[ https://issues.jenkins-ci.org/browse/JENKINS-12180?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dan Dexter reopened JENKINS-12180:
----------------------------------

    Assignee:     (was: Kohsuke Kawaguchi)

This appears to still be happening, perhaps a regression or some other cause. If I only have a group specified in matrix-based security it will not allow a full login and I get a 404 error. If I have my AD user name specified then it works.

----
WARNING: Credential exception tying to authenticate against . domain
org.acegisecurity.userdetails.UsernameNotFoundException: Authentication was successful but cannot locate the user information for group
----

> Active Directory Plugin - Adding AD Group Throws BadCredentialsException
> ------------------------------------------------------------------------
>
>                 Key: JENKINS-12180
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-12180
>             Project: Jenkins
>          Issue Type: Bug
>          Components: active-directory
>   Affects Versions: current
>         Environment: OS: CentOs 6 64-bit
>                      Hardware Platform: VMWare ESXi 5.0
>            Reporter: Tony Lee
>              Labels: AD,, active_directory,, plugins
>
> Adding an AD group, e.g. ciusers on Authorization type "Project-based Matrix Authorization Strategy", throws BadCredentialsException.
>
> Issue:
> doCheckName_() first tries finding a user and this fails and throws the BadCredentialsException. The function doCheckName_() then tries loadGroupByGroupName() which is throwing UserMayOrMayNotExistException right away. Function doCheckName_() uses SecurityRealm.loadGroupByGroupName() instead of LDAPSecurityRealm.loadGroupByGroupName().
>
> Snippet of loadGroupByGroupname() from the SecurityRealm class.
>
>     public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
>         throw new UserMayOrMayNotExistException(groupname);
>     }
>
> Snippet of loadGroupByGroupname() from the LDAPSecurityRealm class.
>
>     public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
>         // TODO: obtain a DN instead so that we can obtain multiple attributes later
>         String searchBase = groupSearchBase != null ? groupSearchBase : "";
>         final Set<String> groups = (Set<String>)ldapTemplate.searchForSingleAttributeValues(searchBase, GROUP_SEARCH,
>                 new String[]{groupname}, "cn");
>         if(groups.isEmpty())
>             throw new UsernameNotFoundException(groupname);
>         return new GroupDetails() {
>             public String getName() {
>                 return groups.iterator().next();
>             }
>         };
>     }
>
> Snippet of doCheckName_():
>
>     public FormValidation doCheckName_(String value, AccessControlled subject, Permission permission) throws IOException, ServletException {
>         if(!subject.hasPermission(permission)) return FormValidation.ok(); // can't check
>         final String v = value.substring(1,value.length()-1);
>         SecurityRealm sr = Jenkins.getInstance().getSecurityRealm();
>         String ev = Functions.escape(v);
>         if(v.equals("authenticated"))
>             // system reserved group
>             return FormValidation.respond(Kind.OK, makeImg("user.png") +ev);
>         try {
>             sr.loadUserByUsername(v);
>             return FormValidation.respond(Kind.OK, makeImg("person.png")+ev);
>         } catch (UserMayOrMayNotExistException e) {
>             // undecidable, meaning the user may exist
>             return FormValidation.respond(Kind.OK, ev);
>         } catch (UsernameNotFoundException e) {
>             // fall through next
>         } catch (DataAccessException e) {
>             // fall through next
>         }
>         try {
>             sr.loadGroupByGroupname(v);
>             return FormValidation.respond(Kind.OK, makeImg("user.png") +ev);
>         } catch (UserMayOrMayNotExistException e) {
>             // undecidable, meaning the group may exist
>             return FormValidation.respond(Kind.OK, ev);
>         } catch (UsernameNotFoundException e) {
>             // fall through next
>         } catch (DataAccessException e) {
>             // fall through next
>         }
>         // couldn't find it. it doesn't exist
>         return FormValidation.respond(Kind.ERROR, makeImg("error.png") +ev);
>     }
>
> Stack trace snippet:
>
> Failed to test the validity of the user name ciusers
> org.acegisecurity.BadCredentialsException: Authentication was successful but cannot locate the user information for ciusers
>     at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:147)
>     at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:105)
>     at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:64)
>     at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:23)
>     at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:514)
>     at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName_(GlobalMatrixAuthorizationStrategy.java:303)
>     at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:288)
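
Added example (not part of the JIRA message and not Jenkins or Acegi source): a self-contained model of the catch clauses in the quoted doCheckName_(), showing how a BadCredentialsException from the user lookup gets past them, as in the stack trace. The exception classes are stand-ins and their hierarchy (UsernameNotFoundException as a subclass of BadCredentialsException) is an assumption; checkTolerant() is a hypothetical variant, not the project's fix.

```java
// Added illustration: stand-in classes, not Jenkins or Acegi source.
public class CheckNameDemo {
    // Assumed hierarchy: AuthenticationException > BadCredentialsException
    //   > UsernameNotFoundException > UserMayOrMayNotExistException
    static class AuthenticationException extends RuntimeException { AuthenticationException(String m) { super(m); } }
    static class BadCredentialsException extends AuthenticationException { BadCredentialsException(String m) { super(m); } }
    static class UsernameNotFoundException extends BadCredentialsException { UsernameNotFoundException(String m) { super(m); } }
    static class UserMayOrMayNotExistException extends UsernameNotFoundException { UserMayOrMayNotExistException(String m) { super(m); } }

    interface Realm {
        void loadUserByUsername(String name);
        void loadGroupByGroupname(String name);
    }
    // Group lookup shared by both variants, same catch order as the quoted code.
    static String checkGroup(Realm sr, String v) {
        try { sr.loadGroupByGroupname(v); return "OK(group)"; }
        catch (UserMayOrMayNotExistException e) { return "OK(undecidable)"; }
        catch (UsernameNotFoundException e) { return "ERROR"; }
    }
    // Catch clauses as in the quoted doCheckName_ (DataAccessException omitted).
    static String checkAsQuoted(Realm sr, String v) {
        try { sr.loadUserByUsername(v); return "OK(user)"; }
        catch (UserMayOrMayNotExistException e) { return "OK(undecidable)"; }
        catch (UsernameNotFoundException e) { /* fall through to group lookup */ }
        return checkGroup(sr, v);
    }
    // Hypothetical variant: any authentication failure means "not a user".
    static String checkTolerant(Realm sr, String v) {
        try { sr.loadUserByUsername(v); return "OK(user)"; }
        catch (UserMayOrMayNotExistException e) { return "OK(undecidable)"; }
        catch (AuthenticationException e) { /* fall through to group lookup */ }
        return checkGroup(sr, v);
    }
    public static void main(String[] args) {
        Realm realm = new Realm() { // constructed realm reproducing the reported behaviour
            public void loadUserByUsername(String n) {
                throw new BadCredentialsException("cannot locate the user information for " + n);
            }
            public void loadGroupByGroupname(String n) {
                throw new UserMayOrMayNotExistException(n); // base SecurityRealm behaviour per the report
            }
        };
        // The superclass exception is not matched by the subclass catch clauses.
        try { System.out.println(checkAsQuoted(realm, "ciusers")); }
        catch (BadCredentialsException e) { System.out.println("escaped: " + e.getMessage()); }
        System.out.println(checkTolerant(realm, "ciusers"));
    }
}
```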