"no route to host" using LDAP and Active Directory


Terry Lacy

Apr 1, 2014, 5:16:48 PM
to jenkins...@googlegroups.com

I'm having intermittent issues authenticating with Jenkins.  I use LDAP with Active Directory.  My Jenkins server is on Ubuntu 12.04 Server, and AD is running on Windows 2008 R2.

When authentication fails, I see this in my logs:

Apr 01, 2014 2:15:04 PM hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
INFO: Login attempt failed
org.acegisecurity.AuthenticationServiceException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: mysubdomain.mydomain.org:389 [Root exception is java.net.NoRouteToHostException: No route to host]]; nested exception is org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: mysubdomain.mydomain.org:389 [Root exception is java.net.NoRouteToHostException: No route to host]]
        at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:238)
        at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)

Notice that it says "mysubdomain.mydomain.org:389" (I changed this from my real domain/subdomain).  mysubdomain.mydomain.org doesn't exist, and that's not actually the address of my AD server.  I actually have my LDAP server configured using an IP address.  In fact, I can't find "mysubdomain.mydomain.org" when I grep my configuration, so I have no idea where it's coming from, other than I suppose you could cobble it together from the root search names.

Am I mistaken in believing that it's trying to show the server name it's trying to connect to in the exception?

Any ideas?

Terry

Richard Bywater

Apr 1, 2014, 5:44:40 PM
to jenkins...@googlegroups.com
Perhaps check out the Override Domain Controllers section on this page: https://wiki.jenkins-ci.org/display/JENKINS/Active+Directory+plugin

Richard.


--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Terry Lacy

Apr 2, 2014, 12:16:46 PM
to jenkins...@googlegroups.com
I'm not using the Active Directory plugin.  I'm using LDAP.

Terry

Jeff

Apr 2, 2014, 12:25:02 PM
to jenkins...@googlegroups.com
FWIW, I could never get the LDAP plugin to work against Active Directory, but the Active Directory plugin works like a charm.
--
Jeff Vincent
See my LinkedIn profile at:
http://www.linkedin.com/in/rjeffreyvincent

Terry Lacy

Apr 16, 2014, 10:37:05 AM
to jenkins...@googlegroups.com
Unfortunately, I'm on Linux, so I don't think the Active Directory plugin is an option.  From what I've read, you can use it on Linux, but it just falls back to LDAP authentication.

FWIW, after updating to Jenkins 1.557, and also updating the LDAP plugin, login no longer fails.  I still occasionally get long delays when logging in, and I still see the "No route to host" exception in the logs, but it doesn't prevent me from logging in.

Terry

Gatis Indriksons

Mar 2, 2015, 9:57:38 AM
to jenkins...@googlegroups.com
We just recently fixed such an issue.

The LDAP service on a Windows AD server is integrated with, and dependent on, the DNS service. If you are running an LDAP query from a Linux machine using Java against an Active Directory server, AD DNS is involved in parsing the LDAP response. If there is a malfunctioning or misconfigured DNS (or even client) on the AD controller, you may get the error "No route to host" during parsing of the LDAP response, even though the response itself comes out of LDAP successfully. In our case there was wrong information in the DNS server configuration (running on the same host as the LDAP/AD server): the IP address of a non-existing server remained in the DNS server list, resulting in "no route to host" for that DNS server, while AD LDAP uses "DomainDnsZones.mysubdomain.mydomain.org" to detect the DNS server on a round-robin basis.

Fixing the DNS server list in DC/LDAP server resolved the issue.

Regards,

Gatis
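A small diagnostic written for this thread (not code from any poster or from Jenkins) that pulls the host, port and root cause out of the JNDI exception text quoted above, resolves that host to every address in its round-robin set, and reports which addresses do not accept a TCP connection on the LDAP port, which is how a stale record like the one Gatis describes shows up. The sample log line, the resolver and the probe used in the test are constructed; the real resolver and probe use the standard library.

```python
import re
import socket

# Constructed sample, modelled on the exception text quoted earlier in this thread.
SAMPLE_LOG = (
    "org.acegisecurity.AuthenticationServiceException: LdapCallback;null; nested exception is "
    "javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: "
    "mysubdomain.mydomain.org:389 [Root exception is java.net.NoRouteToHostException: No route to host]]"
)

# Matches "javax.naming.CommunicationException: <host>:<port> [Root exception is java.net.<X>Exception"
FAILURE_RE = re.compile(
    r"javax\.naming\.CommunicationException: (?P<host>[A-Za-z0-9.\-]+):(?P<port>\d+) "
    r"\[Root exception is (?P<cause>java\.net\.\w+Exception)"
)


def parse_ldap_failure(line):
    """Return (host, port, root_cause) from a JNDI CommunicationException, or None if absent."""
    m = FAILURE_RE.search(line)
    if m is None:
        return None
    return m.group("host"), int(m.group("port")), m.group("cause")


def resolve_all(name):
    """Every address the name resolves to, i.e. the whole round-robin set, sorted."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(addr, port, timeout=2.0):
    """True if a TCP handshake to addr:port completes within the timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(line, resolver=resolve_all, probe=tcp_reachable):
    """Parse the failure line, then split its host's addresses into reachable and stale."""
    parsed = parse_ldap_failure(line)
    if parsed is None:
        return None
    host, port, cause = parsed
    addresses = resolver(host)
    stale = [a for a in addresses if not probe(a, port)]
    reachable = [a for a in addresses if a not in stale]
    return {"host": host, "port": port, "cause": cause, "reachable": reachable, "stale": stale}
```

Run it against a real log line to see which address in the round-robin set is the one that never answers; that address is the DNS entry to clean up on the domain controller.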