Problems in login using LDAP server

[Mauricio Fuentes Montero]

Hi everyone,

I'm trying to configure security for a new instance of jenkins using LDAP. Our LDAP server allows anonymous queries and I've set up all the needed information on jenkins. When I try to login, I enter the username and password and press the "log in", I understand that if the login went ok I should see my username on the top-right corner of the next screen, but nothing happened. I enabled the login for hudson.security.* and I saw the following log, among others:

...

21-Oct-2013 19:38:50.639 FINE [http-nio-8080-exec-6] hudson.security.AuthenticationProcessingFilter2.successfulAuthentication Authentication success: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@b475870f: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@104c2b; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: 92846AB177A1833E208B166B7EFAE16E; Granted Authorities: arquitectura, authenticated, all, ROLE_ARQUITECTURA, ROLE_ALL

21-Oct-2013 19:38:50.639 FINE [http-nio-8080-exec-6] hudson.security.AuthenticationProcessingFilter2.successfulAuthentication Updated SecurityContextHolder to contain the following Authentication: 'org.acegisecurity.providers.UsernamePasswordAuthenticationToken@b475870f: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@104c2b; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: 92846AB177A1833E208B166B7EFAE16E; Granted Authorities: arquitectura, authenticated, all, ROLE_ARQUITECTURA, ROLE_ALL'

21-Oct-2013 19:38:50.640 FINE [http-nio-8080-exec-6] hudson.security.AuthenticationProcessingFilter2.successfulAuthentication Redirecting to target URL from HTTP Session (or default): /manage

...

This makes me think that everything is ok, but I'm not logged in.

Does anybody know why this happens?

Thanks in advance.

[Daniel Beck]

What's shown on /whoAmI ?

> --
> You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.

[Mauricio]

+56985101709

On Oct 22, 2013 6:08 PM, "Daniel Beck" <m...@beckweb.net> wrote:
>
> What's shown on /whoAmI ?

Are you refering to the *nix command or is that a Jenkins plugin?

> You received this message because you are subscribed to a topic in the Google Groups "Jenkins Users" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-users/aP-2C5vuS3A/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to jenkinsci-use...@googlegroups.com.

[Daniel Beck]

On 22.10.2013, at 23:21, Mauricio <fuentes...@gmail.com> wrote:

> Are you refering to the *nix command or is that a Jenkins plugin?

That's a URL path to a Jenkins page with some diagnostic information about your user account. Open http://jenkinshost/whoAmI or http://jenkinshost/jenkins/whoAmI (depending on your configuration) in your browser after logging in.

[Mauricio]

It says that I'm log as anonymous

[Mauricio]

2013/10/22 Mauricio <fuentes...@gmail.com>

On Oct 22, 2013 6:49 PM, "Daniel Beck" <m...@beckweb.net> wrote:
>
> On 22.10.2013, at 23:21, Mauricio <fuentes...@gmail.com> wrote:
>
> > Are you refering to the *nix command or is that a Jenkins plugin?
>
> That's a URL path to a Jenkins page with some diagnostic information about your user account. Open http://jenkinshost/whoAmI or http://jenkinshost/jenkins/whoAmI (depending on your configuration) in your browser after logging in.

It says that I'm log as anonymous

Do know you know any other way to debug this?

Thanks!

 

>
> --
> You received this message because you are subscribed to a topic in the Google Groups "Jenkins Users" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-users/aP-2C5vuS3A/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to jenkinsci-use...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.

--
Saludos!
Mauricio

[Stephen Connolly]

Copy and paste the following into the script console, changing the names to ones appropriate to your LDAP server

  String[] names = ["a group name","a user name","a name that does not exist"];
    for (name in names) {
      println("Checking the name '" + name + "'...")
      try {
        println("  It is an USER: " + Jenkins.instance.securityRealm.loadUserByUsername(name))
      } catch (Exception e) {
          try {
            println("  It is a GROUP: " + Jenkins.instance.securityRealm.loadGroupByGroupname(name))
            continue
          } catch (Exception e1) {
            println("  It is NOT a group, reason: " + e1.getMessage())
          }
        println("  It is NOT an user, reason: " + e.getMessage())
      }
      println("");
    }

See what output you get... I suspect that you need to tweak some of the filters and queries to get auth working...

Also 

IS YOUR LDAP SERVER CALLED ACTIVE DIRECTORY?

