
Jenkins: How to Change LDAP Password

My institution requires me to periodically change my LDAP password.

In the past, I was able to perform the following steps to change my password:-

  • Create a Base64 encoded password at http://www.base64encode.org/
  • Edit /var/lib/jenkins/config.xml and change <managerPassword/>.

However, the recent version of Jenkins no longer uses <managerPassword/>. Instead, I'm seeing <managerPasswordSecret/>.

I'm not sure how to generate the new secret password, so I did the following:-

  • Backup /var/lib/jenkins/config.xml first.
  • Edit /var/lib/jenkins/config.xml and change <useSecurity/> to false.
  • Restart Jenkins service.
  • Go to Jenkins.
  • Enable LDAP Security.
  • Enter new LDAP password.
  • Save it.
  • Open up /var/lib/jenkins/config.xml and copy <managerPasswordSecret/>.
  • Restore backup config file.
  • Replace <managerPasswordSecret/> with the new value.

This is incredibly convoluted.

Is there a more straightforward way for me to maintain my LDAP password change in the future?

Thanks much!

limc asked Aug 18 '14 13:08



6 Answers

None of the above solutions worked for me with a newer version of Jenkins (2.78). What did work was putting the managerPasswordSecret in without any encryption. Once I ran Jenkins, the password got encrypted for me.

Roman Zenka answered Oct 08 '22 05:10


You can still use <managerPassword>.

  1. Generate the new encoded password with

    perl -e 'use MIME::Base64; print encode_base64("yourNewPassword");'

  2. In your config.xml, find <hudson>/<securityRealm>/<managerPasswordSecret>. Change <managerPasswordSecret> to <managerPassword> (both before and after) and put the encoding from #1 between them. Save the file.

  3. Restart jenkins
  4. Login and using the UI, reset the LDAP Manager password to the same yourNewPassword. config.xml should now be back to <managerPasswordSecret>.
  5. If you are paranoid (like me), restart jenkins again to use the newly modified config.xml.

walrii answered Oct 08 '22 06:10


I was trying to do the same thing and this is a simple solution (use from the Jenkins console):

    import com.trilead.ssh2.crypto.Base64;
    import javax.crypto.Cipher;
    import jenkins.security.CryptoConfidentialKey;
    import hudson.util.Secret;

    // Key that hudson.util.Secret uses on this Jenkins instance
    CryptoConfidentialKey KEY = new CryptoConfidentialKey(Secret.class.getName());
    Cipher cipher = KEY.encrypt();
    // Marker appended to the plaintext before encryption
    String MAGIC = "::::MAGIC::::";

    // Put the new password here
    String VALUE_TO_ENCRYPT = "";
    println(new String(Base64.encode(cipher.doFinal((VALUE_TO_ENCRYPT + MAGIC).getBytes("UTF-8")))));

Decoding is simpler:

    // Replace the placeholder with the value copied from config.xml
    println(hudson.util.Secret.decrypt("HashFromConfigXmlHere"));

Dawid Gosławski answered Oct 08 '22 05:10


Edit your config.xml file by hand.

If your Jenkins uses a <managerPasswordSecret> set of tags, put the new plain text password in there and Jenkins will read it. Once Jenkins starts up, go to the Configure System > Configure Global Security page and click Save. That will update that field with the encrypted version.

David I. answered Oct 08 '22 06:10


The current easiest and fastest solution (just worked for me) is from CloudBees: simply enter the new password into the password field in the config.xml as plain text (not encrypted), then Jenkins will read that correctly. Once you start Jenkins, just re-save the Manage Jenkins -> Configure Global Security page.

https://support.cloudbees.com/hc/en-us/articles/221230028-Changing-LDAP-Password

YaP answered Oct 08 '22 07:10
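
A check for the state the plaintext approach in the answers above leaves behind, as an added example that is not part of the original answers or of Jenkins itself: it reads a config.xml and reports whether the LDAP manager password is still stored as legacy Base64 or as a `<managerPasswordSecret>` value that has not been re-saved. It assumes that current Jenkins writes encrypted secrets wrapped in braces (`{...}`); the function name and the sample configurations are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: current Jenkins stores encrypted secrets as "{<base64>}".
# Heuristic only: a plaintext password of that exact shape would pass.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

def audit_ldap_manager_secret(config_xml):
    """Return findings on how config.xml stores the LDAP manager password."""
    # Drop the XML declaration; Jenkins may write version 1.1, which some
    # parsers reject.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml)
    realm = ET.fromstring(body).find("securityRealm")
    if realm is None:
        return ["no <securityRealm> element found"]
    findings = []
    legacy = (realm.findtext("managerPassword") or "").strip()
    secret = (realm.findtext("managerPasswordSecret") or "").strip()
    if legacy:
        findings.append("legacy <managerPassword>: Base64 is an encoding, not "
                        "encryption; re-save so Jenkins stores an encrypted secret")
    if secret and not ENCRYPTED.match(secret):
        findings.append("<managerPasswordSecret> is not in {...} form: plaintext "
                        "or legacy value; re-save Configure Global Security")
    if not legacy and not secret:
        findings.append("no LDAP manager password configured")
    return findings

# Constructed sample configurations (not taken from a real server).
PLAINTEXT_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <securityRealm class="hudson.security.LDAPSecurityRealm">
    <managerDN>cn=jenkins,dc=example,dc=org</managerDN>
    <managerPasswordSecret>yourNewPassword</managerPasswordSecret>
  </securityRealm>
</hudson>"""
SAVED_CONFIG = PLAINTEXT_CONFIG.replace(
    "yourNewPassword", "{AQAAABAAAAAQc2FtcGxlLW9ubHk=}")
LEGACY_CONFIG = PLAINTEXT_CONFIG.replace(
    "<managerPasswordSecret>yourNewPassword</managerPasswordSecret>",
    "<managerPassword>eW91ck5ld1Bhc3N3b3Jk</managerPassword>")

if __name__ == "__main__":
    for name, cfg in [("plaintext", PLAINTEXT_CONFIG),
                      ("saved", SAVED_CONFIG), ("legacy", LEGACY_CONFIG)]:
        print(name, audit_ldap_manager_secret(cfg) or "ok")
```

Run it against a copy of /var/lib/jenkins/config.xml after the re-save step to confirm the plaintext value is gone.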


I tried the solution provided by @alkuzad and it's working fine. Just to clarify, you can't use the Jenkins web console when the LDAP user password is expired. So what I did is as follows (I have the Groovy script plugin in Jenkins. I also provided run-script access to the anonymous user - not a good idea, but it's the way I initially found to resolve this recurring issue).

  1. Downloaded jenkins-cli.jar
  2. Put the above code in GroovyPasswordClass.txt (not forgetting to use the new password in place of VALUE_TO_ENCRYPT in the code)
  3. Start the Jenkins server (it's a requirement to have Jenkins running)
  4. Run the command below from a command prompt

java -jar jenkins-cli.jar -s groovy GroovyPasswordClass.txt

This will print the encrypted password.

Better Option

Well, later I found a better way to do authentication if the directory service provider is MS Active Directory. In that case, instead of the LDAP plugin, I used the Active Directory plugin for authentication. I found this better because:

1) Response is faster when using the Active Directory plugin instead of the generic LDAP protocol based plugin.
2) The Active Directory plugin uses the user data with which the Jenkins service was started, and there is no need to configure any user account in Jenkins. So you will never have the situation that your Jenkins login is not working because the user configured for LDAP has an expired password.

Hope this will help others trying to resolve this issue.

ashah answered Oct 08 '22 05:10