Can't login with LDAP to Jenkins

To harden security on our Jenkins CI server (running 1.614 on Ubuntu 14.04), I configured an LDAP plugin yesterday. Everything looked good yesterday and I was able to log in and manually configure and run some builds.

This morning, however, no one, including me, can log in.

We are told that we are looking at the server console output, but nothing is written to /var/log/jenkins/jenkins.log. I found "How to view the console output of the Jenkins server on the local file system?", but there are no such log files in /usr/lib/jenkins/ (which is in my jenkins home directory).

I've tried a simple groovy troubleshooting script at https://wiki.jenkins-ci.org/display/JENKINS/LDAP+Plugin, but each request returns:

Checking the name 'wibble'...
  It is NOT a group, reason: No such property: Jenkins for class: RemoteClass
  It is NOT a user, reason: No such property: Jenkins for class: RemoteClass

      

My security config:

<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
<securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap@1.11">
    <server>server.ip.address</server>
    <rootDN>dc=domain,dc=location,dc=au</rootDN>
    <inhibitInferRootDN>false</inhibitInferRootDN>
    <userSearchBase>dc=domain,dc=location,dc=au</userSearchBase>
    <userSearch>sAMAccountName={0}</userSearch>
    <groupSearchBase>ou=groups</groupSearchBase>
    <groupSearchFilter>(&amp; (cn={0}) (objectclass=group) )</groupSearchFilter>
    <groupMembershipStrategy class="jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy">
        <filter>(&amp;(objectCategory=group)(member={0}))</filter>
    </groupMembershipStrategy>
    <managerDN>cn=administrator,cn=users,dc=domain,dc=location,dc=au</managerDN>
    <managerPasswordSecret>wurble-bop-de-boo</managerPasswordSecret>
    <disableMailAddressResolver>false</disableMailAddressResolver>
    <displayNameAttributeName>displayname</displayNameAttributeName>
    <mailAddressAttributeName>mail</mailAddressAttributeName>
    <userIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
    <groupIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
</securityRealm>

      

The configuration changes were not made overnight and we use the same credentials / settings for another LDAP integration from about 3 or 4 different applications and they all work fine.

+3




1 answer


I had a similar problem after simply adding or modifying a user on the Configure Global Security page. I think, just like @davidrv87 said, Chrome automatically fills in some hidden "username" and "password" fields and breaks your LDAP settings.

Result

In the main Jenkins file, the config.xml, wrong settings show up as new child nodes under <securityRealm>:

  <securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap@1.11">
+      <managerDN>myusername</managerDN>
+      <managerPasswordSecret>uT5S1rfROmNBuEsw8z=</managerPasswordSecret>

      



How to fix

  • Edit ~jenkins/config.xml
  • Remove nodes (lines) managerDN and managerPasswordSecret.
  • Restart Jenkins service.

The LDAP logins should now work again!

+8
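
A check for the symptom described in the answer above, as an added example that is not part of the original post: it parses a Jenkins config.xml, compares the LDAP realm's managerDN and managerPasswordSecret nodes against a known-good copy, and flags a managerDN that looks like a bare username. The function names, the sample XML and the bare-username heuristic are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

LDAP_REALM = "hudson.security.LDAPSecurityRealm"
WATCHED = ("managerDN", "managerPasswordSecret")  # nodes named in the answer

def realm_settings(config_xml):
    """Map each direct child tag of the LDAP <securityRealm> to its values."""
    realm = ET.fromstring(config_xml).find("securityRealm")
    if realm is None or realm.get("class") != LDAP_REALM:
        return {}
    settings = {}
    for child in realm:
        settings.setdefault(child.tag, []).append((child.text or "").strip())
    return settings

def audit(current_xml, baseline_xml=None):
    """Return findings; secret values are compared but never echoed."""
    findings = []
    current = realm_settings(current_xml)
    baseline = realm_settings(baseline_xml) if baseline_xml else None
    for tag in WATCHED:
        values = current.get(tag, [])
        if len(values) > 1:
            findings.append(f"{tag}: appears {len(values)} times")
        if baseline is not None and values != baseline.get(tag, []):
            findings.append(f"{tag}: differs from baseline")
    # Heuristic (assumption): a bind identity normally contains '=' (DN),
    # '@' (UPN) or '\' (DOMAIN\user); a bare word suggests form autofill.
    for dn in current.get("managerDN", []):
        if dn and not any(c in dn for c in "=@\\"):
            findings.append("managerDN: looks like a bare username, not a bind DN")
    return findings

# Constructed sample input (not taken from a real server).
BASELINE = """<hudson>
  <securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap@1.11">
    <server>ldap.example.test</server>
    <rootDN>dc=example,dc=test</rootDN>
  </securityRealm>
</hudson>"""
AUTOFILLED = BASELINE.replace(
    "<server>",
    "<managerDN>myusername</managerDN>\n    "
    "<managerPasswordSecret>CONSTRUCTED-VALUE</managerPasswordSecret>\n    <server>",
)

if __name__ == "__main__":
    for finding in audit(AUTOFILLED, BASELINE):
        print(finding)
```

Run against a copy of config.xml saved right after a known-good LDAP setup, this reports drift in the bind settings after someone saves the Configure Global Security page.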

