[
https://issues.jenkins-ci.org/browse/JENKINS-12907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=162108#comment-162108
]
SCM/JIRA link daemon commented on JENKINS-12907:
------------------------------------------------
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
http://jenkins-ci.org/commit/active-directory-plugin/d7e074905585af53eb553a1fa05726853273c338
Log:
[FIXED JENKINS-12907] treat names as names to get escaping right, not as
string
> Active Directory/LDAP group with special characters causes
> authentication/retrieveUser to fail
> ----------------------------------------------------------------------------------------------
>
> Key: JENKINS-12907
> URL: https://issues.jenkins-ci.org/browse/JENKINS-12907
> Project: Jenkins
> Issue Type: Bug
> Components: active-directory
> Affects Versions: current
> Environment: Linux example-host 2.6.38-13-server #55-Ubuntu SMP Tue
> Jan 24 15:52:18 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
> java version "1.6.0_24"
> Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
> Java HotSpot(TM) 64-Bit Server VM (build 19.1-b02, mixed mode)
> Apache Tomcat/7.0.12
> Jenkins ver. 1.451
> Authenticating against Active Directory running on Windows Server 2008
> Reporter: Jarrett Taylor
> Priority: Minor
> Labels: active_directory,
>
> It appears that Active Directory (and presumably LDAP) authentication fails
> if the user is a member of a group with special characters in the name.
> Realistically, retrieveUser fails which makes it look like an authentication
> issue. To resolve this, the DN of the group needs to be properly escaped
> before calling context.getAttributes(dn). This is probably related to the
> incomplete fix applied in JENKINS-3249
> (https://issues.jenkins-ci.org/browse/JENKINS-3249).
> The group that is failing is one we use to test our own LDAP code. It is
> named:
> test,+"\<>;=/role
> Here is the log information related to the authentication failure (with
> identifying data replaced):
> Feb 27, 2012 11:43:13 AM
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider
> retrieveUser
> WARNING: Exhausted all configured domains and could not authenticat against
> any.
> Feb 27, 2012 11:43:13 AM
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider
> retrieveUser
> WARNING: Credential exception tying to authenticate against EXAMPLE.COM domain
> org.acegisecurity.BadCredentialsException: Failed to retrieve user
> information for example.user; nested exception is
> javax.naming.InvalidNameException:
> "CN=test\,\+\"\\\<\>\;\=/role,OU=Groups,DC=Example,DC=com": [LDAP: error code
> 34 - 0000208F: LdapErr: DSID-0C090709, comment: Error processing name, data
> 0, v1db0]; remaining name
> '"CN=test\,\+\"\\\<\>\;\=/role,OU=Groups,DC=Example,DC=com"'
> at
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:180)
> at
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:116)
> at
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:83)
> at
> org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:119)
> at
> org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:195)
> at
> org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
> at
> org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71)
> at
> org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
> at
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> at
> org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
> at
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:61)
> at
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> at
> org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
> at
> hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
> at
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> at
> hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
> at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> at
> hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
> at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)
> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:301)
> at
> org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:183)
> at
> org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:169)
> at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> at java.lang.Thread.run(Thread.java:662)
> Caused by: javax.naming.InvalidNameException:
> "CN=test\,\+\"\\\<\>\;\=/role,OU=Groups,DC=Example,DC=com": [LDAP: error code
> 34 - 0000208F: LdapErr: DSID-0C090709, comment: Error processing name, data
> 0, v1db0]; remaining name
> '"CN=test\,\+\"\\\<\>\;\=/role,OU=Groups,DC=Example,DC=com"'
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2979)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
> at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1309)
> at
> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
> at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
> at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
> at
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.resolveGroups(ActiveDirectoryUnixAuthenticationProvider.java:223)
> at
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:172)
> ... 37 more
> Feb 27, 2012 11:43:13 AM
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider
> retrieveUser
> WARNING: Failed to retrieve user information for example.user
> javax.naming.InvalidNameException:
> "CN=test\,\+\"\\\<\>\;\=/role,OU=Groups,DC=Example,DC=com": [LDAP: error code
> 34 - 0000208F: LdapErr: DSID-0C090709, comment: Error processing name, data
> 0, v1db0]; remaining name
> '"CN=test\,\+\"\\\<\>\;\=/role,OU=Groups,DC=Example,DC=com"'
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2979)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
> at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1309)
> at
> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
> at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
> at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
> at
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.resolveGroups(ActiveDirectoryUnixAuthenticationProvider.java:223)
> at
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:172)
> at
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:116)
> at
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:83)
> at
> org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:119)
> at
> org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:195)
> at
> org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
> at
> org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71)
> at
> org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
> at
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> at
> org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
> at
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:61)
> at
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> at
> org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
> at
> hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
> at
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> at
> hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
> at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> at
> hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
> at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)
> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:301)
> at
> org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:183)
> at
> org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:169)
> at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> at java.lang.Thread.run(Thread.java:662)
> Feb 27, 2012 11:43:13 AM
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider
> resolveGroups
> FINE: Example User is a member of
> CN=test\,\+\"\\\<\>\;\=/role,OU=Groups,DC=Example,DC=com
> Feb 27, 2012 11:43:13 AM
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider
> resolveGroups
> FINE: Example User is a member of CN=Working
> Example,OU=Groups,DC=Example,DC=com
> Feb 27, 2012 11:43:13 AM
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider
> retrieveUser
> FINE: Failed to find example.user in userPrincipalName. Trying sAMAccountName
> Feb 27, 2012 11:43:13 AM
> hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DesciprotrImpl
> bind
> FINE: Bound to b-ad-01.example.com:3269
> Feb 27, 2012 11:43:13 AM
> hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DesciprotrImpl
> bind
> WARNING: Failed to bind to 10.10.10.10:389
> javax.naming.CommunicationException: simple bind failed: 10.10.10.10:389
> [Root exception is java.net.SocketException: Connection reset]
> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
> at
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:134)
> at
> hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DesciprotrImpl.bind(ActiveDirectorySecurityRealm.java:293)
> at
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:142)
> at
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:116)
> at
> hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:83)
> at
> org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:119)
> at
> org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:195)
> at
> org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
> at
> org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71)
> at
> org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
> at
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> at
> org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
> at
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:61)
> at
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> at
> org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
> at
> hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
> at
> hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
> at
> hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
> at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> at
> hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
> at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)
> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:301)
> at
> org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:183)
> at
> org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:169)
> at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> at java.lang.Thread.run(Thread.java:662)
> Caused by: java.net.SocketException: Connection reset
> at java.net.SocketInputStream.read(SocketInputStream.java:168)
> at
> com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
> at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
> at
> com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
> at
> java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:396)
> at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
> ... 43 more
> Feb 27, 2012 11:43:13 AM
> hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DesciprotrImpl
> obtainLDAPServer
> FINE: _gc._tcp.EXAMPLE.COM resolved to [b-ad-01.example.com:3269,
> b-ad-01.example.com:3269, c-ad-01.example.com:3269, v-ad-01.example.com:3269,
> j-ad-01.example.com:3269, s-ms-ad-01.example.com:3269,
> b-ms-ad-01.example.com:3269]
> Feb 27, 2012 11:43:13 AM
> hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DesciprotrImpl
> obtainLDAPServer
> FINE: Attempting to resolve _gc._tcp.EXAMPLE.COM to SRV record
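An added example (not the plugin's code and not the referenced commit) of the approach the commit log and the report point to: handle the group DN as a parsed `javax.naming.ldap.LdapName` instead of a `String`, so that JNDI's composite-name rules for `/`, quotes and backslashes are never applied to it. The class and method names are hypothetical; the group name and DN are the ones quoted in the report.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical demo class, not part of the active-directory plugin.
public class GroupDnEscapingDemo {

    // Build a DN from raw attribute values; Rdn applies the DN escaping.
    static LdapName groupDn(String rawCn) throws InvalidNameException {
        List<Rdn> rdns = new ArrayList<Rdn>();
        // LdapName numbers RDNs from the right, so the root goes in first.
        rdns.add(new Rdn("DC", "com"));
        rdns.add(new Rdn("DC", "Example"));
        rdns.add(new Rdn("OU", "Groups"));
        rdns.add(new Rdn("CN", rawCn));
        return new LdapName(rdns);
    }

    // Parse a DN string as an LDAP name and return the unescaped leaf value.
    static String leafValue(String dn) throws InvalidNameException {
        LdapName name = new LdapName(dn);
        return String.valueOf(name.getRdn(name.size() - 1).getValue());
    }

    // Parse the same text the way a String argument to a JNDI context is
    // parsed: as a composite name, where '/', quotes and '\' have their
    // own meaning that is unrelated to LDAP DN escaping.
    static String compositeView(String dn) {
        try {
            CompositeName composite = new CompositeName(dn);
            return composite.size() + " component(s): "
                    + Collections.list(composite.getAll());
        } catch (InvalidNameException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        // Group name and DN copied from the report above.
        String rawGroup = "test,+\"\\<>;=/role";
        String loggedDn =
            "CN=test\\,\\+\\\"\\\\\\<\\>\\;\\=/role,OU=Groups,DC=Example,DC=com";

        LdapName built = groupDn(rawGroup);
        System.out.println("built DN       : " + built);
        System.out.println("same as logged : " + built.equals(new LdapName(loggedDn)));
        System.out.println("leaf round-trip: " + rawGroup.equals(leafValue(loggedDn)));
        System.out.println("composite view : " + compositeView(loggedDn));
        // The exception text in the report shows the name wrapped in double quotes.
        System.out.println("quoted view    : " + compositeView("\"" + loggedDn + "\""));
    }
}
```

A parsed `LdapName` can be passed to `DirContext.getAttributes(Name)` directly, which avoids the composite-name parsing that the `String` overload applies.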