Jenkins / JENKINS-50391

Log warnings based on simple sanity check of ldap UserDn's


    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor
    • ldap-plugin
    • None

      I just spent way too many hours debugging an issue with a user who could not log in.

      The Jenkins log showed this:

      Mar 23, 2018 8:41:39 PM FINE org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2
      Failed to bind to LDAP: userDn"CN=LASTNAME\,FISRTNAME [LOCATION/DEVISION],OU=Foo,OU=Bar",DC=FooBar,DC=org  username=FIRSTNAME.LASTNAME
      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]

       

      The return data 52e can be looked up here: http://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors

      And it turns out to be returned when the username is valid but the password/credential is invalid.

       

      The user's password/credential worked flawlessly on Windows, in JIRA and several other places, just not in Jenkins. And it was clear from the error that the AD did not like the password/credentials provided. We tried making it as simple as possible, but no matter what, it was simply impossible for this user to log in.

       

      Only after a very long time did I realize that square brackets are illegal in the CN of an AD record.

      So as soon as CN=LASTNAME\,FISRTNAME [LOCATION/DEVISION] was changed into CN=LASTNAME\,FISRTNAME, the user was finally able to log in.

       

      It would have been nice if there were some sort of warning in the log when the LDAP plugin encounters invalid characters in a UserDn - especially since this leads AD into sending the wrong error code.

            Assignee: Unassigned
            Reporter: Flemming Steffensen (fsteff)
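A sketch of the kind of sanity check requested above, as an added example that is not code from ldap-plugin or from the reporter. The class name `UserDnSanityCheck`, the method `check` and the flagged character set are assumptions: the square brackets come from the report, and `/` is included because JNDI treats it as a composite-name separator.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical helper, not part of ldap-plugin: flags characters in a user DN worth a log warning. */
public class UserDnSanityCheck {
    private static final Logger LOGGER = Logger.getLogger(UserDnSanityCheck.class.getName());

    // Assumption: '[' and ']' are the characters named in the report; '/' is included
    // because JNDI treats it as a composite-name separator.
    private static final String SUSPICIOUS = "[]/";

    /** Returns one finding per RDN that contains a suspicious character and logs each at WARNING. */
    public static List<String> check(String userDn) {
        List<String> findings = new ArrayList<>();
        try {
            for (Rdn rdn : new LdapName(userDn).getRdns()) {
                String value = String.valueOf(rdn.getValue()); // unescaped attribute value
                StringBuilder hits = new StringBuilder();
                for (char c : value.toCharArray()) {
                    if (SUSPICIOUS.indexOf(c) >= 0 && hits.indexOf(String.valueOf(c)) < 0) {
                        hits.append(c);
                    }
                }
                if (hits.length() > 0) {
                    findings.add(rdn.getType() + " contains '" + hits + "'");
                }
            }
        } catch (InvalidNameException e) {
            // A DN that does not even parse is worth a warning of its own.
            findings.add("DN does not parse: " + e.getMessage());
        }
        for (String finding : findings) {
            LOGGER.log(Level.WARNING,
                    "Suspicious userDn \"{0}\": {1}; a bind failure for this user may not be a wrong password",
                    new Object[] {userDn, finding});
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed samples modelled on the DN in the report.
        check("CN=LASTNAME\\,FIRSTNAME [LOCATION/DIVISION],OU=Foo,OU=Bar,DC=FooBar,DC=org");
        check("CN=LASTNAME\\,FIRSTNAME,OU=Foo,OU=Bar,DC=FooBar,DC=org");
    }
}
```

Run before the bind attempt, a warning like this would sit next to the `error code 49 ... data 52e` line in the log and point at the DN rather than the password.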