Hi Stephen, I will see what I can do, but can't promise a quick turnaround (I need to get a fair amount done before the JUC next week)
This may have something to do with the location of the main servers for the domain. e.g. nslookup -q=SRV _ldap._tcp.mydomain.com returns servers that are not located in the same site as Jenkins (indeed some are on the other side of the globe and all have the same weight!).

The AD plugin does multiple queries as it recursively checks for group membership (a change that I did - so you can slap me with a wet fish for that). This was to support: if you are a member of group Y and group Y is a member of Jenkins_Admins then you will correctly be identified as a user with ROLE_jenkins_admin.

Pings to the server on the other side of the world are 72ms... pings to my local global catalogue server - well that's <1 ms :-) Now you can imagine, if each query took just a round trip time, that 100 queries (lots of groups in large companies) would be 100 * 72ms, which is about 7 seconds, compared to a not noticeable 0.1s. (NB: slight correction below).

/James

On Tuesday, 15 October 2013 15:32:14 UTC+1, Stephen Connolly wrote:
>
> James, would you be amenable to firing up a test jenkins and giving some comparative timings?
>
> At least in Unix mode they should be pretty much identical in performance, though the AD plugin should be much easier to configure
>
> On 15 October 2013 14:47, teilo <teilo+...@teilo.net> wrote:
>
>> The LDAP plugin is (at least it was when we unceremoniously ditched the AD plugin) MUCH MUCH quicker to authenticate users than the AD one when you have a lovely large tree of domains…
>>
>> Now I will prefix this with I am not an AD expert but…
>>
>> http://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx
>>
>> "The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest.
>> The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers."
>>
>> I don’t notice any delay using the global catalogue and LDAP – using AD we often saw multi second (into the tens) delays in authentication – the above may or may not be the reason for it.
>>
>> /James
>>
>> On Tuesday, 15 October 2013 14:01:38 UTC+1, Stephen Connolly wrote:
>>
>>> Can we just ask one question:
>>>
>>> WHY ARE YOU USING THE LDAP PLUGIN AND NOT THE ACTIVE DIRECTORY PLUGIN?
>>>
>>> People seem to keep on wanting to inflict pain on themselves and go with the more complex LDAP plugin rather than the much much easier to use Active Directory plugin.
>>>
>>> If there is some feature missing that causes you to decide to plump for the LDAP plugin it would be good to know so that the feature could be added to the Active Directory plugin.
>>>
>>> On 15 October 2013 13:17, Ricardo García Fernández <ricard...@gmail.com> wrote:
>>>
>>>> Hi Zac!
>>>>
>>>> I was dealing with the same issue: authentication against LDAP/AD and your answer was the right one.
>>>>
>>>> Also, I fixed the group filter and configured group properties using this filter:
>>>>
>>>> Group search filter: (& (cn={0}) (objectclass=group) )
>>>> Group Search Base: your OU groups separated with commas (,).
>>>>
>>>> Thus I can configure groups and users from general configuration to Job one.
>>>>
>>>> Thanks for your solution, it was very helpful
>>>>
>>>> On Wednesday, 14 December 2011 20:01:34 UTC+1, Zac Harvey wrote:
>>>>>
>>>>> I am trying to set up Jenkins to authenticate using our AD domain over LDAP.
>>>>> I have been working with the Systems Group trying to configure all of the settings under Manage Jenkins >> Configure System >> Access Control. We finally have all the settings configured correctly (at least, in the eyes of the Systems people), and we are not getting any red validation errors in the GUI. However I still cannot log in via LDAP/AD. Below is the console output. Any nudges in the right direction are enormously appreciated!
>>>>>
>>>>> Console Output:
>>>>> Dec 14, 2011 1:47:21 PM hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
>>>>> INFO: Login attempt failed
>>>>> org.acegisecurity.AuthenticationServiceException: LdapCallback;[LDAP: error code 32 - 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
>>>>> 'DC=MYPROJECT,DC=COM'
>>>>> ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
>>>>> 'DC=MYPROJECT,DC=COM'
>>>>> ]; remaining name 'dc=myproject,dc=com'; nested exception is org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;[LDAP: error code 32 - 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
>>>>> 'DC=MYPROJECT,DC=COM'
>>>>> ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
>>>>> 'DC=MYPROJECT,DC=COM'
>>>>> ]; remaining name 'dc=myproject,dc=com'
>>>>>     at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:238)
>>>>>     at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:119)
>>>>>     at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:195)
>>>>>     at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
>>>>>     at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71)
>>>>>     at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
>>>>>     at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
>>>>>     at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
>>>>>     at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
>>>>>     at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:61)
>>>>>     at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
>>>>>     at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
>>>>>     at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
>>>>>     at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
>>>>>     at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
>>>>>     at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>>>>>     at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>>>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
>>>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:185)
>>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:151)
>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
>>>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
>>>>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:269)
>>>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
>>>>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>>>>>     at java.lang.Thread.run(Thread.java:662)
>>>>> Caused by: org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;[LDAP: error code 32 - 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
>>>>> 'DC=MYPROJECT,DC=COM'
>>>>> ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
>>>>> 'DC=MYPROJECT,DC=COM'
>>>>> ]; remaining name 'dc=myproject,dc=com'
>>>>>     at org.acegisecurity.ldap.LdapTemplate$LdapExceptionTranslator.translate(LdapTemplate.java:295)
>>>>>     at org.acegisecurity.ldap.LdapTemplate.execute(LdapTemplate.java:128)
>>>>>     at org.acegisecurity.ldap.LdapTemplate.searchForSingleEntry(LdapTemplate.java:246)
>>>>>     at org.acegisecurity.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:119)
>>>>>     at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.authenticate(BindAuthenticator.java:71)
>>>>>     at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2.authenticate(BindAuthenticator2.java:49)
>>>>>     at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:233)
>>>>>     ... 34 more
>>>>> Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
>>>>> 'DC=MYPROJECT,DC=COM'
>>>>> ]; remaining name 'dc=myproject,dc=com'
>>>>>     at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3066)
>>>>>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
>>>>>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
>>>>>     at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
>>>>>     at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1749)
>>>>>     at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1766)
>>>>>     at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:394)
>>>>>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
>>>>>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
>>>>>     at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
>>>>>     at org.acegisecurity.ldap.LdapTemplate$3.doInDirContext(LdapTemplate.java:249)
>>>>>     at org.acegisecurity.ldap.LdapTemplate.execute(LdapTemplate.java:126)
>>>>>     ... 39 more
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/groups/opt_out.
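James's point above, that the SRV answer gives every domain controller the same weight and that the AD plugin issues one query per level of group nesting, can be put in numbers. The following is an added example, not code from the thread or from either Jenkins plugin. The SRV records, the memberOf links and the host names are constructed assumptions; the 72ms and <1ms round-trip figures are the ones quoted in the post.

```python
"""Model of the login cost of walking nested AD groups one query at a time
against domain controllers chosen from an SRV answer with equal weights.
Added example; the directory and SRV data below are constructed."""
from collections import deque

# Constructed SRV answer for _ldap._tcp.mydomain.com:
# (priority, weight, host, assumed round-trip time in ms).
# As in the post, all records share one priority and weight, so a plain LDAP
# client has nothing in DNS that prefers the controller in its own site.
SRV_RECORDS = [
    (0, 100, "dc-local.mydomain.com", 1.0),
    (0, 100, "dc-remote1.mydomain.com", 72.0),
    (0, 100, "dc-remote2.mydomain.com", 72.0),
]

# Constructed directory: DN -> the DNs in its memberOf attribute.
BASE = "DC=mydomain,DC=com"
MEMBER_OF = {
    f"CN=alice,OU=Users,{BASE}": [f"CN=TeamX,OU=Groups,{BASE}"],
    f"CN=TeamX,OU=Groups,{BASE}": [f"CN=Y,OU=Groups,{BASE}", f"CN=Z,OU=Groups,{BASE}"],
    f"CN=Y,OU=Groups,{BASE}": [f"CN=Jenkins_Admins,OU=Groups,{BASE}"],
    f"CN=Z,OU=Groups,{BASE}": [],
    f"CN=Jenkins_Admins,OU=Groups,{BASE}": [],
}


def candidate_servers(records):
    """RFC 2782 selection: only records at the lowest priority are eligible."""
    lowest = min(r[0] for r in records)
    return [r for r in records if r[0] == lowest]


def expected_rtt_ms(records):
    """Weight-averaged RTT per LDAP round trip when the client picks among the
    eligible servers by weight. Equal weights make every pick equally likely."""
    eligible = candidate_servers(records)
    total_weight = sum(r[1] for r in eligible)
    return sum(rtt * weight / total_weight for _, weight, _, rtt in eligible)


def resolve_nested_groups(start_dn, lookup):
    """Walk memberOf transitively, issuing one directory query per DN (the
    pattern described in the post). Returns (group DNs, number of queries)."""
    seen, queue, queries = set(), deque([start_dn]), 0
    while queue:
        dn = queue.popleft()
        queries += 1                      # one LDAP search, one round trip
        for group in lookup(dn):
            if group not in seen:         # also terminates on circular nesting
                seen.add(group)
                queue.append(group)
    return seen, queries


def login_time_s(queries, rtt_ms):
    """Total time if each query costs exactly one round trip."""
    return queries * rtt_ms / 1000.0


if __name__ == "__main__":
    groups, n = resolve_nested_groups(f"CN=alice,OU=Users,{BASE}",
                                      lambda dn: MEMBER_OF.get(dn, []))
    admin = f"CN=Jenkins_Admins,OU=Groups,{BASE}" in groups
    print(f"{n} queries resolved {len(groups)} groups; Jenkins_Admins={admin}")
    print(f"100 queries, remote DC only:   {login_time_s(100, 72.0):.1f}s")
    print(f"100 queries, local GC only:    {login_time_s(100, 1.0):.1f}s")
    print(f"100 queries, uniform SRV pick: {login_time_s(100, expected_rtt_ms(SRV_RECORDS)):.1f}s")
```

Two practitioner notes that go beyond the post: AD also publishes site-scoped records at `_ldap._tcp.<SiteName>._sites.mydomain.com`, which is what a Windows DC locator uses and a generic LDAP client does not, so pointing Jenkins at the site-local name or an explicit local global catalog removes the random remote pick. And the transitive walk itself can be collapsed to one search with the AD matching rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941), e.g. `(member:1.2.840.113556.1.4.1941:=<userDN>)`, which returns every group the user is in directly or through nesting.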
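Two things from the older part of the thread are worth having in tool form: the AD extended error in Zac's console output, and the `{0}` substitution in Ricardo's group search filter. This is an added example, not the Jenkins LDAP plugin's code. The sample error string is the first error line from the console output above joined onto one line; the result-code names are the RFC 4511 ones; the escaping follows RFC 4515, applied to the filter template written without Ricardo's inner spaces.

```python
"""Parse an AD extended LDAP error and build a group search filter with the
substituted value escaped. Added example; SAMPLE_ERROR is constructed from the
console output in the thread."""
import re

# First error line from the console output above, joined onto one line.
SAMPLE_ERROR = (
    "[LDAP: error code 32 - 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), "
    "data 0, best match of: 'DC=MYPROJECT,DC=COM' ]; remaining name 'dc=myproject,dc=com'"
)

# RFC 4511 result codes most often seen in directory authentication failures.
RESULT_CODES = {
    0: "success",
    1: "operationsError",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Layout of the message JNDI builds from an AD error: RFC result code, the
# Win32 error (hex), a category, the DSID, the AD problem number and name, a
# data field, and the server's matchedDN ("best match of").
AD_ERROR_RE = re.compile(
    r"error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), problem (?P<problem>\d+) \((?P<name>\w+)\), "
    r"data (?P<data>[0-9A-Fa-f]+)(?:, best match of: '(?P<best_match>[^']*)')?"
)
REMAINING_RE = re.compile(r"remaining name '(?P<remaining>[^']*)'")


def parse_ad_ldap_error(text):
    """Return the fields of an AD extended LDAP error as a dict, or None if the
    text is not in that format."""
    m = AD_ERROR_RE.search(text)
    if m is None:
        return None
    fields = m.groupdict()
    fields["code"] = int(fields["code"])
    fields["problem"] = int(fields["problem"])
    fields["result"] = RESULT_CODES.get(fields["code"], "unknown")
    r = REMAINING_RE.search(text)
    fields["remaining"] = r.group("remaining") if r else None
    return fields


# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so the server matches it literally instead of parsing it as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(template, group_name):
    """Substitute {0} in a Jenkins-style group search filter template with an escaped value."""
    return template.replace("{0}", escape_filter_value(group_name))


if __name__ == "__main__":
    f = parse_ad_ldap_error(SAMPLE_ERROR)
    print(f"result {f['code']} ({f['result']}), AD {f['win32']} {f['name']}, "
          f"matched DN {f['best_match']!r}, unresolved {f['remaining']!r}")
    tmpl = "(&(cn={0})(objectclass=group))"
    print(build_group_filter(tmpl, "Jenkins_Admins"))
    # Unescaped, this name would become (&(cn=*)(objectclass=*)(objectclass=group))
    # and match every group; escaped, it matches nothing.
    print(build_group_filter(tmpl, "*)(objectclass=*"))
```

Reading the parsed fields for the thread's error: result 32 means the server could not find the search base, and "best match of" is the matchedDN the server did resolve. When a search against `dc=myproject,dc=com` fails this way, the thing to check is the search base and which server the URL points at, not the filter; a filter that matches nothing yields an empty result, not error 32.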