Michael Rose
created JENKINS-25485
Unable to login with standard Jenkins users when Active Directory plugin is in use
Issue Type:
Bug
Assignee:
Unassigned
Components:
active-directory-plugin
Created:
06/Nov/14 11:52 PM
Description:
We use the Active Directory plugin as our security realm. I noticed that even with Active Directory set up as the security realm, an administrator could still create users by navigating to http//JENKINS_URL/user/USERNAME and configuring them. This is useful b/c the newly created user receives an API token which allows jobs to be triggered from scripts. Furthermore there is more control over b/c permission can be setup to restrain them from doing anything except for what they were created to do.
The problem that I'm seeing is that, though authentication is successful when using the API token, an internal error still occurs when the Active Directory plugin attempts to retrieve information about the user from Active Directory. There's an argument that could be made that this is correct behavior since the user does not exist in AD, however most tools that integrate with AD also allow for the tool's internal database to be used as a fallback. I think the plugin should not error out if the user directory and configuration file exists in JENKINS_HOME/users (or however internal users are defined ???).
Here is the error message I am seeing.
Nov 6, 2014 5:09:15 PM jenkins.security.BasicHeaderApiTokenAuthenticator authenticate
WARNING: API token matched for user mynewname but the impersonation failed
org.acegisecurity.userdetails.UsernameNotFoundException: Authentication was successful but cannot locate the user information for mynewname
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:273)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:196)
at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:140)
at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:30)
at jenkins.security.ImpersonatingUserDetailsService.loadUserByUsername(ImpersonatingUserDetailsService.java:32)
at hudson.model.User.impersonate(User.java:282)
at jenkins.security.BasicHeaderApiTokenAuthenticator.authenticate(BasicHeaderApiTokenAuthenticator.java:31)
at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:72)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at
