LDAP in Jenkins Fails, but ldapsearch works


Sverre Moe

Oct 9, 2015, 3:22:19 AM
to Jenkins Users
I have configured authentication with LDAP.

My LDAP Configuration:
Server: helios.company.com
root DN: dc=arctic,dc=company,dc=com
User search base: ou=users
User search filter: samaccountname={0}
Group membership: Parse user attribute for list of groups => memberOf
Manager DN: ldapUser@arctic.company.com
Manager password: ldapUserPassword
Display Name LDAP Attribute: displayName
Email Address LDAP Attribute: mail

There is a port opening between my Jenkins server and helios.company.com, since ldapsearch is working fine:
ldapsearch -D ldapUser@arctic.company.com -w ldapUserPassword -h helios.company.com -b "dc=arctic,dc=company,dc=com" "samaccountname=user"


What is missing from the configuration?

If I use the same configuration on another Jenkins running within the same subnet as my LDAP server, it works. I then cannot fault the configuration; however, why does ldapsearch work?

I cannot see anything wrong in the Jenkins log (it is empty). I have added a logger for org.acegisecurity, hudson.security and jenkins.security with log level INFO.

Maciej Jaros

Oct 9, 2015, 7:29:46 AM
to jenkins...@googlegroups.com
Sverre Moe (2015-10-09 09:22):
> User search base: ou=users

I think it should be "CN=Users".

> User search filter: samaccountname={0}

Not sure if case matters, but we use "sAMAccountName={0}"

> Manager DN: ldapUser@arctic.company.com

This is Windows AD? If so then I think you should use "domain\user" format. At least it works for me.

Regards,
Nux.


Sverre Moe

Oct 9, 2015, 7:47:32 AM
to Jenkins Users, mac...@mol.com.pl
I have done nothing with the LDAP configuration, but now it works. It takes 30 seconds before I'm logged in.
The only thing I have done is to add Proxy configuration to Jenkins.

I have tried both samaccountname and sAMAccountName. I don't think ours is case sensitive.

Using DOMAIN\username does not work.

Sverre Moe

Oct 12, 2015, 3:01:25 AM
to Jenkins Users, mac...@mol.com.pl
I spoke too soon. It worked for a short while, but now I am getting several invalid logins: "Invalid login information. Please try again."
There is still nothing in the log.

What is Jenkins doing differently than ldapsearch? It should communicate with the server on default port 389. I am using a Proxy, but both Jenkins and Java have been configured to use this proxy.

James Nord

Oct 13, 2015, 1:10:46 PM
to Jenkins Users, mac...@mol.com.pl
If you are using port 389, then unless a TLS upgrade is happening this is all plaintext (including your passwords!), so I would suggest a network capture with Wireshark, and then compare Jenkins and ldapsearch and see if you can spot some differences that can lead you to understand why this is happening.
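
Added example, not part of the thread or any poster's code: a Python check for what the capture comparison above looks for. Given the LDAP payloads of one port 389 connection (assumed already reassembled from the capture, one LDAPMessage per item), it reports the bind DN exactly as the client sent it and whether a simple bind went out before any StartTLS request. All function names and the sample bytes are constructed for illustration.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def classify(payload):
    """Summarise one LDAPMessage; the bind password itself is never returned."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, pos = read_tlv(msg, 0)           # skip messageID
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag == 0x60:                     # BindRequest [APPLICATION 0]
        _, _, p = read_tlv(op, 0)          # version
        _, name, p = read_tlv(op, p)       # bind DN exactly as the client sent it
        auth_tag, cred, _ = read_tlv(op, p)
        method = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
        return {"op": "bind", "dn": name.decode("utf-8", "replace"), "method": method,
                "password_bytes": len(cred) if method == "simple" else None}
    if op_tag == 0x77:                     # ExtendedRequest [APPLICATION 23]
        _, oid, _ = read_tlv(op, 0)        # requestName [0]
        return {"op": "starttls" if oid == STARTTLS_OID else "extended"}
    return {"op": "other"}

def cleartext_bind(payloads):
    """True if a simple bind is seen before any StartTLS request."""
    for info in map(classify, payloads):
        if info["op"] == "starttls":
            return False
        if info.get("method") == "simple":
            return True
    return False

def ber(tag, value):
    """Encode one short-form TLV; used only to build the constructed samples."""
    return bytes([tag, len(value)]) + value
# Constructed sample messages, not bytes from a real capture.
SAMPLE_BIND = ber(0x30, ber(0x02, b"\x01") + ber(0x60, ber(0x02, b"\x03")
              + ber(0x04, b"ldapUser@arctic.company.com") + ber(0x80, b"constructed-pw")))
SAMPLE_STARTTLS = ber(0x30, ber(0x02, b"\x01") + ber(0x77, ber(0x80, STARTTLS_OID)))
```

Running `classify` over the first request from each client puts the two bind DNs side by side, and `cleartext_bind` returning True for a connection means the manager password crossed the network unencrypted.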

Adis Azizan

Oct 15, 2015, 11:17:32 PM
to Jenkins Users
Same issue with me. Can anybody actually solve this? I try to use ldaps:// and it gives me a different error, which is an SSL Exception.

Shravan naidu

Apr 20, 2016, 5:05:42 PM
to Jenkins Users

The Jenkins LDAP plugin has a bug which fills up the manager DN field with a random string, and that fails the login procedure. Luckily, the manager DN field is not mandatory to be filled and can be left blank. I would recommend filling in the root DN, leaving the rest of the fields blank, and trying to log in. I had the same problem.