To tighten up security on our Jenkins CI server (running 1.614 on Ubuntu 14.04), I configured the LDAP plugin yesterday. Everything seemed fine yesterday, and I was able to log in and manually configure and run some builds.
This morning, however, no one - including myself - is able to log in.
We are told to look into the server console output - however, there is nothing recorded in /var/log/jenkins/jenkins.log
. I found How do I view the Jenkins server console output on the local filesystem? - but there are no such log files in /usr/lib/jenkins/
(which my jenkins home directory).
I've tried the simple troubleshooting groovy script at https://wiki.jenkins-ci.org/display/JENKINS/LDAP+Plugin, but each query returns:
Checking the name 'wibble'...
It is NOT a group, reason: No such property: Jenkins for class: RemoteClass
It is NOT a user, reason: No such property: Jenkins for class: RemoteClass
My security config:
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
<securityRealm class="hudson.security.LDAPSecurityRealm" plugin="[email protected]">
<server>server.ip.address</server>
<rootDN>dc=domain,dc=location,dc=au</rootDN>
<inhibitInferRootDN>false</inhibitInferRootDN>
<userSearchBase>dc=domain,dc=location,dc=au</userSearchBase>
<userSearch>sAMAccountName={0}</userSearch>
<groupSearchBase>ou=groups</groupSearchBase>
<groupSearchFilter>(& (cn={0}) (objectclass=group) )</groupSearchFilter>
<groupMembershipStrategy class="jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy">
<filter>(&(objectCategory=group)(member={0}))</filter>
</groupMembershipStrategy>
<managerDN>cn=administrator,cn=users,dc=domain,dc=location,dc=au</managerDN>
<managerPasswordSecret>wurble-bop-de-boo</managerPasswordSecret>
<disableMailAddressResolver>false</disableMailAddressResolver>
<displayNameAttributeName>displayname</displayNameAttributeName>
<mailAddressAttributeName>mail</mailAddressAttributeName>
<userIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
<groupIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
</securityRealm>
There were no configuration changes made overnight, and we use these same credential/settings for other LDAP integration from about 3 or 4 different applications, and they're all working fine.
I've had a similar issue after simply adding or modifying a user on the Configure Global Security page. I think it's just as @davidrv87 said: Chrome auto-fills some hidden "username" and "password" fields and breaks your LDAP settings.
Result
In the main Jenkins config.xml
file, the bad settings appear as new child nodes under <securityRealm>
:
<securityRealm class="hudson.security.LDAPSecurityRealm" plugin="[email protected]">
+ <managerDN>myusername</managerDN>
+ <managerPasswordSecret>uT5S1rfROmNBuEsw8z=</managerPasswordSecret>
How to fix
~jenkins/config.xml
managerDN
and managerPasswordSecret
nodes (lines).Now LDAP logins should work again!
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With