[JIRA] (JENKINS-52071) Issue with 'Use Jenkins Internal Database' in AD Plugin


jon_medd@hotmail.com (JIRA)

Jun 20, 2018, 9:31:02 AM
to jenkinsc...@googlegroups.com
Jonathan Medd created an issue
 
Jenkins / Bug JENKINS-52071
Issue with 'Use Jenkins Internal Database' in AD Plugin
Issue Type: Bug
Assignee: Félix Belzunce Arcos
Attachments: ADPlugin.png
Components: active-directory-plugin
Created: 2018-06-20 13:30
Environment: Jenkins ver. 2.121.1
Active Directory plugin ver. 2.6
Priority: Minor
Reporter: Jonathan Medd

Within the configuration of the AD plugin, we are attempting to use the feature 'Use Jenkins Internal Database' as a fallback should AD not be available. The Help information for what should be configured is a little unclear though - it appears to suggest setting an AD account, which will become synchronised locally.
We have tested configuring it with an AD account with Jenkins admin permissions, then making AD unavailable. We should then still be able to log in with that account, but it fails with the below error in the logs.

Jun 12, 2018 8:02:08 PM WARNING hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl bind
All attempts to login failed for user CN=Administrator,CN=Users,DC=test,DC=testdomain,DC=co,DC=uk
Jun 12, 2018 8:02:19 PM FINE hudson.plugins.active_directory.ActiveDirectorySecurityRealm
Connecting to ldap://test-ad1.test.testdomain.co.uk:3268/
Jun 12, 2018 8:02:39 PM WARNING hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl bind
Failed to bind to test-ad1.test.testdomain.co.uk:3268
java.net.UnknownHostException: test-ad1.test.testdomain.co.uk
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.reflect.GeneratedMethodAccessor320.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:350)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
Caused: javax.naming.CommunicationException: test-ad1.test.testdomain.co.uk:3268 [Root exception is java.net.UnknownHostException: test-ad1.test.testdomain.co.uk]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:151)
at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:643)
at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:628)
at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:575)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider$1.call(ActiveDirectoryUnixAuthenticationProvider.java:358)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider$1.call(ActiveDirectoryUnixAuthenticationProvider.java:341)
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4767)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3568)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2350)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2313)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2228)
at com.google.common.cache.LocalCache.get(LocalCache.java:3965)
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4764)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:341)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:304)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:226)
at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:74)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:530)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:347)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:256)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:382)
at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

Jun 12, 2018 8:02:39 PM WARNING hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl bind
All attempts to login failed for user CN=Administrator,CN=Users,DC=test,DC=testdomain,DC=co,DC=uk

 

We have also tested configuring this field with a local admin user from the Jenkins Internal Database with similar results when AD is made unavailable.

There is one scenario where it does appear to initially work. If the 'Enable cache' feature is turned on, it is possible to log in with the AD account for the time period of the 'Cache TTL' setting; however, as soon as that period has expired it is no longer possible to log in with that account.

Could anyone confirm if they have this feature working or if they are seeing a similar issue during testing of AD unavailability?

We are also wondering if anyone has tested it with the 'Cache TTL' setting turned on and consequently generated a false positive during testing without realising it?

 

 

 
This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)
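
A log triage sketch for the failure reported above, as an added example that is not part of the original report or of the plugin's code: it pairs each "All attempts to login failed" warning with the bind errors logged before it, so lockouts caused by an unreachable domain controller stand out from other failures. The sample log is constructed in the format quoted in this thread (hosts and the user fallback-admin are placeholders), and the function names are hypothetical.

```python
import re

# Root causes meaning the domain controller was never reached, as opposed to
# AD answering and rejecting the credentials.
UNREACHABLE = {"java.net.UnknownHostException", "java.net.SocketTimeoutException"}

BIND_FAIL = re.compile(r"Failed to bind to (\S+:\d+)")
LOGIN_FAIL = re.compile(r"All attempts to login failed for user (.+)$")
NET_EXC = re.compile(r"java\.net\.\w+Exception")

# Constructed sample in the format quoted in this thread (placeholder hosts/users).
SAMPLE_LOG = """\
Jun 12, 2018 8:02:08 PM WARNING hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl bind
All attempts to login failed for user CN=svc-a,CN=Users,DC=example,DC=test
Jun 12, 2018 8:02:39 PM WARNING hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl bind
Failed to bind to dc1.example.test:3268
java.net.UnknownHostException: dc1.example.test
at java.net.Socket.connect(Socket.java:589)
Caused: javax.naming.CommunicationException: dc1.example.test:3268 [Root exception is java.net.UnknownHostException: dc1.example.test]
All attempts to login failed for user CN=Administrator,CN=Users,DC=example,DC=test
WARNING: Failed to bind to 192.0.2.10:389
javax.naming.CommunicationException: 192.0.2.10:389 [Root exception is java.net.SocketTimeoutException: connect timed out]
WARNING: All attempts to login failed for user fallback-admin
"""

def triage(lines):
    """Pair each failed login with the bind errors logged since the previous one."""
    results, servers, causes = [], [], set()
    for raw in lines:
        line = raw.strip()
        if line.startswith("at "):            # stack frames carry no root cause
            continue
        bind = BIND_FAIL.search(line)
        if bind:
            servers.append(bind.group(1))
        causes.update(NET_EXC.findall(line))  # root cause may share the line
        login = LOGIN_FAIL.search(line)
        if login:
            if not servers:
                verdict = "no_bind_error_logged"
            elif causes and causes <= UNREACHABLE:
                verdict = "ad_unreachable"
            else:
                verdict = "other_bind_error"
            results.append({"user": login.group(1), "servers": servers,
                            "causes": sorted(causes), "verdict": verdict})
            servers, causes = [], set()
    return results

def locked_out_during_outage(lines):
    """Users whose login failed while no domain controller could be reached."""
    return sorted({r["user"] for r in triage(lines) if r["verdict"] == "ad_unreachable"})

if __name__ == "__main__":
    for record in triage(SAMPLE_LOG.splitlines()):
        print(record["verdict"], record["user"], record["servers"], record["causes"])
```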

milkiwaysabe@gmail.com (JIRA)

Jun 21, 2018, 8:28:01 PM
to jenkinsc...@googlegroups.com
jang hyemi started work on Bug JENKINS-52071
 
Change By: jang hyemi
Status: Open → In Progress

milkiwaysabe@gmail.com (JIRA)

Jun 21, 2018, 10:05:04 PM
to jenkinsc...@googlegroups.com

b.michael@gmx.de (JIRA)

Dec 10, 2018, 3:16:03 AM
to jenkinsc...@googlegroups.com
Björn Michael commented on Bug JENKINS-52071
 
Re: Issue with 'Use Jenkins Internal Database' in AD Plugin

I am unable to log in with the specified internal user too.
In the log file a javax.naming.CommunicationException appears, caused by a java.net.UnknownHostException or a java.net.SocketTimeoutException, and results in a
WARNING: All attempts to login failed for user x...@yyy.domain.name

I try your workaround with enabling cache to overcome AD downtimes.

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

maxx.yurchenko@gmail.com (JIRA)

Jan 26, 2019, 7:20:02 AM
to jenkinsc...@googlegroups.com

I have a similar issue; I'm also unable to set permission for that "internal" user in Matrix-based security.

arni.12@mail.ru (JIRA)

Apr 12, 2019, 3:08:01 AM
to jenkinsc...@googlegroups.com

arni.12@mail.ru (JIRA)

Apr 12, 2019, 3:08:03 AM
to jenkinsc...@googlegroups.com
Владислав Ненашев commented on Bug JENKINS-52071
 
Re: Issue with 'Use Jenkins Internal Database' in AD Plugin

I have this problem for user sbt-devops-jenkins

WARNING: Failed to bind to 10.119.22.1:389
javax.naming.CommunicationException: 10.119.22.1:389 [Root exception is java.net.SocketTimeoutException: connect timed out]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:228)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:151)
at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:668)
at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:599)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider$1.call(ActiveDirectoryUnixAuthenticationProvider.java:357)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider$1.call(ActiveDirectoryUnixAuthenticationProvider.java:340)
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4767)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3568)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2350)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2313)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2228)
at com.google.common.cache.LocalCache.get(LocalCache.java:3965)
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4764)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:340)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:303)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:74)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:503)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.SocketTimeoutException: connect timed out
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:362)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
... 64 more

 
