So, I tried again with the new Active Directory plugin. When using our Service_Build user, there is no authentication request coming into Active Directory, which is how it should be.
So the problem was the old, buggy Active Directory plugin.

Thanks for the help & best regards,
Eric

-----Original Message-----
From: jenkinsci-users@googlegroups.com [mailto:jenkinsci-users@googlegroups.com] On behalf of Lewis, Eric
Sent: Monday, 11 June 2012 17:08
To: jenkinsci-users@googlegroups.com
Subject: AW: Jenkins CLI user gets locked in Active Directory

Ok, upgrading to the latest Active Directory plugin solves at least the problem in the Jenkins configuration page.
I'll check tomorrow about the rest of the problem.

Best regards,
Eric

-----Original Message-----
From: jenkinsci-users@googlegroups.com [mailto:jenkinsci-users@googlegroups.com] On behalf of Lewis, Eric
Sent: Monday, 11 June 2012 14:14
To: jenkinsci-users@googlegroups.com
Subject: AW: Jenkins CLI user gets locked in Active Directory

Ok, I checked with our sysadmin, but there's no more information in the logs.

However, another problem, which I postponed, may be the cause.
As I mentioned, we're using Active Directory for authentication. In the Jenkins config, I'm using the Matrix-based security.
Since we installed the new version, I always see errors in the GUI and in the log.
For instance, for the mentioned Service_Build user, I see:

Failed to test the validity of the user name Service_Build
org.acegisecurity.BadCredentialsException: Failed to retrieve user information for Service_Build; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'DC=ipie,DC=ch'
    at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:231)
    at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:130)
    at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:95)
    at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:27)
    at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:551)
    at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName_(GlobalMatrixAuthorizationStrategy.java:304)
    at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:288)
    at sun.reflect.GeneratedMethodAccessor3018.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:288)
    at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:151)
    at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:90)
    at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:111)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:574)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:659)
    at org.kohsuke.stapler.MetaClass$6.doDispatch(MetaClass.java:241)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:574)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:659)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:488)
    at org.kohsuke.stapler.Stapler.service(Stapler.java:162)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:45)
    at winstone.ServletConfiguration.execute(ServletConfiguration.java:248)
    at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
    at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:376)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:95)
    at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:74)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:98)
    at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:87)
    at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
    at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
    at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:47)
    at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
    at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
    at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:166)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:61)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
    at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
    at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
    at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
    at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
    at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
    at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
    at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
    at winstone.RequestDispatcher.forward(RequestDispatcher.java:331)
    at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:215)
    at winstone.RequestHandlerThread.run(RequestHandlerThread.java:138)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:138)
    at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'DC=ipie,DC=ch'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3107)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1829)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1752)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:394)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
    at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBuilder.java:52)
    at hudson.plugins.active_directory.LDAPSearchBuilder.searchOne(LDAPSearchBuilder.java:42)
    at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:191)
    ... 70 more

The users however can very well log into Jenkins and are authenticated. Also the Active Directory test in the config works.
I postponed this error because people can still work, but it's still an error. And I see the same whenever I try to do something with the Service_Build user.

So maybe this is the root cause of my problems?
It looks like it's a known issue: https://issues.jenkins-ci.org/browse/JENKINS-12619

Best regards,
Eric

-----Original Message-----
From: jenkinsci-users@googlegroups.com [mailto:jenkinsci-users@googlegroups.com] On behalf of Lewis, Eric
Sent: Friday, 8 June 2012 16:56
To: jenkinsci-users@googlegroups.com
Subject: AW: Jenkins CLI user gets locked in Active Directory

I don't see that file. I'll have to check with our Linux admin on Monday.

Best regards,
Eric

-----Original Message-----
From: Alex Earl [mailto:slide.o....@gmail.com]
Sent: Friday, 8 June 2012 16:45
To: Lewis, Eric; jenkinsci-users@googlegroups.com
Subject: RE: Jenkins CLI user gets locked in Active Directory

Usually they are in /var/log I believe. Look for auth.log or something similar

Sent from my Windows Phone

From: Lewis, Eric
Sent: 6/8/2012 7:33 AM
To: jenkinsci-users@googlegroups.com
Subject: AW: Jenkins CLI user gets locked in Active Directory

Oh... :-)

Well, I'm not really a Linux guru, so could you tell me where I find those logs?
(Also, I'm not root either)

Best regards,
Eric

-----Original Message-----
From: Alex Earl [mailto:slide.o....@gmail.com]
Sent: Friday, 8 June 2012 16:23
To: Lewis, Eric; jenkinsci-users@googlegroups.com
Subject: RE: Jenkins CLI user gets locked in Active Directory

I was meaning the logs on the Linux machine.

Sent from my Windows Phone

From: Lewis, Eric
Sent: 6/8/2012 7:06 AM
To: jenkinsci-users@googlegroups.com
Subject: AW: Jenkins CLI user gets locked in Active Directory

Ok, I'll have to check (on Monday) with our Windows admins, since I don't have access to those logs.

Best regards,
Eric

-----Original Message-----
From: Alex Earl [mailto:slide.o....@gmail.com]
Sent: Friday, 8 June 2012 16:00
To: Lewis, Eric; jenkinsci-users@googlegroups.com
Subject: RE: Jenkins CLI user gets locked in Active Directory

Can you check the logs for authentication and see if AD is being tried before the key based auth?
Sent from my Windows Phone

From: Lewis, Eric
Sent: 6/8/2012 6:32 AM
To: jenkinsci-users@googlegroups.com
Subject: AW: Jenkins CLI user gets locked in Active Directory

Sorry! :-)

Yes, Jenkins is running on Red Hat Linux (apparently Red Hat Enterprise Linux Server release 5.8 (Tikanga))

Best regards,
Eric

-----Original Message-----
From: jenkinsci-users@googlegroups.com [mailto:jenkinsci-users@googlegroups.com] On behalf of Slide
Sent: Friday, 8 June 2012 15:30
To: jenkinsci-users@googlegroups.com
Subject: Re: Jenkins CLI user gets locked in Active Directory

Is this running on Linux? More information about your platforms and such would be useful.

On Tue, Jun 5, 2012 at 5:58 AM, Lewis, Eric <eric.le...@ipi.ch> wrote:
> Hi
>
> We have a user called Service_Build which is used for issuing Jenkins CLI
> commands (either in bash or in Jenkins).
> This user is defined in Active Directory, which is what we use for
> authentication. So normally, I can log in as this user and I have
> administrator rights in Jenkins.
>
> I followed the documentation in the Jenkins wiki and (with help from Rob
> Mandeville) managed to authenticate the Service_Build user with
> public/private key credentials. So that part works well.
>
> However, it looks like Jenkins is still trying to authenticate that user with
> Active Directory, because the user is locked in Active Directory after a
> number of CLI commands (eight in our case).
> Should I have created the private key using the Active Directory password? Or
> how can I prevent that Active Directory locking?
>
> Best regards,
> Eric

--
Website: http://earl-of-code.com
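
A triage sketch for the LDAP error quoted in this thread, added here as an example and not part of the original messages or of the Active Directory plugin. It separates the quoted error (code 1, 000004DC: a search on a connection with no completed bind) from rejected binds (code 49), which are the log entries to count when investigating an account lockout. The two code-49 lines are constructed samples; the function names and the sub-code table are this example's own.

```python
import re
from collections import Counter

# AD sub-codes found in the "data" field of LDAP error 49 (a rejected bind).
BIND_FAILURES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}
LDAP_ERR = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): "
    r"LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+), v[0-9A-Fa-f]+\]")
USER = re.compile(r"user information for (?P<user>[^;\s]+)")

def classify(line):
    """Return (kind, detail) for an AD LdapErr string, or None if absent."""
    m = LDAP_ERR.search(line)
    if not m:
        return None
    code, data = int(m["code"]), m["data"].lower()
    if code == 49:  # bind attempted and rejected by the directory
        return ("failed_bind", BIND_FAILURES.get(data, "unknown sub-code " + data))
    # 0x4DC is Win32 error 1244 (ERROR_NOT_AUTHENTICATED): no bind took place.
    if code == 1 and m["win32"].upper() == "000004DC":
        return ("unbound_operation", "search issued without a successful bind")
    return ("other", m["comment"])

def summarise(lines):
    """Count classified LDAP errors per (user, kind)."""
    counts = Counter()
    for line in lines:
        verdict = classify(line)
        if verdict:
            u = USER.search(line)
            counts[(u["user"] if u else "?", verdict[0])] += 1
    return counts

SAMPLE = [
    # From the thread:
    "org.acegisecurity.BadCredentialsException: Failed to retrieve user information for Service_Build; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'DC=ipie,DC=ch'",
    # Constructed samples of rejected binds:
    "Failed to retrieve user information for Service_Build; [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]",
    "Failed to retrieve user information for Service_Build; [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1]",
]

if __name__ == "__main__":
    for key, n in sorted(summarise(SAMPLE).items()):
        print(key, n)
```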