JENKINS-50391

Log warnings based on simple sanity check of ldap UserDn's


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: ldap-plugin
    • Labels:
      None
      Description

      I just spent way too many hours debugging an issue with a user who could not log in.

      The Jenkins log showed this:

      Mar 23, 2018 8:41:39 PM FINE org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2
      Failed to bind to LDAP: userDn"CN=LASTNAME\,FISRTNAME [LOCATION/DEVISION],OU=Foo,OU=Bar",DC=FooBar,DC=org  username=FIRSTNAME.LASTNAME
      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]

       

      The return data 52e can be looked up here: http://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors

      And it turns out to be returned when the username is valid but the password/credential is invalid.

       

      The user's password/credential worked flawlessly on Windows, in JIRA and in several other places, just not in Jenkins. And it was clear from the error that the AD did not like the password/credentials provided. We tried making it as simple as possible, but no matter what, it was simply impossible for this user to log in.

       

      Only after a very long time did I realize that square brackets are illegal in the CN of an AD record.

      So as soon as CN=LASTNAME\,FISRTNAME [LOCATION/DEVISION] was changed into CN=LASTNAME\,FISRTNAME, the user was finally able to log in.

       

      It would have been nice if there were some sort of warning in the log when the LDAP plugin encounters invalid characters in a UserDn - especially since this leads AD into sending the wrong error code.
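As an added illustration (not part of the ticket, and not the ldap-plugin's own Java code), the stand-alone Python script below does the kind of pre-bind sanity check the request asks for and also decodes the `data NNN` sub-code AD places in an error 49 message. The sample DN and exception text are copied from the log line quoted above; `FIXED_DN` is the corrected DN the reporter describes. Two assumptions are the example's own: RFC 4514 is used as the definition of a well-formed DN (it does not reserve square brackets, so the check does not flag them; whether AD itself rejects them is not something this example settles), and a raw `/` is reported as a hazard because JNDI's composite-name syntax uses `/` as its component separator and `"` as its quote character. The stray `"` visible inside the logged userDn is flagged on RFC 4514 grounds alone.

```python
# Added example (Python, not the ldap-plugin's Java): sanity checks for an LDAP
# user DN, plus a decoder for the 'data NNN' sub-code AD puts in a bind failure.
import re
from collections import namedtuple

DnWarning = namedtuple("DnWarning", "rdn kind detail")

# RFC 4514 section 2.4: must be escaped inside a value (',' and '+' are separators
# and are handled by the splitter, so they are not listed here).
RFC4514_SPECIALS = set('";<>')
# Example's assumption: '/' is legal in a DN but is the JNDI composite-name
# separator (with '"' as its quote char), so a raw '/' is reported as a hazard.
JNDI_HAZARDS = set("/")
VALID_AFTER_BACKSLASH = set('"+,;<>\\ #=')
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def split_unescaped(s, sep):
    """Split s on sep, skipping separators that are backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def check_value(rdn_no, attr, value, out):
    """Append a DnWarning for each RFC 4514 violation or JNDI hazard in one value."""
    if value[:1] in (" ", "#"):
        out.append(DnWarning(rdn_no, "leading-char",
                             f"{attr}: value starts with {value[0]!r}; escape it as \\{value[0]}"))
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            if HEX_PAIR.fullmatch(value[i + 1:i + 3]):
                i += 3  # \XX hex escape
                continue
            nxt = value[i + 1:i + 2]
            if nxt not in VALID_AFTER_BACKSLASH:
                out.append(DnWarning(rdn_no, "bad-escape",
                                     f"{attr}: backslash before {nxt!r} is not a valid escape"))
            i += 2
            continue
        if ch in RFC4514_SPECIALS:
            out.append(DnWarning(rdn_no, "unescaped-special",
                                 f"{attr}: unescaped {ch!r}; RFC 4514 requires \\{ch}"))
        elif ch in JNDI_HAZARDS:
            out.append(DnWarning(rdn_no, "jndi-hazard",
                                 f"{attr}: {ch!r} is legal in a DN but is the JNDI composite-name separator"))
        i += 1


def dn_sanity_warnings(dn):
    """Return DnWarning tuples for dn; an empty list means the DN looks sane."""
    out = []
    for rdn_no, rdn in enumerate(split_unescaped(dn, ","), start=1):
        for atv in split_unescaped(rdn, "+"):  # '+' joins multi-valued RDNs
            if "=" not in atv:
                out.append(DnWarning(rdn_no, "no-equals", f"{atv!r} is not type=value"))
                continue
            attr, value = atv.split("=", 1)
            check_value(rdn_no, attr.strip(), value, out)
    return out


# Sub-codes AD places in the "data NNN" field of an error 49 (invalidCredentials).
AD_BIND_DATA = {"525": "user not found", "52e": "username valid, password/credential invalid",
                "530": "not permitted to log on at this time", "532": "password expired",
                "533": "account disabled", "701": "account expired",
                "773": "user must reset password", "775": "account locked out"}


def ad_bind_data_code(message):
    """Return (sub-code, meaning) from an AD bind error string, or (None, reason)."""
    m = re.search(r"\bdata ([0-9a-fA-F]+)", message)
    if not m:
        return None, "no AD data sub-code in message"
    code = m.group(1).lower()
    return code, AD_BIND_DATA.get(code, "unknown sub-code")


# Constructed samples: the userDn and exception text from the ticket's log line,
# and the corrected DN the reporter ended up with.
LOG_DN = 'CN=LASTNAME\\,FISRTNAME [LOCATION/DEVISION],OU=Foo,OU=Bar",DC=FooBar,DC=org'
LOG_ERROR = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
             "LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]")
FIXED_DN = "CN=LASTNAME\\,FISRTNAME,OU=Foo,OU=Bar,DC=FooBar,DC=org"

if __name__ == "__main__":
    for w in dn_sanity_warnings(LOG_DN):
        print(f"WARNING rdn {w.rdn} [{w.kind}]: {w.detail}")
    print("fixed DN:", dn_sanity_warnings(FIXED_DN) or "no warnings")
    print("AD sub-code:", ad_bind_data_code(LOG_ERROR))
```

Run against the logged DN, the check reports the `/` in the first RDN as a JNDI hazard and the unescaped `"` in the third RDN as an RFC 4514 violation, while the corrected DN produces no warnings; the decoder maps `data 52e` to "valid username, invalid credential", which is the meaning the ldapwiki page gives. In a plugin this would run before the bind attempt, so the log carries a reason alongside AD's error code.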

          Activity

          oleg_nenashev Oleg Nenashev added a comment -

          In order to set proper expectations, I have unassigned Kohsuke from this ticket.
          Currently there is no Default assignee in the LDAP plugin, any contributions will be appreciated.


            People

            • Assignee:
              Unassigned
              Reporter:
              fsteff Flemming Steffensen
            • Votes:
              0
              Watchers:
              2
