Problem with LDAP authentication, username=


Leslie Giles
New installation of Jenkins 1.418.  I've set it up to use LDAP, but I can't get authentication to work.  In particular, when I enter a name into the project-based matrix authorization table, I get this in the log file:

Jun 30, 2011 3:15:44 PM hudson.security.LDAPSecurityRealm$LDAPUserDetailsService loadUserByUsername
WARNING: Failed to search LDAP for username=bgp863
org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;[LDAP: error code 50 - Search access not permitted with that filter]; nested exception is javax.naming.NoPermissionException: [LDAP: error code 50 - Search access not permitted with that filter]; remaining name ''

... along with a Java stack backtrace.  If I use the Linux ldapsearch tool with a filter "username=bgp863" it says exactly the same thing - "Search access not permitted with that filter".

I can search using ldapsearch with the filter "uid=bgp863" - if I understand Jenkins properly, I should be able to get it to search using the uid field by setting the "User search filter" field in the LDAP advanced settings to be "uid={0}" (which is also the default) - but setting this doesn't change the fact that Jenkins is trying to search using the username= field instead of "uid=".

Here's my config.xml:

<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <disabledAdministrativeMonitors/>
  <version>1.418</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Computer.Configure:anonymous</permission>
    <permission>hudson.model.Computer.Configure:authenticated</permission>
    <permission>hudson.model.Computer.Delete:anonymous</permission>
    <permission>hudson.model.Computer.Delete:authenticated</permission>
    <permission>hudson.model.Hudson.Administer:anonymous</permission>
    <permission>hudson.model.Hudson.Administer:authenticated</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Item.Build:anonymous</permission>
    <permission>hudson.model.Item.Build:authenticated</permission>
    <permission>hudson.model.Item.Configure:anonymous</permission>
    <permission>hudson.model.Item.Configure:authenticated</permission>
    <permission>hudson.model.Item.Create:anonymous</permission>
    <permission>hudson.model.Item.Create:authenticated</permission>
    <permission>hudson.model.Item.Delete:anonymous</permission>
    <permission>hudson.model.Item.Delete:authenticated</permission>
    <permission>hudson.model.Item.Read:anonymous</permission>
    <permission>hudson.model.Item.Read:authenticated</permission>
    <permission>hudson.model.Item.Workspace:anonymous</permission>
    <permission>hudson.model.Item.Workspace:authenticated</permission>
    <permission>hudson.model.View.Configure:anonymous</permission>
    <permission>hudson.model.View.Configure:authenticated</permission>
    <permission>hudson.model.View.Create:anonymous</permission>
    <permission>hudson.model.View.Create:authenticated</permission>
    <permission>hudson.model.View.Delete:anonymous</permission>
    <permission>hudson.model.View.Delete:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.LDAPSecurityRealm">
    <server>ids.mot-mobility.com</server>
    <rootDN>dc=motorola,dc=com</rootDN>
    <inhibitInferRootDN>false</inhibitInferRootDN>
    <userSearchBase></userSearchBase>
    <userSearch>uid={0}</userSearch>
    <managerPassword>THZNZEs5Nm1GZEtBUFNRZGh5VlIwZz09</managerPassword>
  </securityRealm>
  <markupFormatter class="hudson.markup.RawHtmlMarkupFormatter"/>
  <jdks/>
  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
  <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
  <clouds/>
  <slaves/>
  <quietPeriod>5</quietPeriod>
  <scmCheckoutRetryCount>0</scmCheckoutRetryCount>
  <views>
    <hudson.model.AllView>
      <owner class="hudson" reference="../../.."/>
      <name>All</name>
      <filterExecutors>false</filterExecutors>
      <filterQueue>false</filterQueue>
      <properties class="hudson.model.View$PropertyList"/>
    </hudson.model.AllView>
  </views>
  <primaryView>All</primaryView>
  <slaveAgentPort>0</slaveAgentPort>
  <label></label>
  <nodeProperties/>
  <globalNodeProperties/>
</hudson>

Help!

Lezz Giles
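
As an added example (not part of the original post, and not Jenkins code): a check of what search the stored realm settings describe for a given login name, so it can be compared with the filter that works in ldapsearch. It assumes `{0}` in `userSearch` is replaced by the login name and that `userSearchBase` is relative to `rootDN`; the XML is a constructed excerpt of the config above, and `effective_search` and `escape_filter_value` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the <securityRealm> element posted above
# (managerPassword deliberately left out).
SAMPLE_CONFIG = """<hudson>
  <securityRealm class="hudson.security.LDAPSecurityRealm">
    <server>ids.mot-mobility.com</server>
    <rootDN>dc=motorola,dc=com</rootDN>
    <userSearchBase></userSearchBase>
    <userSearch>uid={0}</userSearch>
  </securityRealm>
</hudson>"""

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a login name so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def effective_search(config_xml, username):
    """Return (search base, filter) described by the stored realm settings."""
    realm = ET.fromstring(config_xml).find("securityRealm")
    if realm is None or "LDAPSecurityRealm" not in realm.get("class", ""):
        raise ValueError("no LDAP security realm configured")
    template = (realm.findtext("userSearch") or "").strip()
    if "{0}" not in template:
        raise ValueError("userSearch has no {0} placeholder: %r" % template)
    root_dn = (realm.findtext("rootDN") or "").strip()
    sub_base = (realm.findtext("userSearchBase") or "").strip()
    # Assumption: userSearchBase is relative to rootDN, so join non-empty parts.
    base = ",".join(part for part in (sub_base, root_dn) if part)
    return base, template.replace("{0}", escape_filter_value(username))


if __name__ == "__main__":
    base, ldap_filter = effective_search(SAMPLE_CONFIG, "bgp863")
    print("search base:", base)
    print("filter:     ", ldap_filter)
```
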

Re: Problem with LDAP authentication, username=

Vladimir Smolensky
I'm having the exact same problem: Jenkins ignores "User search filter". Have you found a solution?

regards

On Thursday, June 30, 2011 at 10:22:08 PM UTC+3, Lezz Giles wrote:
New installation of Jenkins 1.418.  I've set it up to use LDAP, but I can't get authentication to work.  In particular, when I enter a name into the project-based matrix authorization table, I get this in the log file:

Jun 30, 2011 3:15:44 PM hudson.security.LDAPSecurityRealm$LDAPUserDetailsService loadUserByUsername
WARNING: Failed to search LDAP for username=bgp863
org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;[LDAP: error code 50 - Search access not permitted with that filter]; nested exception is javax.naming.NoPermissionException: [LDAP: error code 50 - Search access not permitted with that filter]; remaining name ''

... along with a Java stack backtrace.  If I use the Linux ldapsearch tool with a filter "username=bgp863" it says exactly the same thing - "Search access not permitted with that filter".

I can search using ldapsearch with the filter "uid=bgp863" - if I understand Jenkins properly, I should be able to get it to search using the uid field by setting the "User search filter" field in the LDAP advanced settings to be "uid={0}" (which is also the default) - but setting this doesn't change the fact that Jenkins is trying to search using the username= field instead of "uid=".

Here's my config.xml:

<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <disabledAdministrativeMonitors/>
  <version>1.418</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Computer.Configure:anonymous</permission>
    <permission>hudson.model.Computer.Configure:authenticated</permission>
    <permission>hudson.model.Computer.Delete:anonymous</permission>
    <permission>hudson.model.Computer.Delete:authenticated</permission>
    <permission>hudson.model.Hudson.Administer:anonymous</permission>
    <permission>hudson.model.Hudson.Administer:authenticated</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Item.Build:anonymous</permission>
    <permission>hudson.model.Item.Build:authenticated</permission>
    <permission>hudson.model.Item.Configure:anonymous</permission>
    <permission>hudson.model.Item.Configure:authenticated</permission>
    <permission>hudson.model.Item.Create:anonymous</permission>
    <permission>hudson.model.Item.Create:authenticated</permission>
    <permission>hudson.model.Item.Delete:anonymous</permission>
    <permission>hudson.model.Item.Delete:authenticated</permission>
    <permission>hudson.model.Item.Read:anonymous</permission>
    <permission>hudson.model.Item.Read:authenticated</permission>
    <permission>hudson.model.Item.Workspace:anonymous</permission>
    <permission>hudson.model.Item.Workspace:authenticated</permission>
    <permission>hudson.model.View.Configure:anonymous</permission>
    <permission>hudson.model.View.Configure:authenticated</permission>
    <permission>hudson.model.View.Create:anonymous</permission>
    <permission>hudson.model.View.Create:authenticated</permission>
    <permission>hudson.model.View.Delete:anonymous</permission>
    <permission>hudson.model.View.Delete:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.LDAPSecurityRealm">
    <server>ids.mot-mobility.com</server>
    <rootDN>dc=motorola,dc=com</rootDN>
    <inhibitInferRootDN>false</inhibitInferRootDN>
    <userSearchBase></userSearchBase>
    <userSearch>uid={0}</userSearch>
    <managerPassword>THZNZEs5Nm1GZEtBUFNRZGh5VlIwZz09</managerPassword>
  </securityRealm>
  <markupFormatter class="hudson.markup.RawHtmlMarkupFormatter"/>
  <jdks/>
  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
  <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
  <clouds/>
  <slaves/>
  <quietPeriod>5</quietPeriod>
  <scmCheckoutRetryCount>0</scmCheckoutRetryCount>
  <views>
    <hudson.model.AllView>
      <owner class="hudson" reference="../../.."/>
      <name>All</name>
      <filterExecutors>false</filterExecutors>
      <filterQueue>false</filterQueue>
      <properties class="hudson.model.View$PropertyList"/>
    </hudson.model.AllView>
  </views>
  <primaryView>All</primaryView>
  <slaveAgentPort>0</slaveAgentPort>
  <label></label>
  <nodeProperties/>
  <globalNodeProperties/>
</hudson>

Help!

Lezz Giles