If it is, please try the "Active Directory" plugin as it should "just work"... the LDAP one is really for real LDAP servers not that fake LDAP server known as Active Directory

--

You received this message because you are subscribed to the Google Groups "Jenkins Users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.

[Mauricio]

Hi Stephen,

Thanks of answering...

2013/10/24 Stephen Connolly <stephen.al...@gmail.com>

>
> Copy and paste the following into the script console, changing the names to ones appropriate to your LDAP server
>
>   String[] names = ["a group name","a user name","a name that does not exist"];
>     for (name in names) {
>       println("Checking the name '" + name + "'...")
>       try {
>         println("  It is an USER: " + Jenkins.instance.securityRealm.loadUserByUsername(name))
>       } catch (Exception e) {
>           try {
>             println("  It is a GROUP: " + Jenkins.instance.securityRealm.loadGroupByGroupname(name))
>             continue
>           } catch (Exception e1) {
>             println("  It is NOT a group, reason: " + e1.getMessage())
>           }
>         println("  It is NOT an user, reason: " + e.getMessage())
>       }
>       println("");
>     }
>
>
>
> See what output you get... I suspect that you need to tweak some of the filters and queries to get auth working...
>

I got the following output

<RESULT>
Checking the name 'exisinggroup'...
  It is a GROUP: hudson.security.LDAPSecurityRealm$1@17c5050
Checking the name 'existinguser'...
  It is an USER: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@2d7c9e

Checking the name 'nonexistinguser'...
  It is NOT a group, reason: nonexistinguser
  It is NOT an user, reason: User nonexistinguser not found in directory.
</RESULT>

 
>
> Also 
>
> IS YOUR LDAP SERVER CALLED ACTIVE DIRECTORY?

No

[Stephen Connolly]

Well we have reached the limit of my LDAP foo... Kohsuke?

Sent from my phone

[Daniel Beck]

On 22.10.2013, at 23:01, Mauricio Fuentes Montero <fuentes...@gmail.com> wrote:

> RemoteIpAddress: 127.0.0.1;

Is Jenkins behind a reverse proxy? What happens when you try to access it directly? When you go to 'Manage Jenkins', does an error about your reverse proxy setup appear? Did you configure the URL to Jenkins in the global configuration?

[Mauricio]

2013/10/24 Daniel Beck <m...@beckweb.net>

On 22.10.2013, at 23:01, Mauricio Fuentes Montero <fuentes...@gmail.com> wrote:

>  RemoteIpAddress: 127.0.0.1;

Is Jenkins behind a reverse proxy?

Yes and using SSL.

 

What happens when you try to access it directly?

The application is running on the port 8080, I can't access it directly. I just can access it through the port 80.

 

When you go to 'Manage Jenkins', does an error about your reverse proxy setup appear?

No, no message there.

 

Did you configure the URL to Jenkins in the global configuration?

Yes, I've configured the HTTPS URL on the global configuration page.

Thanks of answer!

--
You received this message because you are subscribed to a topic in the Google Groups "Jenkins Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-users/aP-2C5vuS3A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jenkinsci-use...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

--
Saludos!
Mauricio

[Mauricio Fuentes Montero]

On Thursday, October 24, 2013 4:44:31 PM UTC-3, Mauricio Fuentes Montero wrote:

2013/10/24 Daniel Beck <m...@beckweb.net>

On 22.10.2013, at 23:01, Mauricio Fuentes Montero <fuentes...@gmail.com> wrote:

>  RemoteIpAddress: 127.0.0.1;

Is Jenkins behind a reverse proxy?

Yes and using SSL.

 

What happens when you try to access it directly?

The application is running on the port 8080, I can't access it directly. I just can access it through the port 80.

 

When you go to 'Manage Jenkins', does an error about your reverse proxy setup appear?

No, no message there.

 

Did you configure the URL to Jenkins in the global configuration?

Yes, I've configured the HTTPS URL on the global configuration page.

Besides all this I realized that after posting the login form I'm been redirected to a wrong URL. Say jenkins is running https://jenkins.example.com/jenkins/, then after posting the login form I end up on  https://jenkins.example.com//jenkins/. Does this has anything to do with the login problem?

Thanks in advance!

 

Thanks of answer!

 

--
You received this message because you are subscribed to a topic in the Google Groups "Jenkins Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-users/aP-2C5vuS3A/unsubscribe.

To unsubscribe from this group and all its topics, send an email to jenkinsci-users+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/groups/opt_out.

--
Saludos!
Mauricio