Cannot login using LDAP in Jenkins
I've had a similar issue after simply adding or modifying a user on the Configure Global Security page. I think it's just as @davidrv87 said: Chrome auto-fills some hidden "username" and "password" fields and breaks your LDAP settings.
Result
In the main Jenkins config.xml file, the bad settings appear as new child nodes under <securityRealm>:
<securityRealm class="hudson.security.LDAPSecurityRealm" plugin="[email protected]">
+ <managerDN>myusername</managerDN>
+ <managerPasswordSecret>uT5S1rfROmNBuEsw8z=</managerPasswordSecret>
How to fix
- Edit ~jenkins/config.xml
- Remove the managerDN and managerPasswordSecret nodes (lines).
- Restart the Jenkins service.
Now LDAP logins should work again!
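A check for the symptom described in this answer, as an added example that is not part of the original answer: it flags a managerDN that does not look like a bind identity (such as an autofilled bare username) and returns the config with both nodes removed. The sample config, the host name and the function names are constructed for illustration, and the identity test is a heuristic.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample reproducing the symptom (not a real Jenkins config).
SAMPLE = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <securityRealm class="hudson.security.LDAPSecurityRealm">
    <server>ldap.example.test</server>
    <rootDN>dc=example,dc=test</rootDN>
    <managerDN>myusername</managerDN>
    <managerPasswordSecret>CONSTRUCTED-PLACEHOLDER</managerPasswordSecret>
  </securityRealm>
</hudson>
"""

def plausible_bind_identity(value):
    """Heuristic (assumption): a manager bind is a DN (attr=value,...),
    user@domain or DOMAIN\\user. A bare word suggests browser autofill."""
    value = (value or "").strip()
    return value == "" or any(ch in value for ch in "=@\\")

def check_ldap_realm(config_xml):
    """Return (suspicious, xml_text) for the text of a Jenkins config.xml.

    When the LDAP realm carries a managerDN that fails the heuristic,
    xml_text is the config with managerDN and managerPasswordSecret
    removed; otherwise the input is returned unchanged."""
    # Drop the XML declaration so parsing does not depend on the declared version.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml)
    root = ET.fromstring(body)
    realm = root.find("securityRealm")
    if realm is None or "LDAPSecurityRealm" not in realm.get("class", ""):
        return False, config_xml
    manager = realm.find("managerDN")
    if manager is None or plausible_bind_identity(manager.text):
        return False, config_xml  # nothing set, or a real manager bind: keep it
    for tag in ("managerDN", "managerPasswordSecret"):
        for node in realm.findall(tag):
            realm.remove(node)
    return True, ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    suspicious, cleaned = check_ldap_realm(SAMPLE)
    print("suspicious managerDN:", suspicious)
    print(cleaned)
```

Run it on a copy of ~jenkins/config.xml and keep the original as a backup; a realm that really binds with a manager account still needs both nodes.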
Comments
-
HorusKol almost 2 years
To tighten up security on our Jenkins CI server (running 1.614 on Ubuntu 14.04), I configured the LDAP plugin yesterday. Everything seemed fine yesterday, and I was able to log in and manually configure and run some builds.
This morning, however, no one - including myself - is able to log in.
We are told to look into the server console output - however, there is nothing recorded in /var/log/jenkins/jenkins.log. I found How do I view the Jenkins server console output on the local filesystem? - but there are no such log files in /usr/lib/jenkins/ (which is my jenkins home directory).
I've tried the simple troubleshooting groovy script at https://wiki.jenkins-ci.org/display/JENKINS/LDAP+Plugin, but each query returns:
Checking the name 'wibble'...
It is NOT a group, reason: No such property: Jenkins for class: RemoteClass
It is NOT a user, reason: No such property: Jenkins for class: RemoteClass
My security config:
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
<securityRealm class="hudson.security.LDAPSecurityRealm" plugin="[email protected]">
  <server>server.ip.address</server>
  <rootDN>dc=domain,dc=location,dc=au</rootDN>
  <inhibitInferRootDN>false</inhibitInferRootDN>
  <userSearchBase>dc=domain,dc=location,dc=au</userSearchBase>
  <userSearch>sAMAccountName={0}</userSearch>
  <groupSearchBase>ou=groups</groupSearchBase>
  <groupSearchFilter>(&amp; (cn={0}) (objectclass=group) )</groupSearchFilter>
  <groupMembershipStrategy class="jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy">
    <filter>(&amp;(objectCategory=group)(member={0}))</filter>
  </groupMembershipStrategy>
  <managerDN>cn=administrator,cn=users,dc=domain,dc=location,dc=au</managerDN>
  <managerPasswordSecret>wurble-bop-de-boo</managerPasswordSecret>
  <disableMailAddressResolver>false</disableMailAddressResolver>
  <displayNameAttributeName>displayname</displayNameAttributeName>
  <mailAddressAttributeName>mail</mailAddressAttributeName>
  <userIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
  <groupIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
</securityRealm>
There were no configuration changes made overnight, and we use these same credential/settings for other LDAP integration from about 3 or 4 different applications, and they're all working fine.
-
davidrv87 almost 8 years
That was exactly my problem
-
v.shashenko over 7 years
After cloning the Jenkins config to another server, I wasn't able to login and there were javax.naming.ServiceUnavailableException errors in Jenkins log. Removing those two settings solved the problem.