4
votes

To tighten up security on our Jenkins CI server (running 1.614 on Ubuntu 14.04), I configured the LDAP plugin yesterday. Everything seemed fine yesterday, and I was able to log in and manually configure and run some builds.

This morning, however, no one - including myself - is able to log in.

We are told to look into the server console output - however, there is nothing recorded in /var/log/jenkins/jenkins.log. I found How do I view the Jenkins server console output on the local filesystem? - but there are no such log files in /usr/lib/jenkins/ (which is my Jenkins home directory).

I've tried the simple troubleshooting groovy script at https://wiki.jenkins-ci.org/display/JENKINS/LDAP+Plugin, but each query returns:

Checking the name 'wibble'...
  It is NOT a group, reason: No such property: Jenkins for class: RemoteClass
  It is NOT a user, reason: No such property: Jenkins for class: RemoteClass

My security config:

<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
<securityRealm class="hudson.security.LDAPSecurityRealm" plugin="[email protected]">
    <server>server.ip.address</server>
    <rootDN>dc=domain,dc=location,dc=au</rootDN>
    <inhibitInferRootDN>false</inhibitInferRootDN>
    <userSearchBase>dc=domain,dc=location,dc=au</userSearchBase>
    <userSearch>sAMAccountName={0}</userSearch>
    <groupSearchBase>ou=groups</groupSearchBase>
    <groupSearchFilter>(&amp; (cn={0}) (objectclass=group) )</groupSearchFilter>
    <groupMembershipStrategy class="jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy">
        <filter>(&amp;(objectCategory=group)(member={0}))</filter>
    </groupMembershipStrategy>
    <managerDN>cn=administrator,cn=users,dc=domain,dc=location,dc=au</managerDN>
    <managerPasswordSecret>wurble-bop-de-boo</managerPasswordSecret>
    <disableMailAddressResolver>false</disableMailAddressResolver>
    <displayNameAttributeName>displayname</displayNameAttributeName>
    <mailAddressAttributeName>mail</mailAddressAttributeName>
    <userIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
    <groupIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
</securityRealm>

There were no configuration changes made overnight, and we use these same credential/settings for other LDAP integration from about 3 or 4 different applications, and they're all working fine.

1
You mention /usr/lib and /usr/log (does that exist?), but looking at the Ubuntu wiki page, the logs should be in /var/log/jenkins. - Christopher Orr
I had a similar issue once and it was the autocompletion from Chrome which, if I recall correctly, completed the manager password in the Advanced settings of LDAP, even though it was not visible. You may want to check, just in case. - davidrv87
@ChristopherOrr you're right, that was a typo and I've fixed it. - HorusKol
@davidrv87 - this is in Firefox. And I don't set any browser to remember passwords. - HorusKol

1 Answer

9
votes

I've had a similar issue after simply adding or modifying a user on the Configure Global Security page. I think it's just as @davidrv87 said: Chrome auto-fills some hidden "username" and "password" fields and breaks your LDAP settings.

Result

In the main Jenkins config.xml file, the bad settings appear as new child nodes under <securityRealm>:

  <securityRealm class="hudson.security.LDAPSecurityRealm" plugin="[email protected]">
+      <managerDN>myusername</managerDN>
+      <managerPasswordSecret>uT5S1rfROmNBuEsw8z=</managerPasswordSecret>

How to fix

  1. Edit ~jenkins/config.xml
  2. Remove the managerDN and managerPasswordSecret nodes (lines).
  3. Restart the Jenkins service.

Now LDAP logins should work again!
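The fix above is a manual edit of config.xml. The following script is an added example (not code from the original post or from the Jenkins project) that automates the check a practitioner would want before and after that edit: it parses a config.xml, reports any managerDN / managerPasswordSecret child of securityRealm that occurs more than once, flags a managerDN that is not a distinguished name (the autofilled "myusername" shape shown in the answer), and removes a named bogus node. It also reports an authorizationStrategy of hudson.security.AuthorizationStrategy$Unsecured, which Jenkins labels "Anyone can do anything", since that is what the question's config uses. The sample config embedded below is constructed for the example; the tag names are those shown on this page.

```python
"""Audit a Jenkins config.xml <securityRealm> for duplicated LDAP bind
credentials (the browser-autofill symptom described above) and strip a
named bogus node.  Added example; not part of the original post or of
the Jenkins/LDAP plugin code base."""
import xml.etree.ElementTree as ET

# Constructed sample: the real bind DN has been joined by an autofilled
# username/password pair, as in the answer's diff.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.LDAPSecurityRealm">
    <managerDN>myusername</managerDN>
    <managerPasswordSecret>uT5S1rfROmNBuEsw8z=</managerPasswordSecret>
    <server>ldap.example.internal</server>
    <rootDN>dc=example,dc=internal</rootDN>
    <managerDN>cn=jenkins-bind,cn=users,dc=example,dc=internal</managerDN>
    <managerPasswordSecret>{AQAAABAAAAAQexample}</managerPasswordSecret>
  </securityRealm>
</hudson>
"""

# The two securityRealm children that the answer says get duplicated.
BIND_TAGS = ("managerDN", "managerPasswordSecret")


def audit_security_realm(xml_text):
    """Return a list of findings (strings) about the realm and strategy.

    An empty list means: at most one of each bind node, every managerDN
    looks like a DN, and the authorization strategy is not Unsecured.
    """
    root = ET.fromstring(xml_text)
    findings = []
    realm = root.find("securityRealm")
    if realm is None:
        return ["no <securityRealm> element found"]

    # Duplicate bind nodes: the LDAP plugin expects at most one of each.
    for tag in BIND_TAGS:
        count = len(realm.findall(tag))
        if count > 1:
            findings.append(f"{tag} appears {count} times (expected at most 1)")

    # An autofilled login name has no '=' in it; a bind DN always does.
    for node in realm.findall("managerDN"):
        text = (node.text or "").strip()
        if "=" not in text:
            findings.append(f"managerDN {text!r} is not a distinguished name")

    # Unsecured means anyone, including anonymous, can do anything.
    strategy = root.find("authorizationStrategy")
    if strategy is not None and strategy.get("class", "").endswith("$Unsecured"):
        findings.append("authorizationStrategy is Unsecured ('Anyone can do anything')")
    return findings


def remove_realm_node(xml_text, tag, value):
    """Remove every <tag> child of <securityRealm> whose text equals value.

    Returns (new_xml_text, number_of_nodes_removed).  Keyed on the exact
    bogus value rather than "first" or "last" because the answer shows the
    bad nodes can be inserted ahead of the real ones.
    """
    root = ET.fromstring(xml_text)
    realm = root.find("securityRealm")
    removed = 0
    if realm is not None:
        for node in list(realm.findall(tag)):
            if (node.text or "").strip() == value:
                realm.remove(node)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for finding in audit_security_realm(SAMPLE_CONFIG):
        print("finding:", finding)
    fixed, n = remove_realm_node(SAMPLE_CONFIG, "managerDN", "myusername")
    fixed, m = remove_realm_node(fixed, "managerPasswordSecret", "uT5S1rfROmNBuEsw8z=")
    print(f"removed {n + m} node(s); remaining findings:",
          audit_security_realm(fixed))
```

Run the audit against a copy of ~jenkins/config.xml first; if it reports duplicates, call remove_realm_node with the exact bogus values it printed, write the result back with the Jenkins service stopped, and restart as in the answer. ET.tostring does not reproduce the original indentation or the XML declaration, so write the file with xml_declaration=True (or re-indent) if you want it to look like the one Jenkins wrote.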