Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-42465

LDAP lockout when using Gerrit HTTP password

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Component/s: sonar-gerrit-plugin
    • Labels:
      None
    • Environment:
      Jenkins 2.32.1
      Sonar Gerrit Plugin 1.0.7.6
      Gerrit 2.12.2
    • Similar Issues:

      Description

      We have a Gerrit server configured to authenticate users against LDAP. However, we have configured Gerrit integration processes to use an LDAP service account and configured the Jenkins Gerrit integratoin to authenticate with a Gerrit HTTP password when accessing the REST API. This causes our service account to become locked out due to invalid authentication attempts.

      This is happening because the underlying java library being used by the sonar-gerrit-plugin (com.urswolfer.gerrit.client.rest:gerrit-rest-java-client:0.8.5) attempts to authenticate all requests against the Gerrit /login page in order to obtain a session cookie. This does not work when using Gerrit HTTP passwords against a server which is configured to authenticate against LDAP. The java client will attempt to pass the Gerrit HTTP password to the /login page for authentication, which Gerrit then attempts to validate against LDAP, causing a failed authentication attempt. After multiple client calls, the account becomes locked out in LDAP and cannot be used by other processes which might also be using the same credentials to authenticate against LDAP.

        Attachments

          Activity

          Hide
          shawnstafford Shawn Stafford added a comment -

          Here is a description of the underlying gerrit-rest-java-client defect:
          https://github.com/uwolfer/gerrit-rest-java-client/issues/46

          A fix for this issue is available in the 0.8.11 release of the client. I then submitted the following pull request to upgrade the sonar-gerrit-plugin to use the latest version (0.8.11) of this client and to invoke the new GerritAuthData constructor with an additional argument which will allow the client to bypass the /login page when a Gerrit HTTP password is being used:
          https://github.com/jenkinsci/sonar-gerrit-plugin/pull/17

          Please review the pull request and release a new version of the sonar-gerrit-plugin when possible. This will help us to prevent the LDAP lock-out issue that we are currently experiencing.

          Show
          shawnstafford Shawn Stafford added a comment - Here is a description of the underlying gerrit-rest-java-client defect: https://github.com/uwolfer/gerrit-rest-java-client/issues/46 A fix for this issue is available in the 0.8.11 release of the client. I then submitted the following pull request to upgrade the sonar-gerrit-plugin to use the latest version (0.8.11) of this client and to invoke the new GerritAuthData constructor with an additional argument which will allow the client to bypass the /login page when a Gerrit HTTP password is being used: https://github.com/jenkinsci/sonar-gerrit-plugin/pull/17 Please review the pull request and release a new version of the sonar-gerrit-plugin when possible. This will help us to prevent the LDAP lock-out issue that we are currently experiencing.
          Hide
          aquarellian Tatiana Didik added a comment -

          Fixed 1.0.8

          Show
          aquarellian Tatiana Didik added a comment - Fixed 1.0.8

            People

            • Assignee:
              aquarellian Tatiana Didik
              Reporter:
              shawnstafford Shawn Stafford
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: