Authentication Issues with Jenkins


David Weintraub

Apr 27, 2012, 3:58:39 PM
to Jenkins Users
Using version 1.461.

We have our security using Active Directory, but it's the same issue I
have with an LDAP setup.

We are using basic Matrix security. The idea is that everyone in the
"MFX-CM" group is an administrator, and everyone who can log in is
authenticated. I am a member of the mfx-cm group.

I have my Active Directory setup like this:

Domain Name: MFXServices.intr
Domain controller: (blank)
Site: (blank)
Bind DN: CN=MFXCM SubVersion,OU=Users,OU=Roanoke,OU=Accounts,
DC=mfxservices,DC=intr
Bind Password: ******************************

Jenkins accepts this.

When I fill in the matrix based security table, I see the "double
person" icon when I put in Authenticated and when I put in "mfx-cm". I
see a "single person" icon when I put in "dweintraub".

As long as I have "authenticated" setup as an administrator, I can do
administration. Setting user "dweintraub" and group "mfx-cm" as
administrators will not work. As soon as I uncheck the administrator
box in "authenticated" and save, I can log in, but not change the
configuration.

I then noticed that if I click on my name I get the URL
http://builds/jenkins/user/David%20Weintraub/? and not "dweintraub". I
enter the user "David Weintraub" into the matrix based security and
that shows the red circle with the "X" through it icon as if "David
Weintraub" is an invalid user. However, if I give this invalid user
administrator privileges, I can once again act as an administrator
without authenticated having administrator permissions too.

To Summarize:

* Jenkins takes "dweintraub" as my login.
* User "dweintraub" shows up as a valid group in the matrix based security box
* I'm a member of the mfx-cm group
* Both "dweintraub" and "mfx-cm" are administrators in the matrix
based security scheme.
* I login with "dweintraub" and not "David Weintraub"
* I lose all administrator privileges unless "David Weintraub" in the
matrix based security table is also entered.
* User "David Weintraub" shows an invalid user icon when entered into
the Matrix Based Security table.

Somehow, Jenkins is reading our AD or LDAP to know that my login
"dweintraub" is good, but then thinks I'm user "David Weintraub". Yet,
in the matrix based security table, user "David Weintraub" isn't a
valid user.

I downgraded to the Active Directory 1.26 plugin, and that solved the
"dweintraub" vs. "David Weintraub". The 1.26 version understands I'm
user "dweintraub" when I log in as "dweintraub". However, it still
can't figure out I'm in the mfx-cm group.

And, I notice I get the following error when I go into the
configuration page (http://jenkins/jenkins/configure):

Apr 27, 2012 3:47:04 PM
hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider
retrieveUser
WARNING: Credential exception tying to authenticate against
MFXServices.intr domain
org.acegisecurity.userdetails.UsernameNotFoundException:
Authentication was successful but cannot locate the user information
for mfx-cm
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:198)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:130)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:95)
at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:27)
at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:551)
at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName_(GlobalMatrixAuthorizationStrategy.java:304)
at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:288)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

Note that this is complaining about the USER mfx-cm, but this is an
active directory group and not a user. Also notice that this group
shows up correctly (i.e. it shows the group icon) when I'm looking in
the security matrix table.

While I am at it, I also noticed this error when I go into the
configuration. Anyone have any idea what's causing it?

Apr 27, 2012 3:47:01 PM hudson.ExpressionFactory2$JexlExpression evaluate
WARNING: Caught exception evaluating:
descriptor.getPropertyType(instance,field).itemTypeDescriptorOrDie.
Reason: java.lang.reflect.InvocationTargetException
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.commons.jexl.util.PropertyExecutor.execute(PropertyExecutor.java:125)
at org.apache.commons.jexl.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:314)
at org.apache.commons.jexl.parser.ASTArrayAccess.evaluateExpr(ASTArrayAccess.java:185)


--
David Weintraub
qaz...@gmail.com

Jan Seidel

Apr 30, 2012, 7:39:57 AM
to jenkins...@googlegroups.com
Hi David,

Prove me wrong, but I actually read the exception as follows.
The user INFORMATION for mfx-cm is not readable.
The authentication of your user ID is done successfully, but the assignment of your security privileges isn't working.

Maybe I am running wild right now but I will try to find an explanation here ;)

I am a bit blown away that you can run LDAP authentication on Jenkins without assigning a DC. How can that work properly?
Another thing that jumps out at me:
You talk about a group called MFX-CM, but I see only "MFXCM SubVersion" in the bind DN. Do you have groups beneath that level?



* Jenkins takes "dweintraub" as my login.
   - that's your AD account. So far so good


* User "dweintraub" shows up as a valid group in the matrix based security box
  - the user shows up as a group? How is that?


* I'm a member of the mfx-cm group
  - That is still irritating me. Either that group comes from somewhere other than the LDAP, or you should review the setting of the group and check the members.


* Both "dweintraub" and "mfx-cm" are administrators in the matrix based security scheme.
  - I would remove the user and just list the security groups themselves. If it isn't working, your groups are either not read or not set up properly. The latter could be the LDAP setup or the security group configuration. Just because Jenkins accepts a DN bind does not mean the setting is correct. It simply indicates that something was found there in the right context.


* I login with "dweintraub" and not "David Weintraub"
 - This should be fine with LDAP as your account is "dweintraub" which refers to your alias "David Weintraub"


* I lose all administrator privileges unless "David Weintraub" in the matrix based security table is also entered.
 - Looks like the rule "The most restrictive privileges overpower other privileges with less restriction" is taking action here. So my assumption here is that the group "mfx-cm" cannot be read which gives you a security privilege of NULL and locks down your account to guest/authenticated no matter what your account has assigned as privilege. I'm not sure why "David Weintraub" can override this behaviour but I would guess that a user of this name exists in Jenkins. Check if that name appears in the jenkins user management or is present in the jenkins folder. I think deleting the user/folder and rereading the configuration in Jenkins will then also invalidate "David Weintraub" as username. http://builds/jenkins/user/David%20Weintraub/? is also an indicator that the user "David Weintraub" is located in Jenkins and interferes here.

* I enter the user "David Weintraub" into the matrix based security and that shows the red circle with the "X" through it icon as if "David Weintraub" is an invalid user.
 - another indicator of the comment in the previous topic


* User "David Weintraub" shows an invalid user icon when entered into the Matrix Based Security table.
  - see comment in previous topic

* Somehow, Jenkins is reading our AD or LDAP to know that my login "dweintraub" is good, but then thinks I'm user "David Weintraub". Yet, in the matrix based security table, user "David Weintraub" isn't a valid user.
  - see comment in previous topic

The exception you get is actually telling you all you need to know here to run a counterproof.
Remove the group in the security matrix and simply put "dweintraub" as admin there. You should then have administrative privileges and no exception anymore. If so, recheck the proper path reference to your OU and the security group setup.
If not, come back with the details your research gives ;)

Regarding your other exception: to put this into a Danish saying: "How do you eat an elephant? Bite by bite..." So try to solve one issue before you bark at the next one ;)

my 10 cents
Jan

David Weintraub

May 1, 2012, 4:05:58 PM
to jenkins...@googlegroups.com
> I am a bit blown that you can run LDAP authentication on Jenkins without
> assigning a DC. How can that work properly?

I'm not using LDAP, but Active Directory. A lot of Active Directory is
built upon LDAP, but one of Active Directory's features is that I
don't have to specify a domain controller. Instead, the machine using
Active Directory sends out a general request, and one of the domain
controllers will respond.

MFX-CM is a group, and it appears that Jenkins picks this up as a
group. When I put mfx-cm in as a user, the "group" icon shows up.
However, it doesn't appear to recognize me being a member of the
group. Under Active Directory, there's a "MemberOf" collection field
that contains all the groups in the Active Directory LDAP tree I'm a
member of.

> Another thing that jumps me:
> You tell about a group called MFX-CM but I see only "MFXCM SubVersion" in
> the DN bind. Do you have groups beneath that level?

Our Active Directory is set up so that you need to be a valid user to
sign on. "MFXCM SubVersion" is a special user that has Subversion
read-only access and not much else. However, MFXCM SubVersion has the
right to look at the Active Directory tree, so we use that to log into
our Active Directory.

> * User "dweintraub" shows up as a valid group in the matrix based security
> box
>   - the user shows up as group? how that?

Sorry. My mistake. I show up as a user -- not a group.

> * I login with "dweintraub" and not "David Weintraub"
>  - This should be fine with LDAP as your account is "dweintraub" which
> refers to your alias "David Weintraub"
>
>
> * I lose all administrator privileges unless "David Weintraub" in the matrix
> based security table is also entered.

Actually, this is a problem with the latest AD plugin. Earlier
versions of the plugin consider my user "dweintraub" and not user
"David Weintraub". Going back to the earlier version helped.

> * Both "dweintraub" and "mfx-cm" are administrators in the matrix  based
> security scheme.
>   -  I would remove the user and just list the security groups themselves.
> If it ain't working your groups are either not read or not set up properly.
> The latter could be LDAP setup or security group configuration. Just because
> Jenkins accepts a DN bind does it not equalize to the correct setting. This
> indicates simply the something was found there in the right context.

I'd love to do this just by groups, but right now, group permissions
don't work. The AD plugin worked before, and it now seems not to be
working.
--
David Weintraub
qaz...@gmail.com
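The identity mapping the two posts argue about (login name versus display name as the Jenkins user id, and group membership read from the user's memberOf attribute) is easy to reason about once written down. The following is an added example for this thread, not code from the Jenkins Active Directory plugin: it is a small model of an AD-backed login being evaluated against a matrix like the one in the first post. The directory entries, the OU=Groups path and the group DNs are constructed sample data that reuse the thread's names (they are not the poster's directory), and the matching rules (exact match on the user id, case-insensitive match on group names, no "most restrictive wins" rule) are assumptions of this model rather than a statement of how the plugin behaves.

```python
"""Model of how an AD-backed Jenkins login turns into matrix permissions.

Added example, not the Active Directory plugin's own code. It models the
two behaviours the thread compares: a principal named by sAMAccountName
("dweintraub") versus one named by displayName ("David Weintraub"), with
group membership read from memberOf. Directory data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample directory: one user in two groups (attributes invented).
AD_ENTRIES = [
    {
        "dn": "CN=David Weintraub,OU=Users,OU=Roanoke,OU=Accounts,DC=mfxservices,DC=intr",
        "sAMAccountName": "dweintraub",
        "displayName": "David Weintraub",
        "memberOf": [
            "CN=MFX-CM,OU=Groups,DC=mfxservices,DC=intr",      # assumed group DN
            "CN=Domain Users,CN=Users,DC=mfxservices,DC=intr",
        ],
    },
]

# Jenkins permission ids as they appear in config.xml.
ADMINISTER = "hudson.model.Hudson.Administer"
READ = "hudson.model.Hudson.Read"


def rdn_value(dn: str) -> str:
    """First RDN value of a DN: 'CN=MFX-CM,OU=Groups,...' -> 'MFX-CM'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def lookup_user(login: str) -> Optional[dict]:
    """Find the entry whose sAMAccountName matches; AD compares it case-insensitively."""
    for entry in AD_ENTRIES:
        if entry["sAMAccountName"].lower() == login.lower():
            return entry
    return None


@dataclass(frozen=True)
class Principal:
    name: str            # the id Jenkins shows under /user/<name>/
    groups: frozenset    # lower-cased group names plus "authenticated"


def authenticate(login: str, principal_attr: str = "sAMAccountName",
                 resolve_groups: bool = True) -> Principal:
    """The bind for `login` succeeded; build the principal Jenkins will authorize.

    principal_attr selects which AD attribute becomes the Jenkins user id (the
    thread saw this change between plugin versions). resolve_groups=False models
    a lookup that authenticates but cannot read memberOf, leaving only the
    implicit "authenticated" sid.
    """
    entry = lookup_user(login)
    if entry is None:
        raise LookupError(f"cannot locate the user information for {login}")
    groups: Set[str] = {"authenticated"}
    if resolve_groups:
        # AD group names are case-insensitive, so MFX-CM and mfx-cm are one sid.
        groups |= {rdn_value(dn).lower() for dn in entry["memberOf"]}
    return Principal(entry[principal_attr], frozenset(groups))


def has_permission(matrix: Dict[str, Set[str]], principal: Principal,
                   permission: str) -> bool:
    """matrix maps a sid (user id, group name or 'authenticated') to its permissions.

    A principal holds a permission if any sid it carries grants it. User ids are
    matched exactly, group names case-insensitively (assumptions of this model).
    """
    for sid, perms in matrix.items():
        if permission not in perms:
            continue
        if sid == principal.name or sid.lower() in principal.groups:
            return True
    return False


# The matrix from the first post: group and login name as admins,
# everyone who can log in may read.
MATRIX: Dict[str, Set[str]] = {
    "mfx-cm": {ADMINISTER, READ},
    "dweintraub": {ADMINISTER, READ},
    "authenticated": {READ},
}


def can_administer(principal_attr: str, resolve_groups: bool = True,
                   extra_sids: Optional[Dict[str, Set[str]]] = None) -> Tuple[str, bool]:
    """Log in as dweintraub under the given plugin behaviour; return
    (Jenkins user id, may administer)."""
    matrix = {**MATRIX, **(extra_sids or {})}
    p = authenticate("dweintraub", principal_attr, resolve_groups)
    return p.name, has_permission(matrix, p, ADMINISTER)


if __name__ == "__main__":
    # Plugin that uses sAMAccountName and reads memberOf: the matrix works as typed.
    print(can_administer("sAMAccountName"))                     # ('dweintraub', True)
    # Plugin that uses displayName and cannot read groups: neither admin row matches.
    print(can_administer("displayName", resolve_groups=False))  # ('David Weintraub', False)
    # ...until the display name itself is added as a sid, as the poster observed.
    print(can_administer("displayName", False,
                         {"David Weintraub": {ADMINISTER}}))    # ('David Weintraub', True)
```

The three calls at the bottom reproduce the thread's observations in order: with the login name as the user id and groups resolved, the rows "mfx-cm" and "dweintraub" both grant Administer; with the display name as the user id and no group resolution, neither row matches and only a "David Weintraub" row does. The practical check this suggests is to confirm which attribute your plugin version uses for the user id (the /user/... URL shows it) and whether memberOf is actually being read for the bound account before editing the matrix.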