[ https://issues.jenkins-ci.org/browse/JENKINS-12180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=162095#comment-162095 ]
Dan Dexter commented on JENKINS-12180:
--------------------------------------

Never mind on my previous note. I figured out the issue. It looks like some parts of the plugin and/or authentication routine are case sensitive. I can enter the group name as all lower case, for example, and it will show the group icon showing it's able to look it up properly, but it will only fully authenticate if I enter the group name with the exact same case as it's entered in AD.

I will close this out.

> Active Directory Plugin - Adding AD Group Throws BadCredentialsException
> ------------------------------------------------------------------------
>
> Key: JENKINS-12180
> URL: https://issues.jenkins-ci.org/browse/JENKINS-12180
> Project: Jenkins
> Issue Type: Bug
> Components: active-directory
> Affects Versions: current
> Environment: OS: CentOs 6 64-bit
>              Hardware Platform: VMWare ESXi 5.0
> Reporter: Tony Lee
> Labels: AD, active_directory, plugins
>
> Adding an AD group, e.g. ciusers on Authorization type "Project-based Matrix
> Authorization Strategy", throws BadCredentialsException.
>
> Issue:
> doCheckName_() first tries finding a user and this fails and throws the
> BadCredentialsException. The function doCheckName_() then tries
> loadGroupByGroupName() which is throwing UserMayOrMayNotExistException right
> away. Function doCheckName_() uses SecurityRealm.loadGroupByGroupName()
> instead of LDAPSecurityRealm.loadGroupByGroupName().
>
> Snippet of loadGroupByGroupname() from the SecurityRealm class.
>
> public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
>     throw new UserMayOrMayNotExistException(groupname);
> }
>
> Snippet of loadGroupByGroupname() from the LDAPSecurityRealm class.
>
> public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
>     // TODO: obtain a DN instead so that we can obtain multiple attributes later
>     String searchBase = groupSearchBase != null ? groupSearchBase : "";
>     final Set<String> groups = (Set<String>)ldapTemplate.searchForSingleAttributeValues(searchBase, GROUP_SEARCH,
>             new String[]{groupname}, "cn");
>     if(groups.isEmpty())
>         throw new UsernameNotFoundException(groupname);
>     return new GroupDetails() {
>         public String getName() {
>             return groups.iterator().next();
>         }
>     };
> }
>
> Snippet of doCheckName_():
>
> public FormValidation doCheckName_(String value, AccessControlled subject, Permission permission) throws IOException, ServletException {
>     if(!subject.hasPermission(permission)) return FormValidation.ok(); // can't check
>     final String v = value.substring(1,value.length()-1);
>     SecurityRealm sr = Jenkins.getInstance().getSecurityRealm();
>     String ev = Functions.escape(v);
>     if(v.equals("authenticated"))
>         // system reserved group
>         return FormValidation.respond(Kind.OK, makeImg("user.png") +ev);
>     try {
>         sr.loadUserByUsername(v);
>         return FormValidation.respond(Kind.OK, makeImg("person.png")+ev);
>     } catch (UserMayOrMayNotExistException e) {
>         // undecidable, meaning the user may exist
>         return FormValidation.respond(Kind.OK, ev);
>     } catch (UsernameNotFoundException e) {
>         // fall through next
>     } catch (DataAccessException e) {
>         // fall through next
>     }
>     try {
>         sr.loadGroupByGroupname(v);
>         return FormValidation.respond(Kind.OK, makeImg("user.png") +ev);
>     } catch (UserMayOrMayNotExistException e) {
>         // undecidable, meaning the group may exist
>         return FormValidation.respond(Kind.OK, ev);
>     } catch (UsernameNotFoundException e) {
>         // fall through next
>     } catch (DataAccessException e) {
>         // fall through next
>     }
>     // couldn't find it. it doesn't exist
>     return FormValidation.respond(Kind.ERROR, makeImg("error.png") +ev);
> }
>
> Stack trace snippet:
>
> Failed to test the validity of the user name ciusers
> org.acegisecurity.BadCredentialsException: Authentication was successful but cannot locate the user information for ciusers
>     at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:147)
>     at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:105)
>     at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:64)
>     at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:23)
>     at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:514)
>     at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName_(GlobalMatrixAuthorizationStrategy.java:303)
>     at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:288)
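
The behaviour described in the comment above (a group name that validates in any case but only takes effect with the exact case stored in AD), as an added example that is not part of the original message and is not Jenkins or plugin code. It models an assumed case-insensitive directory lookup next to an assumed case-sensitive authorization match, then audits configured names against the canonical spelling; the class, its methods and every sample group other than `ciusers` are constructed for illustration.

```java
import java.util.*;

// Added illustration, not Jenkins or plugin code. All names are hypothetical.
public class GroupCaseAudit {
    // Constructed sample: canonical group names as stored in the directory.
    static final List<String> DIRECTORY_GROUPS = List.of("CIUsers", "Build-Admins");

    // Assumed lookup behaviour: the directory matches names ignoring case
    // and returns the canonical spelling (empty if no such group exists).
    static Optional<String> lookupGroup(String name) {
        return DIRECTORY_GROUPS.stream().filter(g -> g.equalsIgnoreCase(name)).findFirst();
    }

    // Assumed authorization behaviour: an exact, case-sensitive comparison
    // between the configured name and the groups reported at login.
    static boolean grants(String configuredName, Set<String> loginGroups) {
        return loginGroups.contains(configuredName);
    }

    // Flags configured entries that pass validation but can never match at login,
    // and entries that do not exist in the directory at all.
    static Map<String, String> audit(Collection<String> configuredNames) {
        Map<String, String> findings = new LinkedHashMap<>();
        for (String name : configuredNames) {
            Optional<String> canonical = lookupGroup(name);
            if (canonical.isEmpty()) {
                findings.put(name, "not found in directory");
            } else if (!canonical.get().equals(name)) {
                findings.put(name, "case mismatch, use \"" + canonical.get() + "\"");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: groups reported for one user at login.
        Set<String> loginGroups = Set.of("CIUsers");
        // Constructed sample: names as typed into the authorization matrix.
        List<String> matrix = List.of("ciusers", "Build-Admins", "qa-team");
        for (String entry : matrix) {
            System.out.printf("%-13s validates=%-5b grants=%b%n",
                    entry, lookupGroup(entry).isPresent(), grants(entry, loginGroups));
        }
        audit(matrix).forEach((k, v) -> System.out.println("FINDING " + k + ": " + v));
    }
}
```

An entry that validates but does not grant is the silent failure to look for when reviewing matrix permissions; comparing each configured name to the directory's canonical spelling surfaces it before users report missing access.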