LDAP authentication


Jeff Payne

Nov 27, 2011, 4:38:51 PM
to Jenkins Users
Hello all,

I'm trying to get LDAP authentication working. I've gotten it working
on Subversion, so I have some confidence in the configuration strings
I'm using but no matter how I tweak them, I am not able to log in.
What is especially interesting is that it looks like Jenkins is indeed
talking to our LDAP server. If I enter an invalid username or password,
I get the following:

Nov 27, 2011 4:35:48 PM
hudson.security.AuthenticationProcessingFilter2
onUnsuccessfulAuthentication
INFO: Login attempt failed
org.acegisecurity.BadCredentialsException: Bad credentials
(etc)

However, if I enter my valid login information, I get this exception
instead:

Nov 27, 2011 4:34:26 PM
hudson.security.AuthenticationProcessingFilter2
onUnsuccessfulAuthentication
INFO: Login attempt failed
org.acegisecurity.AuthenticationServiceException: LdapCallback;[LDAP:
error code 32 - 0000208D: NameErr: DSID-03100198, problem 2001
(NO_OBJECT), data 0, best match of:
''
]; nested exception is javax.naming.NameNotFoundException: [LDAP:
error code 32 - 0000208D: NameErr: DSID-03100198, problem 2001
(NO_OBJECT), data 0, best match of:
''
]; remaining name ''; nested exception is
org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;[LDAP:
error code 32 - 0000208D: NameErr: DSID-03100198, problem 2001
(NO_OBJECT), data 0, best match of:
''
]; nested exception is javax.naming.NameNotFoundException: [LDAP:
error code 32 - 0000208D: NameErr: DSID-03100198, problem 2001
(NO_OBJECT), data 0, best match of:
''
]; remaining name ''
at
org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:
238)
(etc)

Any thoughts?

Jeff

Dalen, van William

Nov 29, 2011, 3:15:07 AM
to jenkins...@googlegroups.com
Hi,

In line with Jeff Payne (see e-mail underneath) I've got the same question (however, I don't have the configuration strings yet). I also am trying to get OpenDJ\OpenDS (LDAP) working with Jenkins on a Ubuntu CLI server, but I am not able to log in either.
Please is there anyone who will be able to help me/us?

With regards, William


-----Original message-----
From: jenkins...@googlegroups.com [mailto:jenkins...@googlegroups.com] On behalf of Jeff Payne
Sent: Sunday 27 November 2011 22:39
To: Jenkins Users
Subject: LDAP authentication

Darin McGrew

Dec 6, 2011, 5:56:29 PM
to jenkins...@googlegroups.com
I'm getting similar behavior. With invalid credentials, the logs show:

Dec 6, 2011 4:53:21 PM hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
INFO: Login attempt failed
org.acegisecurity.BadCredentialsException: Bad credentials
...

With valid credentials, the logs show:

Dec 6, 2011 4:53:13 PM hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
INFO: Login attempt failed
org.acegisecurity.AuthenticationServiceException: LdapCallback;[LDAP: error code 19 - You must change your password before you will be allowed to request any other operations]; nested exception is javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - You must change your password before you will be allowed to request any other operations]; remaining name 'cn=Example Name,ou=Example1,ou=Example2,dc=example,dc=com'; nested exception is org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;[LDAP: error code 19 - You must change your password before you will be allowed to request any other operations]; nested exception is javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - You must change your password before you will be allowed to request any other operations]; remaining name 'cn=Example Name,ou=Example1,ou=Example2,dc=example,dc=com'
...

We're using Jenkins 1.441 on RHEL 6.1 with OpenDJ.

Jeff Payne

Dec 8, 2011, 8:50:33 AM
to jenkins...@googlegroups.com
Looks like in your case the user has an expired password.  Might want to check that first.

I seem to have wheedled out the problem by randomly reconfiguring the LDAP interface - the magic combination seemed to be:

Do specify a root DN:
OU=Example,DC=domain-ex,DC=tld-ex

Specify the User and Group search bases without fully qualifying (without the above)
OU=Users
OU=Groups

Our user search filter is based on sAMAccountName:
sAMAccountName={0}

And the Manager DN was not specified as a DN - just provide the login ID & password.

Other variations of the above (providing the full or different subsets of the DN for different fields above, providing the full DN for the Manager DN, etc) either resulted in what I reported before, or getting the word "ERROR" (not an icon) in the authorization matrix.  Not sure what aspect of this fixed the problem, just passing along what worked for me.

Now it seems to be working for users & groups, but my groups show up in the authorization matrix with the error icon instead of the group icon (users are fine).  Still permissions do seem to be handled properly based on these groups.  Anyone else see this issue?

Jeff
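The configuration Jeff lands on above (root DN set, search bases left relative, `sAMAccountName={0}` as the user filter) and the error codes in his and Darin's logs (32, 19) can be checked with a small helper. This is an added example, not code from the thread or from the Jenkins LDAP plugin; it assumes that Jenkins appends the configured root DN to the user and group search bases, so a search base that already contains the root DN is qualified twice and the directory answers with result code 32 (noSuchObject).

```python
import re

# Added example for this thread; not code from the thread or the Jenkins LDAP plugin.
# Assumption (labelled): Jenkins joins the user/group search base onto the root DN,
# so a search base that already contains the root DN is qualified twice and the
# directory answers with result code 32 (noSuchObject), the error Jeff reported.

def effective_search_base(search_base, root_dn):
    """Join a relative search base to the root DN; either part may be empty."""
    parts = [p.strip() for p in (search_base, root_dn) if p and p.strip()]
    return ",".join(parts)

def _components(dn):
    return [c.strip().lower() for c in dn.split(",") if c.strip()]

def is_double_qualified(search_base, root_dn):
    """True when the search base already ends with the root DN (the misconfiguration)."""
    base, root = _components(search_base), _components(root_dn)
    return bool(root) and len(base) >= len(root) and base[-len(root):] == root

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def render_user_filter(template, username):
    """Fill the {0} placeholder of a Jenkins-style filter such as sAMAccountName={0}."""
    return template.replace("{0}", escape_filter_value(username))

def ldap_result_codes(exception_text):
    """Pull the numeric LDAP result codes out of a JNDI/Acegi exception message."""
    return sorted({int(m) for m in re.findall(r"\[LDAP: error code (\d+)", exception_text)})

if __name__ == "__main__":
    ROOT = "OU=Example,DC=domain-ex,DC=tld-ex"
    print(effective_search_base("OU=Users", ROOT))
    print(is_double_qualified("OU=Users," + ROOT, ROOT))
    print(render_user_filter("sAMAccountName={0}", "jpayne"))
    # Constructed exception fragment in the shape of the log lines quoted in the thread.
    print(ldap_result_codes("LdapCallback;[LDAP: error code 32 - 0000208D: NameErr ...]"))
```

Result code 32 points at a search base that does not exist (check the effective base), while code 19 on a bind is a server-side constraint such as the forced password change Darin hit, so the two failures are triaged differently.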

Ferenc Kovacs

Dec 8, 2011, 9:01:44 AM
to jenkins...@googlegroups.com

Read the exception, your ldap user needs a password change.

Darin McGrew

Dec 8, 2011, 10:54:19 AM
to jenkins...@googlegroups.com
On Thu, Dec 8, 2011 at 5:50 AM, Jeff Payne <je...@paynesplace.com> wrote:
> Looks like in your case the user has an expired password.  Might want to
> check that first.

Thanks. I should have mentioned that Jenkins was the only system that
was giving this error. Other systems were authenticating the users
just fine. Also, it was two users, who had recently changed their
passwords (multiple times).

Anyway, it did turn out to be an LDAP issue. Once we got the
accounts updated correctly, Jenkins was just as happy as the other
systems.
--
Darin McGrew
McGrew's Miscellanea - http://www.rahul.net/mcgrew/
HTML Help - http://www.htmlhelp.com/
Gimmick Car Rallyes - http://www.therallyeclub.org/
