Problems in login using LDAP server


Mauricio Fuentes Montero

Oct 22, 2013, 5:01:15 PM
to jenkins...@googlegroups.com
Hi everyone,

I'm trying to configure security for a new instance of Jenkins using LDAP. Our LDAP server allows anonymous queries and I've set up all the needed information in Jenkins. When I try to log in, I enter the username and password and press "log in". I understand that if the login went OK I should see my username in the top-right corner of the next screen, but nothing happened. I enabled logging for hudson.security.* and I saw the following log, among others:
...

21-Oct-2013 19:38:50.639 FINE [http-nio-8080-exec-6] hudson.security.AuthenticationProcessingFilter2.successfulAuthentication Authentication success: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@b475870f: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@104c2b; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: 92846AB177A1833E208B166B7EFAE16E; Granted Authorities: arquitectura, authenticated, all, ROLE_ARQUITECTURA, ROLE_ALL
21-Oct-2013 19:38:50.639 FINE [http-nio-8080-exec-6] hudson.security.AuthenticationProcessingFilter2.successfulAuthentication Updated SecurityContextHolder to contain the following Authentication: 'org.acegisecurity.providers.UsernamePasswordAuthenticationToken@b475870f: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@104c2b; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: 92846AB177A1833E208B166B7EFAE16E; Granted Authorities: arquitectura, authenticated, all, ROLE_ARQUITECTURA, ROLE_ALL'
21-Oct-2013 19:38:50.640 FINE [http-nio-8080-exec-6] hudson.security.AuthenticationProcessingFilter2.successfulAuthentication Redirecting to target URL from HTTP Session (or default): /manage
...

This makes me think that everything is ok, but I'm not logged in.

Does anybody know why this happens?

Thanks in advance.

Daniel Beck

Oct 22, 2013, 5:08:12 PM
to jenkins...@googlegroups.com
What's shown on /whoAmI ?

Mauricio

Oct 22, 2013, 5:21:56 PM
to jenkins...@googlegroups.com


On Oct 22, 2013 6:08 PM, "Daniel Beck" <m...@beckweb.net> wrote:
>
> What's shown on /whoAmI ?

Are you referring to the *nix command or is that a Jenkins plugin?


Daniel Beck

Oct 22, 2013, 5:48:58 PM
to jenkins...@googlegroups.com
On 22.10.2013, at 23:21, Mauricio <fuentes...@gmail.com> wrote:

> Are you referring to the *nix command or is that a Jenkins plugin?

That's a URL path to a Jenkins page with some diagnostic information about your user account. Open http://jenkinshost/whoAmI or http://jenkinshost/jenkins/whoAmI (depending on your configuration) in your browser after logging in.

Mauricio

Oct 22, 2013, 6:01:58 PM
to jenkins...@googlegroups.com

It says that I'm logged in as anonymous

Mauricio

Oct 23, 2013, 9:43:05 AM
to jenkins...@googlegroups.com



2013/10/22 Mauricio <fuentes...@gmail.com>


On Oct 22, 2013 6:49 PM, "Daniel Beck" <m...@beckweb.net> wrote:
>
> On 22.10.2013, at 23:21, Mauricio <fuentes...@gmail.com> wrote:
>
> > Are you referring to the *nix command or is that a Jenkins plugin?
>
> That's a URL path to a Jenkins page with some diagnostic information about your user account. Open http://jenkinshost/whoAmI or http://jenkinshost/jenkins/whoAmI (depending on your configuration) in your browser after logging in.

It says that I'm logged in as anonymous

Do you know any other way to debug this?

Thanks!

 




--
Regards!
Mauricio

Stephen Connolly

Oct 24, 2013, 10:54:17 AM
to jenkins...@googlegroups.com
Copy and paste the following into the script console, changing the names to ones appropriate to your LDAP server:

  // Names to look up; replace with real entries from your directory
  String[] names = ["a group name", "a user name", "a name that does not exist"]
  for (name in names) {
    println("Checking the name '" + name + "'...")
    try {
      // First try to resolve the name as a user through the configured security realm
      println("  It is an USER: " + Jenkins.instance.securityRealm.loadUserByUsername(name))
    } catch (Exception e) {
      try {
        // Not a user, so try to resolve it as a group
        println("  It is a GROUP: " + Jenkins.instance.securityRealm.loadGroupByGroupname(name))
        continue
      } catch (Exception e1) {
        println("  It is NOT a group, reason: " + e1.getMessage())
      }
      // Neither lookup succeeded; report why the user lookup failed
      println("  It is NOT an user, reason: " + e.getMessage())
    }
    println("")
  }


See what output you get... I suspect that you need to tweak some of the filters and queries to get auth working...

Also 

IS YOUR LDAP SERVER CALLED ACTIVE DIRECTORY?

If it is, please try the "Active Directory" plugin as it should "just work"... the LDAP one is really for real LDAP servers not that fake LDAP server known as Active Directory


Mauricio

Oct 24, 2013, 1:35:16 PM
to jenkins...@googlegroups.com

Hi Stephen,

Thanks for answering...

2013/10/24 Stephen Connolly <stephen.al...@gmail.com>


>
> Copy and paste the following into the script console, changing the names to ones appropriate to your LDAP server
>
>   String[] names = ["a group name","a user name","a name that does not exist"];
>     for (name in names) {
>       println("Checking the name '" + name + "'...")
>       try {
>         println("  It is an USER: " + Jenkins.instance.securityRealm.loadUserByUsername(name))
>       } catch (Exception e) {
>           try {
>             println("  It is a GROUP: " + Jenkins.instance.securityRealm.loadGroupByGroupname(name))
>             continue
>           } catch (Exception e1) {
>             println("  It is NOT a group, reason: " + e1.getMessage())
>           }
>         println("  It is NOT an user, reason: " + e.getMessage())
>       }
>       println("");
>     }
>
>
>
> See what output you get... I suspect that you need to tweak some of the filters and queries to get auth working...
>

I got the following output

<RESULT>
Checking the name 'exisinggroup'...
  It is a GROUP: hudson.security.LDAPSecurityRealm$1@17c5050
Checking the name 'existinguser'...
  It is an USER: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@2d7c9e

Checking the name 'nonexistinguser'...
  It is NOT a group, reason: nonexistinguser
  It is NOT an user, reason: User nonexistinguser not found in directory.
</RESULT>


 
>
> Also 
>
> IS YOUR LDAP SERVER CALLED ACTIVE DIRECTORY?

No

Stephen Connolly

Oct 24, 2013, 3:19:00 PM
to jenkins...@googlegroups.com
Well we have reached the limit of my LDAP foo... Kohsuke?
Sent from my phone

Daniel Beck

Oct 24, 2013, 3:25:44 PM
to jenkins...@googlegroups.com

On 22.10.2013, at 23:01, Mauricio Fuentes Montero <fuentes...@gmail.com> wrote:

> RemoteIpAddress: 127.0.0.1;

Is Jenkins behind a reverse proxy? What happens when you try to access it directly? When you go to 'Manage Jenkins', does an error about your reverse proxy setup appear? Did you configure the URL to Jenkins in the global configuration?
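
Added example, not part of the original thread: a small Python parser for the hudson.security FINE lines quoted in the first post. It pulls out the Authenticated flag, RemoteIpAddress, SessionId, granted authorities and redirect target for each login, and flags a loopback RemoteIpAddress, which is the detail the reverse-proxy question above picks up on. The function and field names are made up for this example; the sample lines are copied from the first post.

```python
import ipaddress
import re

# Sample input: the three log lines quoted in the first post of this thread.
SAMPLE_LOG = """\
21-Oct-2013 19:38:50.639 FINE [http-nio-8080-exec-6] hudson.security.AuthenticationProcessingFilter2.successfulAuthentication Authentication success: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@b475870f: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@104c2b; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: 92846AB177A1833E208B166B7EFAE16E; Granted Authorities: arquitectura, authenticated, all, ROLE_ARQUITECTURA, ROLE_ALL
21-Oct-2013 19:38:50.639 FINE [http-nio-8080-exec-6] hudson.security.AuthenticationProcessingFilter2.successfulAuthentication Updated SecurityContextHolder to contain the following Authentication: 'org.acegisecurity.providers.UsernamePasswordAuthenticationToken@b475870f: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@104c2b; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: 92846AB177A1833E208B166B7EFAE16E; Granted Authorities: arquitectura, authenticated, all, ROLE_ARQUITECTURA, ROLE_ALL'
21-Oct-2013 19:38:50.640 FINE [http-nio-8080-exec-6] hudson.security.AuthenticationProcessingFilter2.successfulAuthentication Redirecting to target URL from HTTP Session (or default): /manage
"""

THREAD = re.compile(r"\[(?P<thread>[^\]]+)\]")
SUCCESS = re.compile(
    r"Authentication success: .*?Authenticated: (?P<auth>true|false); "
    r".*?RemoteIpAddress: (?P<ip>[^;]+); SessionId: (?P<sid>[0-9A-Fa-f]+); "
    r"Granted Authorities: (?P<roles>.+)$"
)
REDIRECT = re.compile(r"Redirecting to target URL from HTTP Session \(or default\): (?P<target>\S+)")

def is_loopback(addr):
    # True/False for an IP literal, None when the field is not an IP address.
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return None

def summarize_logins(log_text):
    """One dict per 'Authentication success' line, plus the redirect logged next on that thread."""
    logins, pending = [], {}
    for line in log_text.splitlines():
        thread = THREAD.search(line)
        if not thread:
            continue
        tid = thread.group("thread")
        ok, redir = SUCCESS.search(line), REDIRECT.search(line)
        if ok:
            ip = ok.group("ip").strip()
            entry = {"thread": tid, "authenticated": ok.group("auth") == "true",
                     "remote_ip": ip, "via_loopback": is_loopback(ip),
                     "session_id": ok.group("sid"), "redirect": None,
                     "authorities": [r.strip() for r in ok.group("roles").split(",")]}
            logins.append(entry)
            pending[tid] = entry
        elif redir and tid in pending:
            pending.pop(tid)["redirect"] = redir.group("target")
    return logins
```

The `session_id` value it returns can be compared with the JSESSIONID cookie the browser sends on the request to /whoAmI.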

Mauricio

Oct 24, 2013, 3:44:31 PM
to jenkins...@googlegroups.com



2013/10/24 Daniel Beck <m...@beckweb.net>

> On 22.10.2013, at 23:01, Mauricio Fuentes Montero <fuentes...@gmail.com> wrote:
>
> > RemoteIpAddress: 127.0.0.1;
>
> Is Jenkins behind a reverse proxy?

Yes and using SSL.

> What happens when you try to access it directly?

The application is running on port 8080, I can't access it directly. I can only access it through port 80.

> When you go to 'Manage Jenkins', does an error about your reverse proxy setup appear?

No, no message there.

> Did you configure the URL to Jenkins in the global configuration?

Yes, I've configured the HTTPS URL on the global configuration page.

Thanks for the answer!





--
Regards!
Mauricio

Mauricio Fuentes Montero

Nov 12, 2013, 9:08:24 AM
to jenkins...@googlegroups.com


On Thursday, October 24, 2013 4:44:31 PM UTC-3, Mauricio Fuentes Montero wrote:

> 2013/10/24 Daniel Beck <m...@beckweb.net>
>
> > On 22.10.2013, at 23:01, Mauricio Fuentes Montero <fuentes...@gmail.com> wrote:
> >
> > > RemoteIpAddress: 127.0.0.1;
> >
> > Is Jenkins behind a reverse proxy?
>
> Yes and using SSL.
>
> > What happens when you try to access it directly?
>
> The application is running on port 8080, I can't access it directly. I can only access it through port 80.
>
> > When you go to 'Manage Jenkins', does an error about your reverse proxy setup appear?
>
> No, no message there.
>
> > Did you configure the URL to Jenkins in the global configuration?
>
> Yes, I've configured the HTTPS URL on the global configuration page.

Besides all this, I realized that after posting the login form I'm being redirected to a wrong URL. Say Jenkins is running at https://jenkins.example.com/jenkins/, then after posting the login form I end up on https://jenkins.example.com//jenkins/. Does this have anything to do with the login problem?

Thanks in advance!

> Thanks for the answer!


 





--
Regards!
Mauricio