Urgent Help Required On Jenkins LDAP Plugin


Mukul Garg

Jan 1, 2017, 9:09:55 AM1/1/17
to Jenkins Users
Hi Team,

We had a requirement for upgrading our security to LDAP authentication in Jenkins. We made all the necessary changes of installing the self-signed certificates on our Jenkins CLI server as per the blog below, after installing the LDAP plugin on the Jenkins GUI.


However, on the 5th step as per this blog we couldn't find the file /etc/sysconfig/Jenkins where we were supposed to make the changes below. Hence, we made these changes from the Jenkins UI in Manage Jenkins > Configure System. Even after making these changes we were unable to connect to the LDAP server. So, we installed the Skip Certificate Check plugin on our Jenkins and after that the SSL handshake error that we were getting while connecting to the LDAP server was gone and the LDAP server lets us establish our connection with it.

Our last hurdle is that we are unable to log in to Jenkins with our LDAP credentials. We tried all the options available on Google. However, no luck. We are using the Project-based Matrix Authorization Strategy. Kindly help. The error that we are getting now is: "LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, Problem 2001 (NO_OBJECT), data 0, best match of: OU=AppUsers,DC=COMPANY,DC=COM". We verified with our LDAP team and they suggested all the settings are correct and we are receiving the connection properly from your system.

All your help is much appreciated.

Step 5: Make the following changes to the /etc/sysconfig/jenkins file. You need to have sudo access to do so.
  • Change the JENKINS_PORT value to "-1" - you need to do this to ensure your CI server is no longer accessed through http.
  • Change the JENKINS_HTTPS_PORT value to "443" or any other port which is not taken.
  • Change the JENKINS_ARGS value to "--httpsKeyStore=$JENKINS_HOME/.ssl/.keystore --httpsKeyStorePassword=same-as-provided-during-cert-generation".
Regards,
Mukul Garg
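The SSL handshake error in the post above was worked around by installing the Skip Certificate Check plugin, which turns off verification of the LDAP server's certificate for every connection Jenkins makes to it. The alternative a security engineer would reach for is to trust that one self-signed certificate explicitly in the JVM and keep verification on. The Python script below is an added example, not code from the thread, from the blog it refers to, or from the Jenkins project: it fetches the certificate the LDAPS server presents, prints its SHA-256 fingerprint so it can be confirmed with the LDAP team out-of-band before being trusted, emits the keytool import and the JVM options that point Jenkins at the resulting truststore, and finally proves the handshake succeeds with checks enabled. The host name, truststore path, password and the JENKINS_JAVA_OPTIONS variable are assumptions; the embedded PEM is a constructed placeholder, not a real certificate, so the fingerprint helper can be exercised offline.

```python
"""Trust a self-signed LDAPS certificate in the Jenkins JVM instead of
disabling certificate checks.  Added example; not from the original thread
or the Jenkins project.  Host names, paths and passwords are assumptions."""
import base64
import hashlib
import shlex
import socket
import ssl

# Constructed "certificate": the base64 body is arbitrary bytes, NOT a real
# X.509 certificate; it only lets pem_to_der()/fingerprint_sha256() run offline.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-not-a-real-certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def fetch_server_cert_pem(host, port=636):
    """Pull the leaf certificate the LDAPS server presents (network access).
    Nothing is validated here; that is what the fingerprint step is for."""
    return ssl.get_server_certificate((host, port))


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def fingerprint_sha256(pem):
    """Colon-separated SHA-256 fingerprint: the value to confirm with the
    LDAP team before the certificate is trusted."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def keytool_import_cmd(pem_path, truststore, storepass, alias="corp-ldap"):
    """keytool invocation that adds the cert to a JKS truststore, as an argv
    list so the password never goes through shell quoting."""
    return ["keytool", "-importcert", "-noprompt", "-alias", alias,
            "-file", pem_path, "-keystore", truststore,
            "-storepass", storepass]


def jvm_truststore_opts(truststore, storepass):
    """JVM options pointing Jenkins at that truststore.  On RPM installs they
    go into JENKINS_JAVA_OPTIONS in /etc/sysconfig/jenkins (assumption)."""
    return " ".join(shlex.quote(o) for o in (
        "-Djavax.net.ssl.trustStore=" + truststore,
        "-Djavax.net.ssl.trustStorePassword=" + storepass,
    ))


def handshake_ok(host, pem, port=636):
    """Handshake with verification ON (chain and host name) using only the
    trusted PEM, i.e. the skip-certificate-check workaround is not needed."""
    ctx = ssl.create_default_context(cadata=pem)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    host = "ldap.company.example"                       # assumed host name
    pem = fetch_server_cert_pem(host)
    print("SHA-256:", fingerprint_sha256(pem))          # confirm out-of-band
    with open("/tmp/ldap.pem", "w") as fh:
        fh.write(pem)
    ts = "/var/lib/jenkins/.ssl/truststore.jks"         # assumed path
    print(" ".join(shlex.quote(a) for a in keytool_import_cmd("/tmp/ldap.pem", ts, "changeit")))
    print(jvm_truststore_opts(ts, "changeit"))
    print("verified handshake:", handshake_ok(host, pem))
```

Run it once on the Jenkins host, compare the printed fingerprint with what the LDAP team reads off the server, and only then run the printed keytool command. On Debian-style installs the same -D options belong in JAVA_ARGS in /etc/default/jenkins (assumption, as the file location depends on the package, see the reply below). Restart Jenkins afterwards and remove the Skip Certificate Check plugin.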

Christoph Nenning

Jan 2, 2017, 3:59:48 AM1/2/17
to jenkins...@googlegroups.com
Hi,

> However, on the 5th step as per this blog we couldn't find the file
> as /etc/sysconfig/Jenkins



Whether that file is present depends on your Linux distro and on how you installed Jenkins. It is present under RedHat-like distros when you installed Jenkins from the rpm.

Under Debian-like distros it is located at /etc/default/jenkins (when installed from the deb).

If you are running Jenkins just from its war file you can add those parameters to your custom startup script.


Regards,
Christoph



Mukul Garg

Jan 3, 2017, 7:05:44 AM1/3/17
to Jenkins Users
Hi All,

The error that we were getting at the start of this thread got resolved after setting the User Search Filter to sAMAccountName, and we were successfully able to authenticate our LDAP users from the Jenkins CLI using a Java program provided by http://celoxis.atlassian.net/wiki/display/DOC90/Testing+your+LDAP+setup

However, we are still not able to log in to Jenkins through the Jenkins UI and are getting the error below.

Failed to search LDAP for username=muk_newyork
org.acegisecurity.ldap.LdapDataAccessException: Missing 'equals'; nested exception is javax.naming.directory.InvalidSearchFilterException: Missing 'equals'; remaining name 'OU=Users,dc=mycompany,dc=com'

Audrey Azra

Jan 3, 2017, 11:16:04 AM1/3/17
to Jenkins Users
Hey there, you should validate the manager DN value. Seems this may be wrong. You can do that using the ldapsearch command. Example:

ldapsearch -vvv -LLL -H ldaps://<domain_controller>:3269 -x -D "<your_username>@<domain>" -W -b "dc=company,dc=com" "(CN=<functional_id>)"

Extract dn information from output from above command.

Hope this helps
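Audrey's ldapsearch test confirms the manager DN by asking the directory directly. When ldap-utils is not installed, the NO_OBJECT response itself already says a lot: Active Directory's "best match of:" is the deepest entry it could find, so every RDN in the configured DN to the left of that best match is what the server does not have (or has under a different spelling). The Python below is an added example, not code from the thread or from the Jenkins LDAP plugin: it parses the error-32 text and compares it with the DN Jenkins was configured with, reporting which RDNs are missing or that the base itself does not match. The sample error line is constructed from the one quoted at the top of the thread, and the configured DNs are built from the placeholders posted later in it.

```python
"""Read an Active Directory NO_OBJECT (error code 32) response and say which
part of a configured DN the server could not find.  Added example; not from
the thread or the Jenkins LDAP plugin.  Sample data is constructed."""
import re

# Constructed from the error quoted at the top of the thread.
SAMPLE_ERROR = ("LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, "
                "Problem 2001 (NO_OBJECT), data 0, best match of: "
                "OU=AppUsers,DC=COMPANY,DC=COM")

# AD sometimes wraps the best match in single quotes and puts it on its own line.
_BEST_MATCH = re.compile(r"best match of:\s*'?([^'\r\n]+?)'?\s*$", re.IGNORECASE)


def best_match_dn(error_text):
    """Extract the 'best match' DN, i.e. the deepest entry that does exist."""
    m = _BEST_MATCH.search(error_text.strip())
    return m.group(1).strip() if m else None


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas; an RFC 4514 '\\,' stays
    inside its value (e.g. cn=Smith\\, John)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def _norm(rdn):
    # AD compares attribute types, and the values of these naming attributes,
    # case-insensitively, so ou=AppUsers and OU=APPUSERS are the same RDN.
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + " ".join(value.split()).lower()


def diagnose(configured_dn, error_text):
    """Compare the DN Jenkins was configured with against AD's best match.

    status 'missing-rdn'   : best match is a suffix of the configured DN, the
                             RDNs listed under 'missing' do not exist there;
    status 'exists'        : the configured DN is exactly the best match, so
                             the failing DN is a different one (e.g. the search
                             base rather than the manager DN);
    status 'base-mismatch' : the best match is not a suffix at all, i.e. the
                             domain components or an OU are spelled wrong."""
    found = best_match_dn(error_text)
    if found is None:
        return {"status": "no-best-match", "missing": [], "exists": None}
    want = [_norm(r) for r in split_dn(configured_dn)]
    have = [_norm(r) for r in split_dn(found)]
    if len(have) <= len(want) and want[len(want) - len(have):] == have:
        missing = split_dn(configured_dn)[:len(want) - len(have)]
        return {"status": "missing-rdn" if missing else "exists",
                "missing": missing, "exists": found}
    return {"status": "base-mismatch", "missing": [], "exists": found}


if __name__ == "__main__":
    # Manager DN shape posted later in the thread, with the placeholders filled in.
    for dn in ("cn=Generic User,ou=AppUsers,dc=COMPANY,dc=COM",
               "ou=Users,dc=mycompany,dc=com"):
        print(dn, "->", diagnose(dn, SAMPLE_ERROR))
```

A "missing-rdn" verdict naming only the cn= part means the OU and domain are right and the bind account itself is not where the manager DN says; "base-mismatch" means the search base or root DN is wrong before the account is even looked for. Either way it tells you which value to fix before re-running Audrey's ldapsearch.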

Mukul Garg

Jan 3, 2017, 12:06:01 PM1/3/17
to Jenkins Users
Since ldap-utils was not present on our Jenkins CLI Server we took a Java Program with which we are successfully able to authenticate LDAP users from CLI. However, when we put same configuration on Jenkins it is giving this new error this time. Earlier, when I started this thread we were unable to authenticate from CLI as well. However, CLI works fine now and Jenkins gives this error.

Failed to search LDAP for username=muk_newyork
org.acegisecurity.ldap.LdapDataAccessException: Missing 'equals'; nested exception is javax.naming.directory.InvalidSearchFilterException: Missing 'equals'; remaining name 'OU=Users,dc=mycompany,dc=com'

Earlier, the user search filter was set to sAMAccountName={0}.
However, we were getting the error given in the initial mail of the thread.
Once we made it just sAMAccountName, based on the suggestion of our LDAP team, I was able to get myself authenticated from the Java program, and this new error came up in the Jenkins system logs.

Mukul Garg

Jan 4, 2017, 12:17:48 AM1/4/17
to Jenkins Users
Below are the configured values.

Server: Our LDAP sever URL

root DN: <my company>, dc=com

User search base: <my company>, dc=com

User search filter: sAMACCOUNTNAME

Group search base: not applicable

Group search filter: not applicable

Group membership: not applicable

Manager dn: cn=<Generic User>,ou=<AppUsers>,dc=<my company>,dc=com

Manager password: password of Generic user

Display Name LDAP attribute: displayname
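On the "Missing 'equals'" error and the configuration just posted: the Jenkins LDAP plugin's User search filter is a template in which {0} is replaced by the login name, and the result has to be an RFC 4515 search filter, every clause of which is attribute=value. A template of just sAMACCOUNTNAME (the attribute-name case does not matter to Active Directory; the missing ={0} does) produces a filter with no '=' at all, which is what that message is reporting. The Python below is an added example, not code from the thread or from the plugin: it validates a template before it is saved, performs the substitution with RFC 4515 escaping so a crafted login name cannot turn into extra filter clauses (LDAP filter injection), and runs both the working and the broken values quoted in the thread. It does not assert what escaping the plugin itself applies; the escaping shown is what any client must do before sending the filter.

```python
"""Build and validate a Jenkins-style LDAP "User search filter" template
(attribute={0}).  Added example; not code from the thread or the Jenkins LDAP
plugin.  Templates and user names below are the ones quoted in the thread."""
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Accepted template shapes: attr={0}, optionally parenthesised, or an OR of
# several such clauses, e.g. (|(sAMAccountName={0})(mail={0})).
_SINGLE = re.compile(r"\(?\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*\{0\}\s*\)?")
_OR = re.compile(r"\(\|(\s*\([A-Za-z][A-Za-z0-9-]*=\{0\}\)\s*)+\)")


def escape_filter_value(value):
    """Escape a value that is substituted into a filter, so a login name such
    as admin)(objectClass=* stays a literal string instead of new clauses."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def validate_filter(template):
    """Reject templates that cannot work before they reach the directory."""
    # Every clause of an RFC 4515 filter is attr=value (or ~=, >=, <=), so a
    # template without any '=' is unparsable; the client reports exactly this.
    if "=" not in template:
        raise ValueError("Missing 'equals': filter must be attr={0}")
    if "{0}" not in template:
        raise ValueError("filter has no {0} placeholder, the login name is never used")
    if template.count("(") != template.count(")"):
        raise ValueError("unbalanced parentheses in filter")
    if not (_SINGLE.fullmatch(template.strip()) or _OR.fullmatch(template.strip())):
        raise ValueError("unsupported filter shape: " + template)


def build_user_filter(template, username):
    """The filter that goes on the wire: {0} replaced by the escaped login name,
    wrapped in parentheses if the template did not already have them."""
    validate_filter(template)
    f = template.replace("{0}", escape_filter_value(username)).strip()
    return f if f.startswith("(") else "(" + f + ")"


def check_config(template, username):
    """One-line verdict, handy for reviewing a pasted Jenkins configuration."""
    try:
        return "OK: " + build_user_filter(template, username)
    except ValueError as e:
        return "ERROR: " + str(e)


if __name__ == "__main__":
    for tmpl in ("sAMAccountName={0}", "sAMACCOUNTNAME", "(uid={0})",
                 "(|(sAMAccountName={0})(mail={0}))"):
        print(repr(tmpl), "->", check_config(tmpl, "muk_newyork"))
    # Injection attempt in the login field is neutralised by escaping.
    print(check_config("sAMAccountName={0}", "admin)(objectClass=*"))
```

The configured value in the post above therefore needs to go back to sAMAccountName={0}: the {0} is what makes the filter usable from the UI, while the CLI Java test authenticated because it was given a complete filter of its own. Note also that a login form is attacker-controlled input to this filter; whichever component does the substitution must escape it as escape_filter_value() does.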
