[JIRA] (JENKINS-53189) Exception during Test LDAP settings in group search filter


peter.vohmann@de.bosch.com (JIRA)

Aug 22, 2018, 11:37:02 AM
to jenkinsc...@googlegroups.com
Peter Vohmann created an issue
 
Jenkins / Bug JENKINS-53189
Exception during Test LDAP settings in group search filter
Issue Type: Bug
Assignee: Unassigned
Components: ldap-plugin
Created: 2018-08-22 15:36
Environment: Jenkins 2.121.3, ldap-plugin 1.20
Priority: Minor
Reporter: Peter Vohmann

As I configure LDAP and press Test LDAP settings, the following exception appears.

I understand that "/" must be escaped in LDAP queries as \27.

The Group search filter is (&(objectclass=group)(cn={0})) .

Removing the search filter gets rid of the exception, but then groups cannot be used for authorization at all anymore.

 

javax.naming.InvalidNameException: Invalid name: "CN=BU1/XDEP,OU=Departments,OU=Bu00,OU=Distributionlists,OU=Cng4,DC=EU",DC=example,DC=com
at javax.naming.ldap.Rfc2253Parser.parseAttrType(Rfc2253Parser.java:155)
at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:108)
at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:70)
at javax.naming.ldap.LdapName.parse(LdapName.java:785)
at javax.naming.ldap.LdapName.<init>(LdapName.java:123)
at hudson.security.LDAPSecurityRealm$GroupDetailsMapper.mapAttributes(LDAPSecurityRealm.java:972)
at hudson.security.LDAPSecurityRealm$GroupDetailsMapper.mapAttributes(LDAPSecurityRealm.java:969)
at jenkins.security.plugins.ldap.LDAPExtendedTemplate$SearchResultEnumeration.next(LDAPExtendedTemplate.java:163)
at jenkins.security.plugins.ldap.LDAPExtendedTemplate.searchForFirstEntry(LDAPExtendedTemplate.java:74)
Caused: org.acegisecurity.ldap.LdapDataAccessException: Unable to get first element; nested exception is javax.naming.InvalidNameException: Invalid name: "CN=BU1/XDEP,OU=Departments,OU=Bu00,OU=Distributionlists,OU=Cng4,DC=EU",DC=example,DC=com
at jenkins.security.plugins.ldap.LDAPExtendedTemplate.searchForFirstEntry(LDAPExtendedTemplate.java:76)
at hudson.security.LDAPSecurityRealm.searchForGroupName(LDAPSecurityRealm.java:895)
at hudson.security.LDAPSecurityRealm.loadGroupByGroupname(LDAPSecurityRealm.java:876)
at hudson.security.LDAPSecurityRealm.loadGroupByGroupname(LDAPSecurityRealm.java:848)
at hudson.security.LDAPSecurityRealm$DescriptorImpl.validate(LDAPSecurityRealm.java:1903)
at hudson.security.LDAPSecurityRealm$DescriptorImpl.doValidate(LDAPSecurityRealm.java:1595)
at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:734)
Caused: javax.servlet.ServletException
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:784)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)

...

This message was sent by Atlassian JIRA (v7.10.1#710002-sha1:6efc396)

peter.vohmann@de.bosch.com (JIRA)

Aug 22, 2018, 11:43:04 AM
to jenkinsc...@googlegroups.com
Peter Vohmann updated an issue
Change By: Peter Vohmann
As I configure LDAP and press Test LDAP settings, then fill my user ID and password, the following exception appears.


I understand that "/" must be escaped in LDAP queries as \27.

The Group search filter is (&(objectclass=group)(cn=\{0})) .

Some other user IDs are not causing exceptions as they are not members of those fancy groups. Our productive use with simple named groups is not affected.

Removing the search filter also gets rid of the exception, but then groups cannot be used for authorization at all anymore. (active directory)

esmat.ramadan@gmail.com (JIRA)

Nov 26, 2018, 9:04:04 AM
to jenkinsc...@googlegroups.com
Esmat Hassan commented on Bug JENKINS-53189
 
Re: Exception during Test LDAP settings in group search filter

I face the same issue, is there a solution for it?


belindada@hotmail.co.uk (JIRA)

Jan 24, 2019, 7:33:01 AM
to jenkinsc...@googlegroups.com

I get a similar issue, with

group search base: cn=jenkins-admins,ou=Groups
group search filter: (&(objectclass=groupOfNames)(cn={0}))   (or blank)
javax.naming.InvalidNameException: Invalid name: ,cn=jenkins-admins,ou=Groups,dc=xxx,dc=xxx

If I use

group search base: cn=jenkins-admins,ou=Groups
group search filter: (&(objectclass=group)(cn={0}))
Lookup
User lookup: successful
User groups consistent (login and lookup)
  LDAP Group lookup: failed for 1 group:jenkins-admins
Does the Manager Dn have permissions to perform group lookup?
Are the group search base and group search filter settings correct?

Christian.Opitz@de.bosch.com (JIRA)

Mar 1, 2019, 11:32:02 AM
to jenkinsc...@googlegroups.com

Christian.Opitz@de.bosch.com (JIRA)

May 8, 2019, 12:43:02 PM
to jenkinsc...@googlegroups.com

It seems that if you add quotation marks it is working. Not nice, but might be a helpful workaround:

(&(objectclass=group)(cn="{0}"))
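
Added example (not part of the thread and not the ldap-plugin's own code): the two "Invalid name" strings above have the shape produced when a JNDI search-result name is joined to the base DN with a comma. JNDI returns that name as a composite name string, so a value containing "/" comes back wrapped in double quotes, and an entry that is the search base itself comes back empty. The sketch below parses the name as a CompositeName before building the LdapName; the helper toFullDn, the class name and the sample inputs are hypothetical and constructed for illustration.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.ldap.LdapName;

public class CompositeNameDn {

    // Hypothetical helper: convert the name JNDI hands back from a search
    // (a composite name string, relative to the search context) into a full DN.
    static LdapName toFullDn(String searchResultName, String contextDn) throws NamingException {
        // CompositeName strips the quoting JNDI adds around components containing '/'.
        CompositeName composite = new CompositeName(searchResultName);
        LdapName dn = new LdapName(contextDn);
        // An empty name means the entry is the context itself: nothing to append.
        if (composite.size() > 0 && !composite.get(0).isEmpty()) {
            // getRdns() is ordered right-to-left, so addAll() places the
            // relative RDNs to the left of the context DN.
            dn.addAll(new LdapName(composite.get(0)).getRdns());
        }
        return dn;
    }

    public static void main(String[] args) throws NamingException {
        String context = "DC=example,DC=com";
        // Constructed inputs shaped like the names in the exceptions in this thread.
        String[] relativeNames = {
            "\"CN=BU1/XDEP,OU=Departments,OU=Bu00\"", // quoted by JNDI because of '/'
            "",                                         // entry is the search base itself
            "CN=plain-group,OU=Departments"             // simple name, works either way
        };
        for (String rel : relativeNames) {
            try {
                new LdapName(rel + "," + context);      // naive string concatenation
                System.out.println("naive ok:     " + rel);
            } catch (InvalidNameException e) {
                System.out.println("naive FAILED: " + e.getMessage());
            }
            System.out.println("composite:    " + toFullDn(rel, context));
        }
    }
}
```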
