Jenkins LDAP authentication does an unindexed search - jenkins

I'm installing a new Jenkins server (let's name it "A") and my LDAP authentication runs into the error
"[LDAP: error code 50 - You do not have sufficient privileges to perform an unindexed search"
The LDAP configuration is identical to another Jenkins installation (version 1.642.2, let's name it "B") in the same network where LDAP works fine (due to security reasons, I can't give exact names below):
- Server: ldaps://server.domain:port
- root DN: dc=XXX,dc=com
- User search base: ou=people
- User search filter: uid={0}
- Manager DN: uid=XYZ,ou=people,dc=XXX,dc=com
- Manager Password: ****
Group search base and Group search filter are not defined.
The server "A" currently has no openldap2-client package installed, so I can't test on the command line on server "A".
When testing on server "B", the following query returns successfully:
ldapsearch -x -D "uid=XYZ,ou=people,dc=XXX,dc=com" -W -H ldaps://server.domain:port 'uid=myAccount'
Without giving the account to search for
ldapsearch -x -D "uid=XYZ,ou=people,dc=XXX,dc=com" -W -H ldaps://server.domain:port
returns the same error as I get in Jenkins on "A": "[LDAP: error code 50 - You do not have sufficient privileges to perform an unindexed search".
This works as expected, indeed.
So I assume that somehow the User search filter uid={0} in Jenkins "A" isn't interpreted correctly.
I created a new log recorder in Jenkins for the "hudson.security.LDAPSecurityRealm" with priority "All", but it doesn't give more information about the LDAP query.
Any hints what could be wrong here?

Adding the Group Search Base "ou=groups" did the trick!
This is not necessary in Jenkins Vers. 1.642.2 - the Jenkins Version, which is installed on my question's server "B". There everything works fine without this option.
When using the LTS Version 2.263.1 (I forgot to mention the version in my question) it's necessary (in my case) to add the Group Search Base.
Thanks to all the people who spent some time reading my post!
Regards!
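The thread above boils down to reproducing, outside Jenkins, the exact user lookup that the LDAP settings imply. The script below is an added example (not code from the question or the answer): it builds the search base from the root DN and user search base, expands the `uid={0}` template for one login name, and either prints or runs the matching ldapsearch command. Two safeguards are built in: the login name is escaped per RFC 4515 before it is substituted into the filter, and an empty name is refused, because a catch-all filter is precisely the unindexed search the directory rejects with error code 50. Function names and the `LDAP_RUN` variable are this example's own; the server, DN and account values mirror the placeholders in the question.

```shell
#!/bin/sh
# Added example; not part of the original question or answer.
# Assumes a POSIX shell, sed, and (for LDAP_RUN=1) the ldapsearch client.

# Escape a value for use inside an LDAP filter (RFC 4515): backslash first,
# then '*', '(' and ')' become \5c \2a \28 \29.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Expand a Jenkins user search filter template such as 'uid={0}' for one
# login name and wrap it in parentheses. Fails on an empty name (would yield
# a catch-all search) or on a template without a {0} placeholder.
jenkins_user_filter() {
  tpl=$1 user=$2
  [ -n "$user" ] || { echo "refusing empty login name (catch-all filter)" >&2; return 1; }
  case $tpl in *"{0}"*) ;; *) echo "template lacks {0}: $tpl" >&2; return 1 ;; esac
  esc=$(ldap_filter_escape "$user")
  prefix=${tpl%%\{0\}*}
  suffix=${tpl#*\{0\}}
  printf '(%s%s%s)\n' "$prefix" "$esc" "$suffix"
}

# Jenkins searches under "<user search base>,<root DN>" (or the root DN alone).
jenkins_search_base() {
  root_dn=$1 user_base=$2
  if [ -n "$user_base" ]; then
    printf '%s,%s\n' "$user_base" "$root_dn"
  else
    printf '%s\n' "$root_dn"
  fi
}

# Dry run (default) prints the ldapsearch command line; LDAP_RUN=1 executes it.
# -W prompts for the manager password, so it never appears on the command line.
jenkins_ldap_check() {
  url=$1 root_dn=$2 user_base=$3 tpl=$4 manager_dn=$5 user=$6
  filter=$(jenkins_user_filter "$tpl" "$user") || return 1
  base=$(jenkins_search_base "$root_dn" "$user_base")
  if [ "${LDAP_RUN:-0}" = 1 ]; then
    ldapsearch -x -LLL -H "$url" -D "$manager_dn" -W -b "$base" "$filter" dn
  else
    printf "ldapsearch -x -LLL -H '%s' -D '%s' -W -b '%s' '%s' dn\n" \
      "$url" "$manager_dn" "$base" "$filter"
  fi
}

# Values mirror the placeholders used in the question.
jenkins_ldap_check 'ldaps://server.domain:port' 'dc=XXX,dc=com' 'ou=people' \
  'uid={0}' 'uid=XYZ,ou=people,dc=XXX,dc=com' 'myAccount'
```

If the printed command succeeds on "B" but Jenkins on "A" still triggers the unindexed-search error, the name Jenkins substitutes for `{0}` (or the base it searches under) differs from what the settings suggest; comparing the two command lines is the quickest way to spot that.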


How to execute scriptler script in jenkins remotely / via REST API?

In Jenkins, I would like to execute my scriptler script via REST API from bash and curl. According to documentation it should work, but there isn't any working example.
I have created simple script testScr, which is just one liner: println "OK". I'm trying to execute it with curl:
curl -d '{}' --user <userid>:<Token> http://<jenkins_server>/scriptler/run/testScr > result.html
Resulting html says: "Oops! A problem occurred while processing the request."
How do I do it correctly? Is it even working for somebody?
Yes that works for me.
Have you made sure that the user has the right permission and the token is correct?
In my case I'm using Role-based Authorization Strategy
And you can execute it if you're admin
If you want a user other than admin to execute it, you can also grant permissions.
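A small wrapper for the curl call from the question, added here as an example (not code from the question or the answer). It changes two things a security reviewer would ask for: the user id and API token are read from a netrc file that only the owner can read, instead of `--user` on the command line where every local user can see them in `ps` and they end up in shell history; and a non-2xx response fails the script instead of silently saving an HTML error page to result.html. The function name and the netrc path are this example's own assumptions; the `/scriptler/run/<id>` path is the one the question uses.

```shell
#!/bin/sh
# Added example; not part of the original question or answers.
# Assumes curl. The netrc file holds one line of the form
#   machine <jenkins_host> login <userid> password <token>
# and must be chmod 600.

# Run a Scriptler script by id. Usage: jenkins_scriptler_run BASE_URL SCRIPT_ID NETRC_FILE
# Prints the response body on success; returns 1 on transport or HTTP errors.
jenkins_scriptler_run() {
  base=$1 script=$2 netrc=$3
  [ -r "$netrc" ] || { echo "netrc file not readable: $netrc" >&2; return 1; }
  # Refuse a credentials file that group or others can access (ls columns 5-10).
  case $(ls -l "$netrc" | cut -c5-10) in
    ------) ;;
    *) echo "netrc permissions too open, expected 600: $netrc" >&2; return 1 ;;
  esac
  body=$(mktemp) || return 1
  # Token comes from the netrc file; -w captures only the status code.
  code=$(curl -sS --netrc-file "$netrc" -X POST -d '' \
         -o "$body" -w '%{http_code}' "$base/scriptler/run/$script") \
    || { rm -f "$body"; return 1; }
  case $code in
    2??) cat "$body"; rm -f "$body"; return 0 ;;
    *)   echo "scriptler returned HTTP $code" >&2; rm -f "$body"; return 1 ;;
  esac
}

# Example invocation (hostname and netrc path are placeholders):
# jenkins_scriptler_run https://jenkins.example.com testScr "$HOME/.jenkins-netrc"
```

A 403 from this wrapper points at the permission problem the answer describes; a 401 means the token or user id in the netrc file is wrong.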

Puppet Code Manager setup issue with Bitbucket

I have just installed puppet server enterprise and successfully added a few nodes and got some custom modules running also. I am now wanting to move to Code Manager before we get too deep in it.
I have followed the instructions for creating an empty Bitbucket repo here and initializing it with one single file environment.conf on a production branch as described in that link.
I have then followed the steps here to configure Code Manager but when I get to Test the control repository section to test the connection with puppet-code deploy --dry-run I get the following error:
--dry-run implies --all.
--dry-run implies --wait.
Dry-run deploying all environments.
2021/12/21 20:21:12 ERROR - [POST /deploys][500] Errors while collecting a list of environments to deploy (exit code: 1).
"/opt/puppetlabs/puppet/lib/ruby/gems/2.7.0/gems/rugged-0.27.7/lib/rugged/repository.rb:258: warning: Using the last argument as keyword parameters is deprecated\nERROR\t -\u003e Unable to determine current branches for Git source 'puppet' (/etc/puppetlabs/code-staging/environments)\nOriginal exception:\nFailed to authenticate SSH session: Unable to send userauth-publickey request at /opt/puppetlabs/server/data/code-manager/git/git@git.company.com-1234-in-puppet-control-repo.git\n"
I have added the puppet server's SSH pub key to the bitbucket repo's access tokens.
There are a few things in that error message I'm not fully understanding.
Unable to determine current branches for Git source 'puppet' - What is meant by source 'puppet' - my repo is called puppet-control-repo...?
Failed to authenticate SSH session: Unable to send userauth-publickey request - My puppet master's SSH keys are in the token list for that repo so confused here also.
Any guidance would be appreciated.
UPDATE (13-01-2022):
I can successfully clone on puppet server using command
git clone ssh://git@git.example.com:1234/project/puppet-control-repo.git --config core.sshCommand="ssh -i /etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa"
Not sure why puppet is still returning:
Failed to authenticate SSH session: Unable to send userauth-publickey request
I don't know if you saw the instructions here https://puppet.com/docs/pe/2021.4/control_repo.html#managing_environments_with_a_control_repository but you can run
puppet infrastructure configure
which makes sure the files have right permissions.
I would also test that a clone with the keys works outside of code deploy:
git clone --config core.sshCommand="ssh -i /etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa" your_git_url
If this works it may be worth being aware of an issue we experienced on GitHub https://puppet.com/blog/how-githubs-protocol-changes-impact-your-puppet-code-deployments/ which, depending on Bitbucket's approach to the protocol, may be having a similar effect.
We are updating docs to recommend the usage of more secure ed25519 keys, created as per the article.
If a manual clone doesn't work, it suggests Bitbucket doesn't have your public key correctly.
Also a more complete debugging command is
runuser -u pe-puppet -- /opt/puppetlabs/puppet/bin/r10k -c /opt/puppetlabs/server/data/code-manager/r10k.yaml deploy environment production --puppetfile --verbose debug2
FOLLOWUP
On investigation we found https://support.puppet.com/hc/en-us/articles/227829007 which showed ssh:// was required at the start of r10k_remote, making an example command of ssh://git@bitbucket.org:davidsandilands/control-repo.git
I have requested updates to https://support.puppet.com/hc/en-us/articles/227829007 to highlight this is not a version confined issue and asked for the puppet code manager configuration docs to be updated to reflect this may be required.
I see that you have a .pub file in the ssh directory. I believe it's expecting a private key there.
Also do you have the master class set up to point to your repo inside of Puppet Enterprise web ui?
You'll want to set the following parameters on that class.
code_manager_auto_configure = true
r10k_private_key = $PRIVATE_KEY_IN_SSH_FOLDER_ABSOLUTE_PATH
r10k_remote = Your git URL
The PE Master can be found in Node Groups on the PE Web UI Node Groups -> PE Infrastructure -> PE Master
Thanks to @david-sandilands for helping me resolve this and guiding me to this article via the puppet community slack. Top guy!
EDIT 1:
The solution was documented here: https://support.puppet.com/hc/en-us/articles/227829007-Fix-your-Bitbucket-Stash-Code-Manager-configuration-in-Puppet-Enterprise-2015-3-to-2017-2
However the documentation was out of date as it affected version 2021.4 also.
In short:
r10k_remote = "ssh://git@git.company.com:1234/project/control-repo.git"
Not
r10k_remote = "git@git.company.com:1234/project/control-repo.git"
When working with Bitbucket Server.
EDIT 2:
Puppet have since updated their documentation:
https://puppet.com/docs/pe/2021.5/code_mgr_config.html#code_mgr_enable
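The thread ends with two concrete findings: Bitbucket Server with a non-default port needs the `ssh://` form in `r10k_remote`, and `r10k_private_key` has to name a private key (not the `.pub` file) that only its owner can read. The script below is an added example (not code from the question, the answers or Puppet's own tooling) that checks both before you run `puppet-code deploy`, and repeats the manual clone test as the `pe-puppet` user, which is the account Code Manager performs the clone under. Function names are this example's own; the key path and remote format follow the thread.

```shell
#!/bin/sh
# Added example; not part of the original question or answers.
# Assumes a POSIX shell, git, and (for the clone test) runuser with root rights.

# Accept ssh://user@host[:port]/path.git. Reject the scp-style user@host:port/path
# form, which the thread found Code Manager cannot authenticate against
# Bitbucket Server when a port is present.
validate_r10k_remote() {
  case $1 in
    ssh://*@*/*.git) return 0 ;;
    ssh://*) echo "remote must look like ssh://user@host[:port]/path.git: $1" >&2; return 1 ;;
    *@*:*)   echo "scp-style remote; Bitbucket Server with a port needs ssh://: $1" >&2; return 1 ;;
    *)       echo "unrecognised remote: $1" >&2; return 1 ;;
  esac
}

# r10k_private_key must be the private half, readable only by its owner.
check_private_key() {
  key=$1
  case $key in *.pub) echo "r10k_private_key points at a public key: $key" >&2; return 1 ;; esac
  [ -r "$key" ] || { echo "key not readable: $key" >&2; return 1; }
  grep -q 'PRIVATE KEY' "$key" || { echo "not a PEM/OpenSSH private key: $key" >&2; return 1; }
  # ls columns 5-10 are the group and other permission bits.
  case $(ls -l "$key" | cut -c5-10) in
    ------) return 0 ;;
    *) echo "key is group/world accessible; chmod 600 $key" >&2; return 1 ;;
  esac
}

# The same clone Code Manager performs, run as pe-puppet with the configured key.
# Needs root (or sudo) to switch user; not run automatically.
code_manager_clone_test() {
  remote=$1 key=$2
  dest=$(mktemp -d) || return 1
  runuser -u pe-puppet -- git clone --depth 1 \
    --config core.sshCommand="ssh -i $key -o IdentitiesOnly=yes" "$remote" "$dest"
  rc=$?
  rm -rf "$dest"
  return $rc
}

# Preflight: both static checks, then (optionally) the clone.
code_manager_preflight() {
  remote=$1 key=$2
  validate_r10k_remote "$remote" || return 1
  check_private_key "$key" || return 1
  if [ "${RUN_CLONE:-0}" = 1 ]; then
    code_manager_clone_test "$remote" "$key"
  fi
}

# Example values mirror the thread (hostname and port are the question's placeholders):
# RUN_CLONE=1 code_manager_preflight \
#   "ssh://git@git.company.com:1234/project/control-repo.git" \
#   /etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa
```

When the clone step fails while a clone as your own user succeeds, the difference is usually that `pe-puppet` cannot read the key file; `puppet infrastructure configure`, mentioned in the first answer, resets those permissions.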

Error 403: "Flux query service disabled." But flux-enabled=true has been set in influxdb.conf

I have been using InfluxDB (server version 1.7.5) with the InfluxQL language for some time now. Unfortunately, InfluxQL does not allow me to perform any form of joins, so I need to use InfluxDB's new scripting language Flux instead.
The manual states that I have to enable Flux in /etc/influxdb/influxdb.conf by setting flux-enabled=true which I have done. I restarted the server to make sure I got the new settings and started the Influx Command Line tool with "-type=flux".
I then do get a different user interface than when I use InfluxQL. So far so good. I can also set and read variables etc. So I can set:
> dummy = 1
> dummy
1
However, when I try to do any form of query of the tables such as: from(bucket:"db_OxyFlux-test/autogen")
I always get
Error: Flux query service disabled. Verify flux-enabled=true in the [http] section of the InfluxDB config.
: 403 Forbidden
I found the manual for Fluxlang rather lacking in basic details of Schema exploration and so I am not sure if this is just an issue with my query raising this error or if something else is going wrong. I tested this both on my own home machine and on our remote work server and I get the same results.
Re: Vilix
Thank you. This led me in the right direction.
I realised that InfluxDB does not automatically read the config file (which is not very intuitive). But your solution also forces me to start the daemon by hand each time. After some more googling I used:
"sudo influxd config -config /etc/influxdb/influxdb.conf"
So hopefully now the daemon will start automatically each time on startup rather than me having to do this by hand.
I have the same issue and the solution is to start influxd with the -config option:
influxd -config /etc/influxdb/influxdb.conf

Why can any user login influxdb?

I have installed influxdb. But on the server every user can log in when they type influx.
Why is it like that? Isn't it a security problem? And how can I solve it?
I want to log in with a specific admin user and its admin password.
The "why"
Different databases have used reasonings with minor differences over the years, but basically, it goes like this:
In its most simple install, <insert DBMS here> should just run - for integration tests, simple evaluation purposes etc. We could generate a root/admin/superhoncho user password, but more often than not, this is not going to be changed, and that is a Bad Thing™.
And since nobody sane would run a database in production without authentication and authorisation enabled, providing easy access in the default installation is not a problem anyway, is it?
I tend to agree with this reasoning, though I am of the opinion that in the case the DBMS has authentication and authorisation disabled per default, it should bind to localhost by default, too. You make your DBMS accessible to the outside world, and be it only your company's network? You surely have thought about the implications!
The "how"
Authentication
I am going to use docker to illustrate it; it is quite obvious what you have to do in a non-docker environment.
First, we pull the influxdb docker image and create a default config file in one go:
$ docker run --rm influxdb influxd config > influxdb.conf
Unable to find image 'influxdb:latest' locally
latest: Pulling from library/influxdb
...
Digest: sha256:0aa7fea5336b5e5cc1c80e16062865821ec772e06519c138947ef5ebd9b34907
Status: Downloaded newer image for influxdb:latest
Merging with configuration at: /etc/influxdb/influxdb.conf
Now we change the authentication parameter in the [http] section of our influxdb.conf to true:
...
[http]
auth-enabled = true
...
Next, we start our InfluxDB using this modified config file:
$ docker run -d --name influxdb -p 8086:8086 \
-v $PWD/influxdb.conf:/etc/influxdb/influxdb.conf:ro \
influxdb -config /etc/influxdb/influxdb.conf
1987f962c331d2404a2564bb752d971553b13181dbbbb1e38cf50d345b3191c4
(The hash sum you get will be different.)
Now, we connect to our influxdb and create the admin user
$ docker exec -it influxdb influx
Connected to http://localhost:8086 version 1.7.8
InfluxDB shell version: 1.7.8
> create user admin with password 'secret' with all privileges;
From this point on, credentials are needed for pretty much everything
> show users
ERR: unable to parse authentication credentials
Warning: It is possible this error is due to not setting a database.
Please set a database with the command "use <database>".
> auth
username: admin
password:
> show users
user admin
---- -----
admin true
Authorization
Simple mnemonic: "Users are granted permissions per database." So, in order to grant something to a user, that user must first exist:
> create user berkancetin with password 'supersecret';
> create database foobar
> grant read on foobar to berkancetin
> show users
user admin
---- -----
admin true
berkancetin false
> show grants for "berkancetin"
database privilege
-------- ---------
foobar READ
Further reading (!!!)
Ignore at your own risk. You. Have. Been. Warned.
InfluxDB authentication
InfluxDB docs on Authorization
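Both InfluxDB threads above come down to the same two facts: `influxd` only honours influxdb.conf when it is started with `-config`, and the `[http]` section has to carry the setting you expect (`flux-enabled = true` for Flux, `auth-enabled = true` so that `influx` stops letting anyone in). The checker below is an added example (not code from either question, the answers or InfluxDB itself). It reads keys from a TOML-style config file with a small section-aware awk parser, reports which of the two flags is off, and looks for a running `influxd` that was given `-config`. Function names are this example's own; the sample config is constructed.

```shell
#!/bin/sh
# Added example; not part of the original questions or answers.
# Assumes a POSIX shell, awk and ps.

# Read KEY from [SECTION] of a TOML-style config file. Prints the bare value
# (surrounding quotes stripped, trailing "# comment" dropped) or nothing if absent.
conf_get() {
  file=$1 section=$2 key=$3
  awk -v s="$section" -v k="$key" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*\[.*][ \t]*$/ { gsub(/[][ \t]/, ""); cur = $0; next }
    cur == s {
      n = index($0, "=")
      if (n == 0) next
      name = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", name)
      if (name != k) next
      v = substr($0, n + 1); sub(/#.*/, "", v)
      gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/^"|"$/, "", v)
      print v; exit
    }' "$file"
}

# 0 when KEY in [http] is literally true.
http_flag_enabled() { [ "$(conf_get "$1" http "$2")" = true ]; }

# Summary check of the two settings discussed in the threads. 0 only when both are on.
influx_conf_check() {
  f=$1 rc=0
  http_flag_enabled "$f" flux-enabled \
    || { echo "[http] flux-enabled is not true: Flux queries will get 403" >&2; rc=1; }
  http_flag_enabled "$f" auth-enabled \
    || { echo "[http] auth-enabled is not true: anyone can log in with influx" >&2; rc=1; }
  return $rc
}

# Was influxd started with -config? Without it the file checked above is never read.
influxd_uses_config() {
  ps -eo args= | grep -v grep | grep -q 'influxd .*-config'
}

# Constructed sample config with one of the two flags still off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[meta]
  dir = "/var/lib/influxdb/meta"
[http]
  enabled = true
  bind-address = ":8086"   # listen address
  auth-enabled = false
  flux-enabled = true
EOF
influx_conf_check "$sample" || echo "config needs fixing (see messages above)"
rm -f "$sample"
influxd_uses_config || echo "no running influxd was started with -config; the file is not in use"
```

The parser stops at the first match inside the requested section, so a `flux-enabled` key under another section (as in the sample's `[meta]`) does not satisfy the `[http]` check.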

Jenkins, possible to set Jenkins to job to require password?

Some of our Jenkins jobs are such that they deploy e.g. to a client acceptance test environment. It is very important that this type of job is not triggered by accident. Is it therefore possible to configure Jenkins to somehow require a password when triggering a specific build?
Set up Project based security, then you can restrict build access on a per-job basis.
From the help on the Jenkins configuration page:
[Project based security] is an extension to "Matrix-based security"
that allows additional ACL matrix to be defined for each project
separately (which is done on the job configuration screen.)
This allows you to say things like "Joe can access project A, B, and C
but he can't see D." See the help of "Matrix-based security" for the
concept of matrix-based security in general.
ACLs are additive, so the access rights granted below will be
effective for all the projects.*
ok.
My 5 cents about this question.
Our Jenkins uses Redmine's MySQL db as auth input.
In Jenkins you'll need the following plugins:
Parameterized Build
Build User Vars Plugin
and after activating the Password parameter, you'll be asked for it before the build.
So, I figured out 2 options.
The first is applicable if your slaves have a direct connection to MySQL (or any DB engine).
Then the pre-build check:
# Look up the Redmine salt and password hash of the user who triggered the build
SALT=$(mysql --defaults-extra-file="$HOME/redmcheck.my" -B -se "select salt from redmine.users where login='${BUILD_USER}';")
HASH=$(mysql --defaults-extra-file="$HOME/redmcheck.my" -B -se "select hashed_password from redmine.users where login='${BUILD_USER}';")
# Redmine stores sha1(salt + sha1(password)); rebuild it from the entered password
CHECK=$(sha1 -qs "${SALT}$(sha1 -qs "$Password")")
if [ "$HASH" != "$CHECK" ]
then
  exit 1
fi
It will break the build if the entered password doesn't match.
The second solution is to use the REST API in Redmine.
It allows rechecking the user on remote slaves.
# Ask Redmine to authenticate the build user; only the HTTP status code is kept
CODE=$(curl -X GET -u "${BUILD_USER}:${Password}" --write-out "%{http_code}" -o /dev/null -s https://redmine/users/current.json)
if [ "$CODE" != "200" ]
then
  exit 1
fi
If it gets a 200 code, the build proceeds.
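A hardened form of the first pre-build check, added here as an example (not code from the answer above). Redmine stores `hashed_password = sha1(salt + sha1(password))`, which is what the answer's `sha1 -qs` line recomputes. Three things change: secrets are piped through stdin instead of being passed as `sha1 -s` arguments, which every local user could read via `ps`; the login name is whitelisted before it is interpolated into the SQL string (`BUILD_USER` is user-controlled text); and every expansion is quoted. It assumes `sha1sum` or `shasum` on the agent and reuses the `~/redmcheck.my` option file from the answer; function names are this example's own.

```shell
#!/bin/sh
# Added example; not part of the original answer. Assumes sha1sum (coreutils)
# or shasum (perl) plus the mysql client and the Jenkins variables
# BUILD_USER (Build User Vars plugin) and Password (password parameter).

# Hex SHA-1 of stdin.
sha1_hex() {
  if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum; fi | cut -d' ' -f1
}

# Redmine's derivation: sha1(salt + sha1(password)). The secret only passes
# through shell builtins and a pipe, never through another process's argv.
redmine_hash() {
  inner=$(printf '%s' "$2" | sha1_hex)
  printf '%s%s' "$1" "$inner" | sha1_hex
}

# Only plain identifier characters may reach the SQL query.
valid_login() {
  case $1 in
    ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# 0 when the stored hash matches the candidate password for that salt.
redmine_verify() {
  stored=$1 salt=$2 password=$3
  [ -n "$stored" ] && [ "$(redmine_hash "$salt" "$password")" = "$stored" ]
}

# Pre-build step: returns 1 (failing the build) on any mismatch or bad input.
prebuild_password_check() {
  valid_login "$BUILD_USER" || { echo "rejecting login name" >&2; return 1; }
  row=$(mysql --defaults-extra-file="$HOME/redmcheck.my" -B -N -se \
        "select salt, hashed_password from redmine.users where login='${BUILD_USER}';") \
    || return 1
  salt=$(printf '%s' "$row" | cut -f1)     # mysql -B separates columns with tabs
  stored=$(printf '%s' "$row" | cut -f2)
  redmine_verify "$stored" "$salt" "$Password"
}

# In the job's shell step: prebuild_password_check || exit 1
```

The REST variant from the answer avoids the database access entirely; if you keep it, quote the `-u` argument the same way, because a login name with a space would otherwise split the curl command.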
