Discussion:
LDAP in Jenkins Fails, but ldapsearch works
Sverre Moe
2015-10-09 07:22:19 UTC
I have configured authentication with LDAP

My LDAP Configuration:
Server: helios.company.com
root DN: dc=arctic,dc=company,dc=com
User search base: ou=users
User search filter: samaccountname={0}
Group membership: Parse user attribute for list of groups => memberOf
Manager DN: ***@arctic.company.com
Manager password: ldapUserPassword
Display Name LDAP Attribute: displayName
Email Address LDAP Attribute: mail

There is a port opening between my Jenkins server and helios.company.com
since ldapsearch is working fine
ldapsearch -D ***@arctic.company.com -w ldapUserPassword -h helios.company.com -b "dc=arctic,dc=company,dc=com" "samaccountname=user"


What is missing from the configuration?

If I use the same configuration on another Jenkins running within the same
subnet of my LDAP server, it works. I then cannot fault the configuration,
however why does ldapsearch work?

I cannot see anything wrong in the Jenkins log (it is empty). I have added
logger for org.acegisecurity, hudson.security and jenkins.security with log
level INFO.
--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/94d07a78-aa59-4097-960c-6b9d370f7649%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Maciej Jaros
2015-10-09 11:29:25 UTC
> User search base: ou=users
I think it should be "CN=Users".
> User search filter: samaccountname={0}
Not sure if case matters, but we use "sAMAccountName={0}"

This is Windows AD? If so then I think you should use "domain\user"
format. At least it works for me.

Regards,
Nux.
Sverre Moe
2015-10-09 11:47:32 UTC
I have done nothing with the LDAP configuration, but now it works. It takes
30 seconds before I'm logged in.
The only thing I have done is to add Proxy configuration to Jenkins.

I have tried both samaccountname and sAMAccountName. I don't think ours is
case sensitive.

Using DOMAIN\username does not work.
Sverre Moe
2015-10-12 07:01:25 UTC
I spoke too soon. It worked for a short while, but now I am getting several
invalid logins: "Invalid login information. Please try again."
There is still nothing in the log.

What is Jenkins doing differently than ldapsearch? It should communicate with
the server on default port 389. I am using a proxy, but both Jenkins and
Java have been configured to use this proxy.
James Nord
2015-10-13 17:10:46 UTC
If you are using port 389, then unless a TLS upgrade is happening this is
all plaintext (including your passwords!), so I would suggest a network
capture with Wireshark and then compare Jenkins and ldapsearch and see if
you can spot some differences that can lead you to understand why this is
happening.
Adis Azizan
2015-10-16 03:17:32 UTC
Same issue with me. Can anybody actually solve this? I tried to use ldaps://
and it gave me a different error, which is an SSL Exception.
Shravan naidu
2016-04-20 21:05:41 UTC
The Jenkins LDAP plugin has a bug which fills up the manager DN field with a
random string and that fails the login procedure. Luckily, the manager DN
field is not mandatory to be filled and can be left blank. I would recommend
to fill root DN and leave the rest of the fields blank and try logging in. I had
the same prob.