LDAP authentication fails

Nunni

Apr 26, 2012, 12:03:34 PM
to Jenkins Users
Hi all.

I've been asked to set up a support server for software development,
and one of the required applications is Jenkins.
I installed the official package from the Linux distribution I'm using:
Ubuntu 12.04 has Jenkins 1.424.6.
I need to set up LDAP authentication and I'm having a hard time with
it.. I tried both the LDAP and the AD plugin but both fail.
I know that the DC LDAP port is reachable because there's Redmine on
the same server that does the auth there.
So.. here's the command I give:

# jenkins-cli login --username user (I tried also user@domain and domain\user)

I then get prompted for the password and after that I get:


org.acegisecurity.BadCredentialsException: Bad credentials
    at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:125)
    at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:197)
    at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
    at hudson.security.LDAPSecurityRealm.authenticate(LDAPSecurityRealm.java:379)
    at hudson.security.AbstractPasswordBasedSecurityRealm$1.authenticate(AbstractPasswordBasedSecurityRealm.java:81)
    at hudson.cli.CLICommand.main(CLICommand.java:178)
    at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:82)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:274)
    at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:255)
    at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:215)
    at hudson.remoting.UserRequest.perform(UserRequest.java:118)
    at hudson.remoting.UserRequest.perform(UserRequest.java:48)
    at hudson.remoting.Request$2.run(Request.java:287)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
    at java.util.concurrent.FutureTask.run(FutureTask.java:166)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:679)

and here's my config.xml:

<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <disabledAdministrativeMonitors/>
  <version>1.424.6</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.LDAPSecurityRealm">
    <server>my.cd.controller</server>
    <rootDN>DC=dc,DC=controller</rootDN>
    <inhibitInferRootDN>false</inhibitInferRootDN>
    <userSearchBase>OU=myou</userSearchBase>
    <userSearch>uid={0}</userSearch>
    <managerDN>CN=ldapuser,CN=Users,DC=dc,DC=controller</managerDN>
    <managerPassword>zaaappedaway</managerPassword>
  </securityRealm>
  <workspaceDir>${ITEM_ROOTDIR}/workspace</workspaceDir>
  <buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
  <markupFormatter class="hudson.markup.RawHtmlMarkupFormatter"/>
  <jdks/>
  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
  <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
  <clouds/>
  <slaves/>
  <quietPeriod>5</quietPeriod>
  <scmCheckoutRetryCount>0</scmCheckoutRetryCount>
  <views>
    <hudson.model.AllView>
      <owner class="hudson" reference="../../.."/>
      <name>All</name>
      <filterExecutors>false</filterExecutors>
      <filterQueue>false</filterQueue>
      <properties class="hudson.model.View$PropertyList"/>
    </hudson.model.AllView>
  </views>
  <primaryView>All</primaryView>
  <slaveAgentPort>0</slaveAgentPort>
  <label></label>
  <nodeProperties/>
  <globalNodeProperties/>
</hudson>

Does anybody have an idea of what I'm doing wrong?
Thank you and best regards.

Nunni

Apr 27, 2012, 3:53:04 AM
to Jenkins Users
Anybody on this, please?

David Weintraub

Apr 27, 2012, 4:03:31 PM
to jenkins...@googlegroups.com
I'm having issues with the latest version of AD plugin. It takes my
login as "dweintraub", but recognizes me as user "David Weintraub". If
I put "David Weintraub" in the security based matrix table, it shows
up as an invalid user, but this seems to be the credentials I'm
reading.

Downgrade to AD plugin 1.26. I still can't get it to recognize my groups.

By the way, what are you doing with the command line? Jenkins is a
purely web-based application, and the configuration is carried out via
the webpage. You set up the authentication by going into the "Manage
Jenkins" link on the main page, then select the "Configure System"
item in the Manage Jenkins list.
--
David Weintraub
qaz...@gmail.com

Jan Seidel

Apr 30, 2012, 7:53:51 AM
to jenkins...@googlegroups.com

Hi Nunni,

org.acegisecurity.BadCredentialsException: Bad credentials tells you at least that something is happening and then fails. This looks more like a matter of human engineering rather than technical engineering ;)
Do you use some funny special character which may interfere with your system/shell/CLI? You will then have to escape the characters in question or, even better, select a password less prone to error.

@David: "By the way, what are you doing with the command line? Jenkins is a purely web-based application, and the configuration is carried out via the webpage." ???
Who told you that? The web based part is just a convenience thingy.

You can run it from the command line without the webfront. I use the webfront more and more rarely and run the administrative tasks straight from the operating system's CLI.
Furthermore, Jenkins also provides its own CLI (see: http://jenkins_server/cli)

Take care
Jan

Maven User

May 2, 2012, 1:27:22 AM
to jenkins...@googlegroups.com
I'm sorta wedged at this same place now.

While I can log in, the "manage" page (among others) is NOT being displayed because there is now an error about First name, Last name having an invalid character in there.

How do I even upgrade if I can't reach the plugin pages?


Maven User

May 2, 2012, 1:44:25 AM
to jenkins...@googlegroups.com
Meh - I ssh'd up to the server, moved the active-directory.jpi out of the way and renamed the active-directory.bak to active-directory.jpi and restarted.

All set - logged in successfully...

Roberto Nunnari

May 2, 2012, 5:11:04 AM
to jenkins...@googlegroups.com
Hi Jan.
Sorry for not replying earlier.. I was on holiday and got back to work only this morning.

No.. no special characters that need to be escaped, nor wrong password.. I even tried copy/paste of the password, but it doesn't help..

Any more hints, please?


2012/4/30 Jan Seidel <wakk...@gmail.com>

Jan Seidel

May 2, 2012, 5:22:22 AM
to jenkins...@googlegroups.com
Hi Nunni,

*uhm* the only thing that crosses my mind is a buggy identity.key file or secret.key file. The secret.key is more likely to fail.
You can rebuild it somewhat easily. Simply delete the secret.key files. They are located in the Jenkins root folder and in the job folders.
They contain the encryption key to garble/ungarble the credentials you have saved in Jenkins. Only garbage will be sent as response if this key file is out of sync with Jenkins.

You will have to re-enter passwords in your configuration as they will definitely become invalid when the key file is missing.
So lucky you if the credentials for your repository and the like are stored globally in "Manage Jenkins" and not individually by job. Good time to change it if the latter case just comes back on you ;)

Roberto Nunnari

May 2, 2012, 9:35:45 AM
to jenkins...@googlegroups.com
humm.. I deleted identity.key and secret.key, restarted jenkins, and tried again: the two files have been recreated, but got the same error!

Any more hints, please?



2012/5/2 Jan Seidel <wakk...@gmail.com>

Maven User

May 2, 2012, 10:03:33 AM
to jenkins...@googlegroups.com
What version of the AD plugin are you using?  If you have 1.27 installed, try rolling back to 1.26 (which may be a manual thing at this point).

Roberto Nunnari

May 2, 2012, 10:34:12 AM
to jenkins...@googlegroups.com
2012/5/2 Maven User <maven....@gmail.com>

What version of the AD plugin are you using?  If you have 1.27 installed, try rolling back to 1.26 (which may be a manual thing at this point).

I'm using the LDAP thing.. I have also tried the AD plugin (1.26), but it didn't work either..

Is there a way to make it more verbose, so that I can pin out what's wrong?

Roberto Nunnari

May 2, 2012, 10:59:08 AM
to jenkins...@googlegroups.com
2012/5/2 Roberto Nunnari <nunn...@gmail.com>

Maybe I found what's wrong.. it seems that jenkins/acegisecurity searches for uid=username, while in our AD, the username is mapped to cn
Is there a way to configure jenkins/acegisecurity so that it searches for cn=username instead?
Thanks.

Roberto Nunnari

May 2, 2012, 11:01:56 AM
to jenkins...@googlegroups.com
YES! That was it! Solved. It was the 'User search filter'.
 Thank you all.
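
The cause found in this thread, shown as an added example (not code from the thread or from Jenkins): it models the user lookup against a constructed in-memory directory to show why the posted `uid={0}` filter finds no entry while `cn={0}` does. The login name `jdoe`, the directory entry, and the helper names are hypothetical; the realm values are the ones from the posted config.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: realm values as posted in the thread (manager DN/password left out).
REALM_XML = """<securityRealm class="hudson.security.LDAPSecurityRealm">
  <rootDN>DC=dc,DC=controller</rootDN>
  <userSearchBase>OU=myou</userSearchBase>
  <userSearch>uid={0}</userSearch>
</securityRealm>"""

# Constructed AD-style entry: login name in cn and sAMAccountName, no uid attribute.
DIRECTORY = [{"dn": "CN=jdoe,OU=myou,DC=dc,DC=controller",
              "cn": ["jdoe"], "sAMAccountName": ["jdoe"]}]

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_search(realm_xml, username, user_search=None):
    """Return (effective base DN, filter) for a login; user_search overrides the config."""
    realm = ET.fromstring(realm_xml)
    # Assumption: the user search base is relative to the root DN.
    parts = (realm.findtext("userSearchBase"), realm.findtext("rootDN"))
    template = user_search or realm.findtext("userSearch")
    return ",".join(p for p in parts if p), template.replace("{0}", escape_filter_value(username))

def find_user(directory, base, ldap_filter):
    """Evaluate a single attr=value equality filter under base (case-insensitive)."""
    attr, _, value = ldap_filter.partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    hits = []
    for entry in directory:
        if not ("," + entry["dn"].lower()).endswith("," + base.lower()):
            continue
        values = next((v for k, v in entry.items() if k != "dn" and k.lower() == attr.lower()), [])
        if any(v.lower() == value.lower() for v in values):
            hits.append(entry["dn"])
    return hits

def probe(directory, realm_xml, username, attrs=("uid", "cn", "sAMAccountName")):
    """Return {filter template: matching DNs} so the attribute that works stands out."""
    result = {}
    for attr in attrs:
        base, flt = build_search(realm_xml, username, attr + "={0}")
        result[attr + "={0}"] = find_user(directory, base, flt)
    return result

if __name__ == "__main__":
    for template, hits in probe(DIRECTORY, REALM_XML, "jdoe").items():
        print(template, "->", hits or "no entry, so the login fails")
```

An empty result for the configured filter means no entry is found to bind as, whatever password is typed; the value to change is `<userSearch>` ('User search filter' in the UI).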
