[JIRA] [active-directory] (JENKINS-22727) AD plugin times out for large user/group membership

[jon...@microsoft.com (JIRA)]

Jon Wiswall created JENKINS-22727 AD plugin times out for large user/group membership Issue Type: Bug Assignee: Unassigned Components: active-directory Created: 23/Apr/14 7:20 AM Description: Logs show that the plugin has correctly matched my username against the right DC and authenticated correctly. All my groups are printed along with some additional ldap content. Then there's a two minute gap in the logs around Stage 2: Apr 22, 2014 11:46:27 PM FINE hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider Stage 2: looking up via memberOf Apr 22, 2014 11:48:27 PM FINE hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider CN=Jon Wiswall,OU=<ou>,OU=<ou>,DC=<dc>,DC=<dc>,DC=<dc>,DC=<dc> is a member of cn: <group name> After the 2-minute break the log prints the first 20 or so of my ~150 group memberships. Looks like the LDAP server gives up at this point: Failed to retrieve user information for <username> javax.naming.TimeLimitExceededException: [LDAP: error code 3 - Timelimit Exceeded]; remaining name 'DC=<dc>,DC=<dc>,DC=<dc>,DC=<dc>' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(Unknown Source) at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source) at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(Unknown Source) at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.parseMembers(ActiveDirectoryUnixAuthenticationProvider.java:456) ... which then fails the Jenkins login with an authentication failed message. I'm sure this is to do with our large Active Directory deployment. Could the plugin only check the username/pw combo, and then if matrix or project-based security is enabled, check if the named groups are present? The initial auth step (which dumps all the groups anyhow) is super fast. (Note: marked bug as 'minor' but I can't really point my team at my Jenkins instance until this works.) Environment: AD plugin v1.37, Jenkins 1.56, Running as a service, Windows Server 2012 R2, Active Directory with multiple domains Project: Jenkins Priority: Minor Reporter: Jon Wiswall

This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators. For more information on JIRA, see: http://www.atlassian.com/software/jira

--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.