  1. Jenkins
  2. JENKINS-53189

Exception during Test LDAP settings in group search filter

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: ldap-plugin
    • Labels:
      None
    • Environment:
      Jenkins 2.121.3, ldap-plugin 1.20

      Description

      As I configure LDAP and press Test LDAP settings, then fill my user ID and password, the following exception appears.

      I understand that "/" must be escaped in LDAP queries as \27.

      The Group search filter is (&(objectclass=group)(cn={0})) .

      Some other user IDs are not causing exceptions as they are not members of those fancy groups. Our productive use with simple named groups is not affected.

      Removing the search filter also gets rid of the exception, but then groups cannot be used for authorization at all. (active directory)

       

      javax.naming.InvalidNameException: Invalid name: "CN=BU1/XDEP,OU=Departments,OU=Bu00,OU=Distributionlists,OU=Cng4,DC=EU",DC=example,DC=com
      at javax.naming.ldap.Rfc2253Parser.parseAttrType(Rfc2253Parser.java:155)
      at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:108)
      at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:70)
      at javax.naming.ldap.LdapName.parse(LdapName.java:785)
      at javax.naming.ldap.LdapName.<init>(LdapName.java:123)
      at hudson.security.LDAPSecurityRealm$GroupDetailsMapper.mapAttributes(LDAPSecurityRealm.java:972)
      at hudson.security.LDAPSecurityRealm$GroupDetailsMapper.mapAttributes(LDAPSecurityRealm.java:969)
      at jenkins.security.plugins.ldap.LDAPExtendedTemplate$SearchResultEnumeration.next(LDAPExtendedTemplate.java:163)
      at jenkins.security.plugins.ldap.LDAPExtendedTemplate.searchForFirstEntry(LDAPExtendedTemplate.java:74)
      Caused: org.acegisecurity.ldap.LdapDataAccessException: Unable to get first element; nested exception is javax.naming.InvalidNameException: Invalid name: "CN=BU1/XDEP,OU=Departments,OU=Bu00,OU=Distributionlists,OU=Cng4,DC=EU",DC=example,DC=com
      at jenkins.security.plugins.ldap.LDAPExtendedTemplate.searchForFirstEntry(LDAPExtendedTemplate.java:76)
      at hudson.security.LDAPSecurityRealm.searchForGroupName(LDAPSecurityRealm.java:895)
      at hudson.security.LDAPSecurityRealm.loadGroupByGroupname(LDAPSecurityRealm.java:876)
      at hudson.security.LDAPSecurityRealm.loadGroupByGroupname(LDAPSecurityRealm.java:848)
      at hudson.security.LDAPSecurityRealm$DescriptorImpl.validate(LDAPSecurityRealm.java:1903)
      at hudson.security.LDAPSecurityRealm$DescriptorImpl.doValidate(LDAPSecurityRealm.java:1595)
      at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
      at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
      at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
      at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
      at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
      at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
      at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
      at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:734)
      Caused: javax.servlet.ServletException
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:784)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
      at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)

      ...


          Activity

          esmat Esmat Hassan added a comment -

          I face the same issue, is there a solution for it?

          bcjenkins Belinda Cowey added a comment -

          I get a similar issue, with

          group search base: cn=jenkins-admins,ou=Groups
          group search filter: (&(objectclass=groupOfNames)(cn={0}))   (or blank)
          javax.naming.InvalidNameException: Invalid name: ,cn=jenkins-admins,ou=Groups,dc=xxx,dc=xxx

          If I use

          group search base: cn=jenkins-admins,ou=Groups
          group search filter: (&(objectclass=group)(cn={0}))
          Lookup
          User lookup: successful
          User groups consistent (login and lookup)
            LDAP Group lookup: failed for 1 group:jenkins-admins
          Does the Manager Dn have permissions to perform group lookup?
          Are the group search base and group search filter settings correct?
          chrop Christian Opitz added a comment -

          Same issue here. Any workaround known?

          chrop Christian Opitz added a comment -

          It seems that if you add quotation marks it is working. Not nice, but might be a helpful workaround:

          (&(objectclass=group)(cn="{0}"))

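
          The two "Invalid name" strings reported in this thread can be reproduced with the JDK alone. The following is an added example, not code from the ldap-plugin or from any commenter; the class `SlashInGroupDn` and helper `toLdapName` are hypothetical, and it assumes the quoted prefix in the exception is a JNDI composite name for the entry relative to the search base.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class SlashInGroupDn {
    // Name copied from the exception in the description: a quoted relative
    // name followed by the unquoted base DN.
    static final String FROM_TRACE =
        "\"CN=BU1/XDEP,OU=Departments,OU=Bu00,OU=Distributionlists,OU=Cng4,DC=EU\",DC=example,DC=com";

    // '/' is an ordinary character in an LDAP DN, but it is the component
    // separator of a JNDI composite name, so a name containing it arrives
    // quoted. Decode the composite name first, then build the DN from parsed
    // RDNs instead of joining strings with a comma.
    static LdapName toLdapName(String relativeCompositeName, String baseDn)
            throws InvalidNameException {
        CompositeName composite = new CompositeName(relativeCompositeName);
        // An empty relative name means the entry is the search base itself.
        String relativeDn = composite.isEmpty() ? "" : composite.get(0);
        LdapName dn = new LdapName(baseDn);
        // addAll appends at the most specific (leftmost) end of the DN.
        dn.addAll(new LdapName(relativeDn).getRdns());
        return dn;
    }

    public static void main(String[] args) throws InvalidNameException {
        try {
            new LdapName(FROM_TRACE); // what the stack trace shows failing
        } catch (InvalidNameException e) {
            System.out.println("direct parse fails: " + e.getMessage());
        }
        // Constructed inputs matching the two reports in this thread.
        String quoted =
            "\"CN=BU1/XDEP,OU=Departments,OU=Bu00,OU=Distributionlists,OU=Cng4,DC=EU\"";
        System.out.println(toLdapName(quoted, "DC=example,DC=com"));
        System.out.println(toLdapName("", "cn=jenkins-admins,ou=Groups,dc=xxx,dc=xxx"));
    }
}
```

          The second call covers the case where the group search base is the group entry itself, which is where the leading comma in `,cn=jenkins-admins,ou=Groups,dc=xxx,dc=xxx` would come from if the relative name is empty and the base is appended as a string.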

            People

            • Assignee:
              Unassigned
              Reporter:
              pvohmann Peter Vohmann
            • Votes:
              1
              Watchers:
              4
