
gocd-ldap-authentication-plugin's Introduction

GoCD LDAP/AD Authentication Plugin

An LDAP/AD authentication plugin that implements the GoCD Authorization Plugin endpoint.

Building the code base

To build the jar, run ./gradlew clean test assemble

Requirements

This plugin requires GoCD v17.5 or above.

Installation

  • From GoCD 17.5.0 onwards the plugin is bundled with the server, so no separate installation is required.

Ldap Client

The plugin can talk to the directory through either the Apache Directory LDAP API (ApacheDS) client or JNDI. The ApacheDS client is the default; to use the JNDI client instead, start the GoCD server with the system property use.jndi.ldap.client=true.

Configuration

The plugin needs connection details for your LDAP/AD server. Add them as an Authorization Configuration on the Authorization Configuration page under Admin > Security.

Alternatively, add an <authConfig> element directly to the server's config.xml. Note that a hand-edited config holds the Password in clear text as a <value>; configurations saved from the UI store it as an <encryptedValue>, as the configurations quoted further down this page show.

  • Example Configuration

     <security>
       <authConfigs>
         <authConfig id="profile-id" pluginId="cd.go.authentication.ldap">
           <property>
             <key>Url</key>
             <value>ldap://ldap-server-url</value>
           </property>
           <property>
             <key>ManagerDN</key>
             <value>cn=go,ou=Teams,dc=corporate,dc=example,dc=com</value>
           </property>
           <property>
             <key>Password</key>
             <value>secret</value>
           </property>
           <property>
             <key>SearchBases</key>
             <value>ou=Teams,dc=corporate,dc=example,dc=com</value>
           </property>
           <property>
             <key>UserLoginFilter</key>
             <value>(sAMAccountName={0})</value>
           </property>
           <property>
             <key>UserSearchFilter</key>
             <value>(|(sAMAccountName=*{0}*)(uid=*{0}*)(cn=*{0}*)(mail=*{0}*)(otherMailbox=*{0}*))</value>
           </property>
           <property>
             <key>DisplayNameAttribute</key>
             <value>displayName</value>
           </property>
           <property>
             <key>EmailAttribute</key>
             <value>mail</value>
           </property>
         </authConfig>
       </authConfigs>
     </security>
  • Url (Mandatory): Your LDAP server URL. Plain ldap:// sends the manager bind and every user's password unencrypted, so prefer ldaps:// outside a trusted network. The plugin has no setting for a custom trust store or certificate, so for ldaps:// the server's certificate chain must already be trusted by the JVM running the GoCD server; the workaround is to import the issuing CA certificate into the JVM's cacerts trust store (for example with keytool).

    <property>
       <key>Url</key>
       <value>ldap://ldap-server-url:1234</value>
    </property>

To connect over LDAPS, use an ldaps:// URL instead:

```xml
<property>
   <key>Url</key>
   <value>ldaps://ldap-server-url:1234</value>
</property>
```
  • ManagerDN (Optional): The DN of the LDAP/AD account the plugin binds with to search for user entries. A read-only account that can search the configured search bases is enough for this purpose.

    <property>
       <key>ManagerDN</key>
       <value>uid=admin,ou=system,dc=example,dc=com</value>
    </property>
  • Password (Mandatory if ManagerDN provided): The LDAP/AD manager password, used to connect to the LDAP/AD server. Required only if a ManagerDN is specified.

  • SearchBases (Mandatory): The location(s) in the directory tree from which the user search starts. You can provide multiple search bases, one per line; the plugin searches them in the order given and stops at the first base in which the user is found.

    Single search base:

    <property>
       <key>SearchBases</key>
       <value>ou=users,ou=system</value>
    </property>

    Multiple search bases:

    <property>
       <key>SearchBases</key>
       <value>
        ou=users,ou=system
        ou=employee,ou=system
        </value>
    </property>
  • UserLoginFilter (Mandatory): An LDAP search filter used during authentication to look up the entry of the user who is logging in. The placeholder {0} is replaced with the username entered on the login page, and the filter must resolve to a single entry.

    In the following example the filter matches the username against the sAMAccountName attribute.

    <property>
       <key>UserLoginFilter</key>
       <value>(sAMAccountName={0})</value>
    </property>
  • UserSearchFilter (Optional): An LDAP search filter used by GoCD's user search to look up users matching a search term. {0} is replaced with the search term; note that the default filter surrounds it with wildcards, so it is a substring match across several attributes. The default filter is (|(sAMAccountName=*{0}*)(uid=*{0}*)(cn=*{0}*)(mail=*{0}*)(otherMailbox=*{0}*)).

    <property>
       <key>UserSearchFilter</key>
       <value>(|(sAMAccountName=*{0}*)(uid=*{0}*))</value>
    </property>
  • DisplayNameAttribute (Optional): The attribute whose value is mapped to the GoCD user's display name. Defaults to cn.

    <property>
       <key>DisplayNameAttribute</key>
       <value>displayName</value>
    </property>
  • EmailAttribute (Optional): The attribute whose value is mapped to the GoCD user's email address. Defaults to mail.

     <property>
         <key>EmailAttribute</key>
         <value>mail</value>
     </property>

Note: The plugin allows multiple Authorization Configurations, so you can connect to different LDAP/AD servers:

<authConfig id="second-profile-id" pluginId="cd.go.authentication.ldap">
...
</authConfig>
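The lookup the configuration above describes can be modelled offline. The script below is an added example written for this page, not the plugin's own code: it parses a multi-line SearchBases value, substitutes {0} into the UserLoginFilter and UserSearchFilter templates, searches the bases in order, and enforces the requirement that a login resolves to exactly one entry. The directory it searches is constructed sample data, the filter evaluator only understands the equality, AND and OR forms used on this page, and whether the plugin itself escapes the username before substitution is not stated here; the example shows why the substituted value must be escaped per RFC 4515 (an unescaped `*` turns `(sAMAccountName={0})` into a match-anything filter).

```python
"""Offline model of the LDAP login lookup described in the configuration section.

Added example, not the plugin's own code. Rules modelled: SearchBases is a
newline-separated list searched in order until a user is found; {0} in the
filter templates is replaced by the submitted value; a login must resolve to
exactly one entry. The directory and filter evaluator are constructed for
illustration and only cover the filter forms used on this page.
"""
import re

# Constructed sample directory: DN -> attributes (attribute names lower-cased).
SAMPLE_DIRECTORY = {
    "cn=alice,ou=users,ou=system": {"samaccountname": "alice", "cn": "Alice A", "mail": "alice@example.com"},
    "cn=bob,ou=employee,ou=system": {"samaccountname": "bob", "cn": "Bob B", "mail": "bob@example.com"},
    "cn=bob-contractor,ou=employee,ou=system": {"samaccountname": "bob", "cn": "Bob C", "mail": "bobc@example.com"},
}
SEARCH_BASES = "ou=users,ou=system\nou=employee,ou=system"  # multi-line value, as in the README
LOGIN_FILTER = "(sAMAccountName={0})"
DEFAULT_USER_SEARCH_FILTER = "(|(sAMAccountName=*{0}*)(uid=*{0}*)(cn=*{0}*)(mail=*{0}*)(otherMailbox=*{0}*))"


def parse_search_bases(value):
    """One base per line; blank lines and surrounding whitespace are ignored."""
    return [line.strip() for line in value.splitlines() if line.strip()]


def escape_filter_value(value):
    """RFC 4515 escaping: characters with meaning inside a filter become \\xx hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(template, user_input, escape=True):
    """Substitute {0}. escape=False exists only to show what goes wrong without escaping."""
    return template.replace("{0}", escape_filter_value(user_input) if escape else user_input)


def _parse(f, i=0):
    """Recursive-descent parse of (attr=value), (|...) and (&...) into a tree."""
    if f[i] != "(":
        raise ValueError("filter must start with '(' at offset %d" % i)
    i += 1
    if f[i] in "|&":
        op, kids, i = f[i], [], i + 1
        while f[i] != ")":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    j = f.index(")", i)
    attr, _, val = f[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1


def _value_matches(pattern, actual):
    """Assertion value -> regex: '*' is a wildcard, '\\xx' decodes to one literal character."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern[i] == "*":
            regex, i = regex + ".*", i + 1
        elif pattern[i] == "\\":
            regex, i = regex + re.escape(chr(int(pattern[i + 1:i + 3], 16))), i + 3
        else:
            regex, i = regex + re.escape(pattern[i]), i + 1
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def _matches(node, attrs):
    if node[0] == "=":
        return node[1] in attrs and _value_matches(node[2], attrs[node[1]])
    op, kids = node
    return (any if op == "|" else all)(_matches(k, attrs) for k in kids)


def _search(directory, base, tree):
    """Entries below `base` whose attributes satisfy the parsed filter."""
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith("," + base.lower()) and _matches(tree, attrs)]


def find_login_entry(directory, bases_value, template, username, escape=True):
    """Search the bases in order; the first base with a hit wins, and that hit must be unique."""
    tree, _ = _parse(build_filter(template, username, escape))
    for base in parse_search_bases(bases_value):
        hits = _search(directory, base, tree)
        if len(hits) > 1:
            raise LookupError("%r matched %d entries under %s; the login filter must be unique" % (username, len(hits), base))
        if hits:
            return hits[0]
    return None


def search_users(directory, bases_value, template, term):
    """UserSearchFilter lookup: wildcard substring matches collected across every base."""
    tree, _ = _parse(build_filter(template, term))
    return sorted(dn for base in parse_search_bases(bases_value) for dn in _search(directory, base, tree))


if __name__ == "__main__":
    print(find_login_entry(SAMPLE_DIRECTORY, SEARCH_BASES, LOGIN_FILTER, "alice"))
    print(search_users(SAMPLE_DIRECTORY, SEARCH_BASES, DEFAULT_USER_SEARCH_FILTER, "bob"))
```

Running it against the sample directory, "alice" resolves in the first base, "bob" raises because two entries under ou=employee share the same sAMAccountName (the situation the upgrade note further down warns about), and a username of `*` matches nothing once escaped but matches the first entry of the first base when it is substituted raw.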

Troubleshooting

Verify Connection

To verify that a given Authorization Configuration can reach the LDAP/AD server, use the Verify Connection option on the Authorization Configuration page under Admin > Security.

Enable Debug Logs

If you are on GoCD version 19.6 and above:

Edit the file wrapper-properties.conf on your GoCD server and add the following line. The location of wrapper-properties.conf is given in the GoCD server installation documentation.

# We recommend that you begin with the index `100` and increment the index for each system property
wrapper.java.additional.105=-Dplugin.cd.go.authentication.ldap.log.level=debug

For this to work there must be no other wrapper.java.additional entry with the same index number. For example, the docker-entrypoint.sh of the Docker image adds a wrapper.java.additional.100 entry at container start, so that index is taken even though it does not appear in the file.
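Before adding the line it is worth checking the file for index clashes. The script below is an added example (not part of GoCD or the plugin) that parses a wrapper-properties.conf, reports duplicate wrapper.java.additional indices and picks the next free index at or above 100 for a new property; the file content it uses is constructed. It can only see what is in the file, so an entry appended at container start by docker-entrypoint.sh still has to be accounted for by hand.

```python
"""Find clashing wrapper.java.additional indices in a wrapper-properties.conf.

Added example, not part of GoCD or the plugin. The README warns that two
entries with the same wrapper.java.additional.N index break the setting;
this parser reports duplicates and chooses the next free index.
"""
import re

ADDITIONAL = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")

# Constructed sample: index 100 is used twice, which is exactly the mistake to catch.
SAMPLE_CONF = """\
# wrapper-properties.conf
wrapper.java.additional.100=-Xmx2g
wrapper.java.additional.101=-Duser.timezone=UTC
wrapper.java.additional.100=-Dplugin.cd.go.authentication.ldap.log.level=debug
"""


def parse_additional(text):
    """Return {index: [values...]} for every wrapper.java.additional.N line."""
    found = {}
    for line in text.splitlines():
        m = ADDITIONAL.match(line)
        if m:
            found.setdefault(int(m.group(1)), []).append(m.group(2))
    return found


def duplicate_indices(text):
    """Indices that appear more than once; the wrapper keeps only one of them."""
    return sorted(i for i, values in parse_additional(text).items() if len(values) > 1)


def next_free_index(text, start=100):
    """Smallest index >= start that no existing line uses (README recommends starting at 100)."""
    used = set(parse_additional(text))
    i = start
    while i in used:
        i += 1
    return i


def add_property(text, value, start=100):
    """Append `value` on a fresh index; refuse to touch a file that already clashes."""
    dups = duplicate_indices(text)
    if dups:
        raise ValueError("duplicate wrapper.java.additional indices: %s" % dups)
    idx = next_free_index(text, start)
    line = "wrapper.java.additional.%d=%s" % (idx, value)
    return text.rstrip("\n") + "\n" + line + "\n", idx


if __name__ == "__main__":
    print("duplicates:", duplicate_indices(SAMPLE_CONF))
    print("next free index:", next_free_index(SAMPLE_CONF))
```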

If you are running GoCD server 19.6 or above in Docker using one of the supported GoCD server images, set the environment variable GOCD_SERVER_JVM_OPTIONS instead:

docker run -e "GOCD_SERVER_JVM_OPTIONS=-Dplugin.cd.go.authentication.ldap.log.level=debug" ...

If you are on GoCD version 19.5 and lower:

  • On Linux:

    Enabling debug level logging can help you troubleshoot an issue with this plugin. To enable debug logs, edit the file /etc/default/go-server and add:

    export GO_SERVER_SYSTEM_PROPERTIES="$GO_SERVER_SYSTEM_PROPERTIES -Dplugin.cd.go.authentication.ldap.log.level=debug"

    If you're running the server via ./server.sh script:

    $ GO_SERVER_SYSTEM_PROPERTIES="-Dplugin.cd.go.authentication.ldap.log.level=debug" ./server.sh
  • On Windows:

    Edit the file config/wrapper-properties.conf inside the GoCD Server installation directory (typically C:\Program Files\Go Server):

    # config/wrapper-properties.conf
    # since the last "wrapper.java.additional" index is 15, we use the next available index.
    wrapper.java.additional.16=-Dplugin.cd.go.authentication.ldap.log.level=debug
    

Known issues while upgrading to plugin version 2.0.1-90

  • ManagerDN must now be a fully qualified DN (for example cn=go,ou=Teams,dc=corporate,dc=example,dc=com) rather than a bare username.
  • The configured search bases and UserLoginFilter must resolve a given username to exactly one entry.

License

Copyright 2022 Thoughtworks, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


gocd-ldap-authentication-plugin's Issues

Failed to get attribute `mail` value.

I see the following log message a few times a second. Any idea?

2017-10-01 19:27:56,967 ERROR [qtp66233253-114326] LdapPlugin:69 [plugin-cd.go.authentication.ldap] - Failed to get attribute mail value.

        <authConfig id="b32df702-8a93-4269-a5d9-835e1ab2ecc9" pluginId="cd.go.authentication.ldap">
          <property>
            <key>Url</key>
            <value>ldap://example.com</value>
          </property>
          <property>
            <key>ManagerDN</key>
            <value>manager</value>
          </property>
          <property>
            <key>SearchBases</key>
            <value>dc=example,dc=com</value>
          </property>
          <property>
            <key>UserLoginFilter</key>
            <value>(sAMAccountName={0})</value>
          </property>
          <property>
            <key>Password</key>
            <encryptedValue>*****</encryptedValue>
          </property>
          <property>
            <key>UserSearchFilter</key>
            <value />
          </property>
          <property>
            <key>DisplayNameAttribute</key>
            <value>cn</value>
          </property>
          <property>
            <key>EmailAttribute</key>
            <value>mail</value>
          </property>
        </authConfig>
{
  "Timestamp": "2017-10-01T19:39:48+02:00",
  "Go Server Information": {
    "Version": "17.10.0 (5380-05598d88fd4dabdde1184faa4fbffc5f9406d0dc)"
  },
  "Config Statistics": {
    "Valid Config": {
      "Number of pipelines": 331,
      "Number of agents": 129,
      "Number of environments": 21,
      "Number of unique materials": 270,
      "Number of schedulable materials": 273
    },
    "Security": {
      "LDAP": false,
      "Password": false
    }
  },
  "Config file locations": {
    "loc.config.dir": "/go-working-dir/config",
    "loc.log.root.0": "/go-working-dir/logs",
    "loc.log.basename.0": "go-server.log",
    "loc.log.root.1": "/go-working-dir/logs",
    "loc.log.basename.1": "plugin-com.thoughtworks.gocd.authorization.ldap.log",
    "loc.log.root.2": "/go-working-dir/logs",
    "loc.log.basename.2": "plugin-cd.go.authentication.ldap.log",
    "loc.log.root.3": "/go-working-dir/logs",
    "loc.log.basename.3": "web-requests.log",
    "loc.log.root.4": "/go-working-dir/logs",
    "loc.log.basename.4": "plugin-build.badge.log",
    "loc.log.root.5": "/go-working-dir/logs",
    "loc.log.basename.5": "plugin-cd.go.authentication.passwordfile.log",
    "loc.log.root.6": "/go-working-dir/logs",
    "loc.log.basename.6": "go-shine.log",
    "loc.log.root.7": "/go-working-dir/logs",
    "loc.log.basename.7": "plugin-gocd.guest.user.auth.plugin.log"
  },
  "OS Information": {
    "OS Name": "Linux",
    "OS Version": "3.10.0-693.2.1.el7.x86_64",
    "System Architecture": "amd64",
    "Available Processors": 16,
    "Average System Load": 2.62548828125
  },
  "Runtime Information": {
    "Name": "18@72589142750b",
    "Uptime": 10160182,
    "Uptime (in Time Format)": "[About 2 hours, 49 minutes, 20 seconds]",
    "Spec Name": "Java Virtual Machine Specification",
    "Spec Vendor": "Oracle Corporation",
    "Spec Version": "1.8",
    "Input Arguments": [
      "-Djava.security.egd\u003dfile:/dev/./urandom",
      "-Xms512m",
      "-Xmx10g",
      "-XX:MaxMetaspaceSize\u003d256m",
      "-Dplugin.cd.go.contrib.elastic-agent.docker-swarm.log.level\u003ddebug",
      "-Dgo.config.repo.gc.periodic\u003dY",
      "-Dgo.config.repo.gc.aggressive\u003dY",
      "-Dgo.config.repo.gc.cron\u003d0 10 * * * ?",
      "-Duser.timezone\u003dEurope/Stockholm",
      "-Dgo.database.provider\u003dcom.thoughtworks.go.postgresql.PostgresqlDatabase",
      "-Dgo.console.stdout\u003dtrue",
      "-Duser.language\u003den",
      "-Djruby.rack.request.size.threshold.bytes\u003d30000000",
      "-Duser.country\u003dUS",
      "-Dcruise.config.dir\u003d/go-working-dir/config",
      "-Dcruise.config.file\u003d/go-working-dir/config/cruise-config.xml",
      "-Dcruise.server.port\u003d8153",
      "-Dcruise.server.ssl.port\u003d8154"
    ],

ldap unable to find user but ldapsearch can

Hi,

I really hope someone will be able to help, I'm nearly having to move away from GoCD because I can't fix this, and I'm hoping it is a configuration issue on my behalf.

I'm trying to configure ldap to an on-prem ad. The server can find a user using ldapsearch as follows:

ldapsearch -x -H ldap://url:port -b "DC=#REMOVED,DC=#REMOVED,DC=#REMOVED,DC=#REMOVED" -D "CN=#REMOVED,OU=#REMOVED,DC=#REMOVED,DC=#REMOVED,DC=#REMOVED,DC=#REMOVED" -W "(cn=username)"

When I configure the ldap plugin with the same credentials, using a UserLoginFilter of any combination of |(sAMAccountName={0})(mail={0})(cn={0})), the 'check connection' returns an error code of:

ERR_02002_FAILURE_ON_UNDERLYING_CURSOR Failure on underlying Cursor

My config (with managerDN specified) is as follows:

        <authConfig id="ad-ldap" pluginId="cd.go.authentication.ldap">
          <property>
            <key>Url</key>
            <value>ldap://url:port</value>
          </property>
          <property>
            <key>SearchBases</key>
            <value>dc=#REMOVED,dc=#REMOVED,dc=#REMOVED,dc=#REMOVED</value>
          </property>
          <property>
            <key>ManagerDN</key>
            <value>CN=#REMOVED,OU=#REMOVED,DC=#REMOVED,DC=#REMOVED,DC=#REMOVED,DC=#REMOVED</value>
          </property>
          <property>
            <key>Password</key>
            <encryptedValue>#REMOVED</encryptedValue>
          </property>
          <property>
            <key>UserSearchFilter</key>
          </property>
          <property>
            <key>UserLoginFilter</key>
            <value>(|(sAMAccountName={0})(mail={0})(cn={0}))</value>
          </property>
          <property>
            <key>DisplayNameAttribute</key>
          </property>
          <property>
            <key>EmailAttribute</key>
          </property>
          <property>
            <key>SearchTimeout</key>
          </property>
        </authConfig>
		</authConfigs>

Included below are error logs running with, or without the ManagerDN included.
With ManagerDN, when I try to log in to GoCD I get the error:

2020-03-12 12:45:45,247 DEBUG [qtp1724460017-26] LdapPlugin:46 - [Authenticate] Authenticating User: #UserCN using auth_config: ad-ldap
2020-03-12 12:45:45,247 DEBUG [qtp1724460017-26] LdapPlugin:46 - Using entry mapper.
2020-03-12 12:45:45,261 INFO  [qtp1724460017-26] LdapPlugin:72 - [Authenticate] Failed to authenticate user #UserCN on ldap://url:port.
2020-03-12 12:45:45,261 DEBUG [qtp1724460017-26] LdapPlugin:51 - Exception:
java.lang.RuntimeException: ERR_02002_FAILURE_ON_UNDERLYING_CURSOR Failure on underlying Cursor.
        at org.apache.directory.api.ldap.model.cursor.CursorIterator.next(CursorIterator.java:89)
        at org.apache.directory.ldap.client.template.LdapConnectionTemplate.search(LdapConnectionTemplate.java:684)
        at cd.go.apacheds.ApacheDsLdapClient.search(ApacheDsLdapClient.java:117)
        at cd.go.apacheds.ApacheDsLdapClient.findLdapEntryForAuthentication(ApacheDsLdapClient.java:163)
        at cd.go.apacheds.ApacheDsLdapClient.authenticate(ApacheDsLdapClient.java:62)
        at cd.go.authentication.ldap.LdapAuthenticator.authenticateWithAuthConfig(LdapAuthenticator.java:57)
        at cd.go.authentication.ldap.LdapAuthenticator.authenticate(LdapAuthenticator.java:43)
        at cd.go.authentication.ldap.executor.UserAuthenticationExecutor.execute(UserAuthenticationExecutor.java:46)
        at cd.go.authentication.ldap.executor.UserAuthenticationExecutor.execute(UserAuthenticationExecutor.java:33)
        at cd.go.plugin.base.executors.AbstractExecutor.execute(AbstractExecutor.java:27)
        at cd.go.plugin.base.dispatcher.RequestDispatcher.lambda$dispatch$0(RequestDispatcher.java:41)
        at java.base/java.util.Optional.map(Unknown Source)
        at cd.go.plugin.base.dispatcher.RequestDispatcher.dispatch(RequestDispatcher.java:41)
        at cd.go.authentication.ldap.LdapPlugin.handle(LdapPlugin.java:68)
        at com.thoughtworks.go.plugin.infra.DefaultPluginManager.lambda$submitTo$0(DefaultPluginManager.java:134)
        at com.thoughtworks.go.plugin.infra.FelixGoPluginOSGiFramework.executeActionOnTheService(FelixGoPluginOSGiFramework.java:208)
        at com.thoughtworks.go.plugin.infra.FelixGoPluginOSGiFramework.doOn(FelixGoPluginOSGiFramework.java:164)
        at com.thoughtworks.go.plugin.infra.DefaultPluginManager.submitTo(DefaultPluginManager.java:131)
        at com.thoughtworks.go.plugin.access.PluginRequestHelper.submitRequest(PluginRequestHelper.java:49)
        at com.thoughtworks.go.plugin.access.authorization.AuthorizationExtension.authenticateUser(AuthorizationExtension.java:120)
        at com.thoughtworks.go.server.newsecurity.providers.PasswordBasedPluginAuthenticationProvider.authenticateWithExtension(PasswordBasedPluginAuthenticationProvider.java:77)
        at com.thoughtworks.go.server.newsecurity.providers.PasswordBasedPluginAuthenticationProvider.authenticateWithExtension(PasswordBasedPluginAuthenticationProvider.java:38)
        at com.thoughtworks.go.server.newsecurity.providers.AbstractPluginAuthenticationProvider.authenticateUser(AbstractPluginAuthenticationProvider.java:118)
        at com.thoughtworks.go.server.newsecurity.providers.AbstractPluginAuthenticationProvider.authenticate(AbstractPluginAuthenticationProvider.java:85)
        at com.thoughtworks.go.server.newsecurity.controllers.AuthenticationController.performLogin(AuthenticationController.java:83)
        at jdk.internal.reflect.GeneratedMethodAccessor74.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:181)
        at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:440)
        at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:428)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:876)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
        at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
        at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
        at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
        at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:381)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
        at com.thoughtworks.go.server.web.FlashLoadingFilter.doFilterInternal(FlashLoadingFilter.java:38)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
        at com.thoughtworks.go.server.newsecurity.filters.DenyIfRefererIsNotFilesFilter.doFilterInternal(DenyIfRefererIsNotFilesFilter.java:52)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
        at com.thoughtworks.go.server.newsecurity.filters.AllowAllAccessFilter.doFilterInternal(AllowAllAccessFilter.java:33)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
        at com.thoughtworks.go.server.newsecurity.filters.AbstractUserEnabledCheckFilter.doFilterInternal(AbstractUserEnabledCheckFilter.java:66)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at com.thoughtworks.go.server.newsecurity.filters.ThreadLocalUserFilter.doFilterInternal(ThreadLocalUserFilter.java:41)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
        at com.thoughtworks.go.server.newsecurity.filters.AssumeAnonymousUserFilter.doFilterInternal(AssumeAnonymousUserFilter.java:64)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
        at com.thoughtworks.go.server.newsecurity.filters.AlwaysCreateSessionFilter.doFilterInternal(AlwaysCreateSessionFilter.java:40)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at com.thoughtworks.go.server.newsecurity.filters.ModeAwareFilter.doFilter(ModeAwareFilter.java:79)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at com.thoughtworks.go.server.web.BackupFilter.doFilterInternal(BackupFilter.java:79)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
        at com.thoughtworks.go.server.newsecurity.filterchains.MainFilterChain.doFilter(MainFilterChain.java:79)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
        at com.thoughtworks.go.server.web.DefaultHeadersFilter.doFilter(DefaultHeadersFilter.java:51)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
        at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:753)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1711)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1347)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1678)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1249)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)
        at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:152)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
        at org.eclipse.jetty.server.Server.handle(Server.java:505)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:427)
        at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:321)
        at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
        at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:781)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:917)
        at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.apache.directory.api.ldap.model.cursor.CursorLdapReferralException: null
        at org.apache.directory.ldap.client.api.EntryCursorImpl.get(EntryCursorImpl.java:174)
        at org.apache.directory.ldap.client.api.EntryCursorImpl.get(EntryCursorImpl.java:52)
        at org.apache.directory.api.ldap.model.cursor.CursorIterator.next(CursorIterator.java:82)
        ... 141 common frames omitted

If I remove the ManagerDN and password, I get a different error:

2020-03-12 12:50:02,477 DEBUG [qtp1724460017-26] LdapPlugin:46 - [Authenticate] Authenticating User: #UserCN using auth_config: ad-ldap
2020-03-12 12:50:02,478 DEBUG [qtp1724460017-26] LdapPlugin:46 - Using entry mapper.
2020-03-12 12:50:02,482 INFO  [qtp1724460017-26] LdapPlugin:72 - [Authenticate] Failed to authenticate user #UserCN on ldap://url:port.
2020-03-12 12:50:02,483 DEBUG [qtp1724460017-26] LdapPlugin:51 - Exception:
java.lang.RuntimeException: User #UserCN does not exist in ldap://url:port
        at cd.go.apacheds.ApacheDsLdapClient.findLdapEntryForAuthentication(ApacheDsLdapClient.java:166)
        at cd.go.apacheds.ApacheDsLdapClient.authenticate(ApacheDsLdapClient.java:62)
        at cd.go.authentication.ldap.LdapAuthenticator.authenticateWithAuthConfig(LdapAuthenticator.java:57)
        at cd.go.authentication.ldap.LdapAuthenticator.authenticate(LdapAuthenticator.java:43)
        at cd.go.authentication.ldap.executor.UserAuthenticationExecutor.execute(UserAuthenticationExecutor.java:46)
        at cd.go.authentication.ldap.executor.UserAuthenticationExecutor.execute(UserAuthenticationExecutor.java:33)
        at cd.go.plugin.base.executors.AbstractExecutor.execute(AbstractExecutor.java:27)
        at cd.go.plugin.base.dispatcher.RequestDispatcher.lambda$dispatch$0(RequestDispatcher.java:41)
        at java.base/java.util.Optional.map(Unknown Source)
        at cd.go.plugin.base.dispatcher.RequestDispatcher.dispatch(RequestDispatcher.java:41)
        at cd.go.authentication.ldap.LdapPlugin.handle(LdapPlugin.java:68)
        at com.thoughtworks.go.plugin.infra.DefaultPluginManager.lambda$submitTo$0(DefaultPluginManager.java:134)
        at com.thoughtworks.go.plugin.infra.FelixGoPluginOSGiFramework.executeActionOnTheService(FelixGoPluginOSGiFramework.java:208)
        at com.thoughtworks.go.plugin.infra.FelixGoPluginOSGiFramework.doOn(FelixGoPluginOSGiFramework.java:164)
        at com.thoughtworks.go.plugin.infra.DefaultPluginManager.submitTo(DefaultPluginManager.java:131)
        at com.thoughtworks.go.plugin.access.PluginRequestHelper.submitRequest(PluginRequestHelper.java:49)
        at com.thoughtworks.go.plugin.access.authorization.AuthorizationExtension.authenticateUser(AuthorizationExtension.java:120)
        at com.thoughtworks.go.server.newsecurity.providers.PasswordBasedPluginAuthenticationProvider.authenticateWithExtension(PasswordBasedPluginAuthenticationProvider.java:77)
        at com.thoughtworks.go.server.newsecurity.providers.PasswordBasedPluginAuthenticationProvider.authenticateWithExtension(PasswordBasedPluginAuthenticationProvider.java:38)
        at com.thoughtworks.go.server.newsecurity.providers.AbstractPluginAuthenticationProvider.authenticateUser(AbstractPluginAuthenticationProvider.java:118)
        at com.thoughtworks.go.server.newsecurity.providers.AbstractPluginAuthenticationProvider.authenticate(AbstractPluginAuthenticationProvider.java:85)
        at com.thoughtworks.go.server.newsecurity.controllers.AuthenticationController.performLogin(AuthenticationController.java:83)
        at jdk.internal.reflect.GeneratedMethodAccessor74.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:181)
        at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:440)
        at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:428)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:876)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
        at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
        at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
        at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
        at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:381)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
        at com.thoughtworks.go.server.web.FlashLoadingFilter.doFilterInternal(FlashLoadingFilter.java:38)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
        at com.thoughtworks.go.server.newsecurity.filters.DenyIfRefererIsNotFilesFilter.doFilterInternal(DenyIfRefererIsNotFilesFilter.java:52)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
        at com.thoughtworks.go.server.newsecurity.filters.AllowAllAccessFilter.doFilterInternal(AllowAllAccessFilter.java:33)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
        at com.thoughtworks.go.server.newsecurity.filters.AbstractUserEnabledCheckFilter.doFilterInternal(AbstractUserEnabledCheckFilter.java:66)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at com.thoughtworks.go.server.newsecurity.filters.ThreadLocalUserFilter.doFilterInternal(ThreadLocalUserFilter.java:41)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
        at com.thoughtworks.go.server.newsecurity.filters.AssumeAnonymousUserFilter.doFilterInternal(AssumeAnonymousUserFilter.java:64)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
        at com.thoughtworks.go.server.newsecurity.filters.AlwaysCreateSessionFilter.doFilterInternal(AlwaysCreateSessionFilter.java:40)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at com.thoughtworks.go.server.newsecurity.filters.ModeAwareFilter.doFilter(ModeAwareFilter.java:79)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at com.thoughtworks.go.server.web.BackupFilter.doFilterInternal(BackupFilter.java:79)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
        at com.thoughtworks.go.server.newsecurity.filterchains.MainFilterChain.doFilter(MainFilterChain.java:79)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
        at com.thoughtworks.go.server.web.DefaultHeadersFilter.doFilter(DefaultHeadersFilter.java:51)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
        at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:753)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1711)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1347)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1678)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1249)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)
        at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:152)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
        at org.eclipse.jetty.server.Server.handle(Server.java:505)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:427)
        at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:321)
        at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
        at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:781)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:917)
        at java.base/java.lang.Thread.run(Unknown Source)

Any ideas?

Thanks!!

No administrator user

Hi,

Is there a way to not create LDAP users as GoCD administrators?
In the default setting, all LDAP users are administrators after their first login in GoCD 17.10.0.

Best Regards,
disaster

LDAP users are keyed against the wrong username.

Issue Type
  • Bug Report
  • Feature enhancement
Summary

When using the LDAP authentication plugin, users are keyed against the wrong username.

Basic environment details

GoCD Version: 20.7.0 (12097-f4f86ca8d433edaf9235ed92790c11e19d7be4ed).
LDAP Plugin: LDAP Authentication Plugin for GoCD v2.0.1-90 (bundled)

Steps to Reproduce
  1. Set up the LDAP plugin to accept either mail or uid (|(uid={0})(mail={0})) connected to a directory at example.com.
  2. Log in with email ([email protected])
  3. Log out
  4. Log in with uid (nick)
  5. Notice that two users have been created
Expected Results

I would expect users to be created with a username equal to their uid attribute.
Specifying either mail or uid (or any combination supported by the user filter) at login would log you into the same user.

Actual Results

Users are created with usernames equal to the value entered into the username field at login.
A user is created for each variant supplied in the login field, even if mapped to the same LDAP user.

Possible Fix
  • Use the LDAP uid attribute to key users, rather than the user-supplied value.
  • Alternatively, supply a config option on the plugin to specify how the username field should be filled.

Add support for LDAP with SSL

In the in-built implementation the end-users have to import the certificates directly into Java's cacerts. This is usually problematic as users may move to a different system and their LDAP authentication stops working suddenly. The issue also comes up if they switch to a different version of Java: they need to re-import all the certs. Since this is moving to a plugin, could we provide an option in auth-config for the plugin to specify the certs, in order to avoid the same issue that we have with the in-built one?

[Verify Connection] Verify connection failed with errors

I'm running into the following error when I do "Check connection" for my corporate LDAP authentication. Proper CA certs are installed. For example, ldapsearch on the same host with similar parameters works fine. I'm not sure whether I'm overlooking something. The stack trace is attached too. I would appreciate any support in resolving the issue. Please feel free to let me know if additional information is required.

2018-06-27 16:43:45,090 ERROR [qtp662822946-27] LdapPlugin:128 - [Verify Connection] Verify connection failed with errors.
javax.naming.CommunicationException: ldap.thefacebook.com:636
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
        at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
        at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
        at javax.naming.InitialContext.init(InitialContext.java:244)
        at javax.naming.InitialContext.<init>(InitialContext.java:216)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
        at cd.go.framework.ldap.Ldap.getDirContext(Ldap.java:103)
        at cd.go.framework.ldap.Ldap.authenticate(Ldap.java:158)
        at cd.go.framework.ldap.Ldap.validate(Ldap.java:162)
        at cd.go.authentication.ldap.executor.VerifyConnectionRequestExecutor.verifyConnection(VerifyConnectionRequestExecutor.java:75)
        at cd.go.authentication.ldap.executor.VerifyConnectionRequestExecutor.execute(VerifyConnectionRequestExecutor.java:62)
        at cd.go.authentication.ldap.LdapPlugin.handle(LdapPlugin.java:67)
        at com.thoughtworks.go.plugin.infra.DefaultPluginManager.lambda$submitTo$0(DefaultPluginManager.java:143)
        at com.thoughtworks.go.plugin.infra.FelixGoPluginOSGiFramework.executeActionOnTheService(FelixGoPluginOSGiFramework.java:219)
        at com.thoughtworks.go.plugin.infra.FelixGoPluginOSGiFramework.doOn(FelixGoPluginOSGiFramework.java:202)
        at com.thoughtworks.go.plugin.infra.DefaultPluginManager.submitTo(DefaultPluginManager.java:140)
        at com.thoughtworks.go.plugin.access.PluginRequestHelper.submitRequest(PluginRequestHelper.java:48)
        at com.thoughtworks.go.plugin.access.authorization.AuthorizationExtension.verifyConnection(AuthorizationExtension.java:105)
        at com.thoughtworks.go.server.service.SecurityAuthConfigService.verifyConnection(SecurityAuthConfigService.java:85)
<..snip..>

Add support for authentication/search timeout

Issue Type
  • Bug Report
Summary

LdapUserSearch is hard coding the LDAP search timelimit parameter which prevents the administrator from tuning this parameter as appropriate for their environment.

I believe this is normally handled by the system property com.sun.jndi.ldap.read.timeout .

Steps to Reproduce
  1. Find an LDAP server with over 100,000 entries with 'memberOf' overlay enabled
  2. Add an LDAP filter in GoCD to use memberOf
  3. wait 6 seconds
Expected Results
  • Slow but working response
Actual Results
  • Soft sobbing
Possible Fix
  • Remove line 90 in above referenced file
Any other info
  • I really do like you guys. Ignore the snark.

Found multiple users in search base

I am trying to set LDAP configuration up with the help of our admin, I can connect to the LDAP server (the Ok Test in GoCD says that everything is alright), but when I try to connect with a username, I always get this output in the logfile and the user can't authenticate.

2018-07-13 12:20:58,982 ERROR [qtp1895219288-37] LdapPlugin:128 - [Authenticate] Failed to authenticate user <username> on ldap://****.****:****. 
java.lang.RuntimeException: Found multiple users in search base `OU=***,OU=users,OU=****,DC=****,DC=****,DC=com` with username `<username>`. 
	at cd.go.framework.ldap.Ldap.authenticate(Ldap.java:61)

(I blanked out the servername etc.)

Since the Manager DN and URL seem fine (as confirmed by the GoCD "Ok Test"), I'm only posting the other relevant configuration:

UserLoginFilter (userPrincipalName={0})

The searchbase matches the Manager DN's - without the CN of the manager. Any ideas?
