cleared, as request processing completed
      </content></entry><entry><title>The HttpSession is currently null, and the HttpSessionContextIntegrationFilter is prohibited from creating an HttpSession (because the allowSessionCreation property is false) - SecurityContext thus not stored for next request</title><link type="text/html" href="https://extraction.bigstaging.rainforest.urjanet.net/log" rel="alternate"/><id>1310460364</id><published>2017-01-26T19:24:41Z</published><updated>2017-01-26T19:24:41Z</updated><content>Jan 26, 2017 2:24:41 PM org.acegisecurity.context.HttpSessionContextIntegrationFilter storeSecurityContextInSession
      FINE: The HttpSession is currently null, and the HttpSessionContextIntegrationFilter is prohibited from creating an HttpSession (because the allowSessionCreation property is false) - SecurityContext thus not stored for next request
      </content></entry><entry><title>Authentication of BASIC header failed</title><link type="text/html" href="https://extraction.bigstaging.rainforest.urjanet.net/log" rel="alternate"/><id>1310460363</id><published>2017-01-26T19:24:41Z</published><updated>2017-01-26T19:24:41Z</updated><content>Jan 26, 2017 2:24:41 PM jenkins.security.BasicHeaderProcessor
      FINE: Authentication of BASIC header failed
      </content></entry><entry><title>Authentication request for user:

      {0} failed: {1}</title><link type="text/html" href="https://extraction.bigstaging.rainforest.urjanet.net/log" rel="alternate"/><id>1310460362</id><published>2017-01-26T19:24:41Z</published><updated>2017-01-26T19:24:41Z</updated><content>Jan 26, 2017 2:24:41 PM jenkins.security.BasicHeaderRealPasswordAuthenticator
      FINER: Authentication request for user: build.manager failed: org.acegisecurity.AuthenticationServiceException: Unable to connect to LDAP server; nested exception is javax.naming.CommunicationException: ldap.jumpcloud.com:636 [Root exception is java.net.SocketException: Connection reset]; nested exception is org.acegisecurity.ldap.LdapDataAccessException: Unable to connect to LDAP server; nested exception is javax.naming.CommunicationException: ldap.jumpcloud.com:636 [Root exception is java.net.SocketException: Connection reset]
      </content></entry><entry><title>Creating InitialDirContext with environment {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=follow, java.naming.security.principal=uid=ldap.binding,ou=Users,o=112211221122112211221122,dc=jumpcloud,dc=com, com.sun.jndi.ldap.connect.timeout=25000, com.sun.jndi.ldap.connect.pool=true, com.sun.jndi.ldap.read.timeout=60000, java.naming.provider.url=ldaps://ldap.jumpcloud.com/, java.naming.security.authentication=simple, java.naming.security.credentials=******}</title><link type="text/html" href="https://extraction.bigstaging.rainforest.urjanet.net/log" rel="alternate"/><id>1310460361</id><published>2017-01-26T19:24:41Z</published><updated>2017-01-26T19:24:41Z</updated><content>Jan 26, 2017 2:24:41 PM org.acegisecurity.ldap.DefaultInitialDirContextFactory connect
      FINE: Creating InitialDirContext with environment {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=follow, java.naming.security.principal=uid=ldap.binding,ou=Users,o=112211221122112211221122,dc=jumpcloud,dc=com, com.sun.jndi.ldap.connect.timeout=25000, com.sun.jndi.ldap.connect.pool=true, com.sun.jndi.ldap.read.timeout=60000, java.naming.provider.url=ldaps://ldap.jumpcloud.com/, java.naming.security.authentication=simple, java.naming.security.credentials=******}
      </content></entry><entry><title>Searching for user 'build.manager', with user search [ searchFilter: 'uid={0}

      ', searchBase: 'ou=Users,o=112211221122112211221122,dc=jumpcloud,dc=com', scope: subtreesearchTimeLimit: 0derefLinkFlag: false ]</title><link type="text/html" href="https://extraction.bigstaging.rainforest.urjanet.net/log" rel="alternate"/><id>1310460360</id><published>2017-01-26T19:24:41Z</published><updated>2017-01-26T19:24:41Z</updated><content>Jan 26, 2017 2:24:41 PM org.acegisecurity.ldap.search.FilterBasedLdapUserSearch searchForUser
      FINE: Searching for user 'build.manager', with user search [ searchFilter: 'uid=

      {0}

      ', searchBase: 'ou=Users,o=112211221122112211221122,dc=jumpcloud,dc=com', scope: subtreesearchTimeLimit: 0derefLinkFlag: false ]

      The problem goes away when I use ldap instead of ldaps. Unfortunately, that's not an acceptable solution.

        Attachments

          Activity

          Hide
          b8sell Keith Baitsell added a comment -

          I've also got a wireshark capture I could share, but it's kinda hard to read since the problem only manifests itself with the encrypted protocol.

          Show
          b8sell Keith Baitsell added a comment - I've also got a wireshark capture I could share, but it's kinda hard to read since the problem only manifests itself with the encrypted protocol.
          Hide
          b8sell Keith Baitsell added a comment -

          Also tried this with Java 8 (jdk1.8.0_45) and got the same behavior.

          Show
          b8sell Keith Baitsell added a comment - Also tried this with Java 8 (jdk1.8.0_45) and got the same behavior.
          Hide
          b8sell Keith Baitsell added a comment -

          I spun up a bare jenkins install in vagrant and pointed authentication at my LDAP provider.

          I created a small job that just echoes "hello world" and call it via curl using basic auth and ldap credentials.

          If I add one job, it gets added, worked, and exits nicely.

          When I put that curl in a for loop and try to do them one after the other, it will add the first few but eventually stops working with the following error:

          "Error 401 Invalid password/token for user: b8sell"

          I have enabled caching in the LDAP plugin and get the same behavior.

          Is this not working from a lack of caching?

           

           

          Show
          b8sell Keith Baitsell added a comment - I spun up a bare jenkins install in vagrant and pointed authentication at my LDAP provider. I created a small job that just echoes "hello world" and call it via curl using basic auth and ldap credentials. If I add one job, it gets added, worked, and exits nicely. When I put that curl in a for loop and try to do them one after the other, it will add the first few but eventually stops working with the following error: "Error 401 Invalid password/token for user: b8sell" I have enabled caching in the LDAP plugin and get the same behavior. Is this not working from a lack of caching?    
          Hide
          b8sell Keith Baitsell added a comment - - edited

          Here's the logs:

          Mar 28, 2017 5:05:04 PM FINE org.acegisecurity.ldap.DefaultInitialDirContextFactory connect
          Creating InitialDirContext with environment {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=follow, java.naming.security.principal=uid=ldap.binding,ou=Users,o=1212121212,dc=jumpcloud,dc=com, com.sun.jndi.ldap.connect.timeout=60000, com.sun.jndi.ldap.connect.pool=true, com.sun.jndi.ldap.read.timeout=60000, java.naming.provider.url=ldaps://ldap.jumpcloud.com/, java.naming.security.authentication=simple, java.naming.security.credentials=******}
          Mar 28, 2017 5:05:04 PM FINER jenkins.security.BasicHeaderRealPasswordAuthenticator
          Authentication request for user: build.manager failed: org.acegisecurity.AuthenticationServiceException: Unable to connect to LDAP server; nested exception is javax.naming.CommunicationException: ldap.jumpcloud.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]; nested exception is org.acegisecurity.ldap.LdapDataAccessException: Unable to connect to LDAP server; nested exception is javax.naming.CommunicationException: ldap.jumpcloud.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
          Mar 28, 2017 5:05:04 PM FINE jenkins.security.BasicHeaderProcessor
          Authentication of BASIC header failed

          Show
          b8sell Keith Baitsell added a comment - - edited Here's the logs: Mar 28, 2017 5:05:04 PM FINE org.acegisecurity.ldap.DefaultInitialDirContextFactory connect Creating InitialDirContext with environment {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=follow, java.naming.security.principal=uid=ldap.binding,ou=Users,o=1212121212,dc=jumpcloud,dc=com, com.sun.jndi.ldap.connect.timeout=60000, com.sun.jndi.ldap.connect.pool=true, com.sun.jndi.ldap.read.timeout=60000, java.naming.provider.url=ldaps://ldap.jumpcloud.com/, java.naming.security.authentication=simple, java.naming.security.credentials=******} Mar 28, 2017 5:05:04 PM FINER jenkins.security.BasicHeaderRealPasswordAuthenticator Authentication request for user: build.manager failed: org.acegisecurity.AuthenticationServiceException: Unable to connect to LDAP server; nested exception is javax.naming.CommunicationException: ldap.jumpcloud.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake] ; nested exception is org.acegisecurity.ldap.LdapDataAccessException: Unable to connect to LDAP server; nested exception is javax.naming.CommunicationException: ldap.jumpcloud.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake] Mar 28, 2017 5:05:04 PM FINE jenkins.security.BasicHeaderProcessor Authentication of BASIC header failed
          Hide
          b8sell Keith Baitsell added a comment -

          Does the LDAP plugin cache login credentials?  For a user to login to jenkins, does the login have to call the LDAP server or will it use locally cached credentials?

          Show
          b8sell Keith Baitsell added a comment - Does the LDAP plugin cache login credentials?  For a user to login to jenkins, does the login have to call the LDAP server or will it use locally cached credentials?
          Hide
          oleg_nenashev Oleg Nenashev added a comment -

          In order to set proper expectation, I have unassigned Kohsuke from this tickets.
          Currently there is no Default assignee in the LDAP plugin, any contributions will be appreciated.

          Show
          oleg_nenashev Oleg Nenashev added a comment - In order to set proper expectation, I have unassigned Kohsuke from this tickets. Currently there is no Default assignee in the LDAP plugin, any contributions will be appreciated.

            People

            • Assignee:
              Unassigned
              Reporter:
              b8sell Keith Baitsell
            • Votes:
              3 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated: