Jenkins: How to Change LDAP Password - jenkins

My institution requires me to periodically change my LDAP password.
In the past, I was able to perform the following steps to change my password:-
Create a Base64 encoded password at http://www.base64encode.org/
Edit /var/lib/jenkins/config.xml and change <managerPassword/>.
However, the recent version of Jenkins no longer use <managerPassword/>. Instead, I'm seeing <managerPasswordSecret/>.
I'm not sure how to generate the new secret password, so I did the following:-
Backup /var/lib/jenkins/config.xml first.
Edit /var/lib/jenkins/config.xml and change <useSecurity/> to false.
Restart Jenkins service.
Go to Jenkins.
Enable LDAP Security.
Enter new LDAP password.
Save it.
Open up /var/lib/jenkins/config.xml and copy <managerPasswordSecret/>.
Restore backup config file.
Replace <managerPasswordSecret/> with the new value.
This is incredibly convoluted.
Is there a more straightforward way for me to maintain my LDAP password change in the future?
Thanks much!

None of the above solutions worked for me with a newer version of Jenkins (2.78). What did work was putting the managerPasswordSecret in without any encryption. Once I ran Jenkins, the password got encrypted for me.

You can still use <managerPassword>.
Generate the new encoded password with
perl -e 'use MIME::Base64; print encode_base64("yourNewPassword");'
In your config.xml, find <hudson>/<securityRealm>/<managerPasswordSecret>. Change <managerPasswordSecret> to <managerPassword> (both before and after) and put the encoding from #1 between them. Save the file.
Restart jenkins
Login and using the UI, reset the LDAP Manager password to the same yourNewPassword. config.xml should now be back to <managerPasswordSecret>.
If you are paranoid (like me), restart jenkins again to use the newly modified config.xml.

I was trying to do same thing and this is simple solution (use from Jenkins console):
import com.trilead.ssh2.crypto.Base64;
import javax.crypto.Cipher;
import jenkins.security.CryptoConfidentialKey;
import hudson.util.Secret;
CryptoConfidentialKey KEY = new CryptoConfidentialKey(Secret.class.getName());
Cipher cipher = KEY.encrypt();
String MAGIC = "::::MAGIC::::";
String VALUE_TO_ENCRYPT = "";
println(new String(Base64.encode(cipher.doFinal((VALUE_TO_ENCRYPT + MAGIC).getBytes("UTF-8")))));
Decoding is simpler:
println(hudson.util.Secret.decrypt(HashFromConfigXmlHere));

Edit your config.xml file by hand.
If your Jenkins uses a <managerPasswordSecret> set of tags, put the new plain text password in there and Jenkins will read it. Once Jenkins starts up, go to the Configure System > Configure Global Security page and click Save. That will update that field with the encrypted version.

The current easiest and fastest solution (just worked for me) is from Cloudbees: simply enter the new password into the password field in the config.xml as plain text (not encrypted) then Jenkins will read that correctly. Once you start Jenkins and just re-save the Manage Jenkins -> Configure Global Security page
https://support.cloudbees.com/hc/en-us/articles/221230028-Changing-LDAP-Password

I tried solution provided by #alkuzad and its working fine. Just to clarify that you can't use Jenkins web Console when LDAP user password is expired. So what I did is as follow (I have groovy script plugin in Jenkins. I also provided run script access to anonymous user - not a good idea but it's the way I initially found to resolve this recurring issue).
Downloaded jenkins-cli.jar
put above code in GroovyPasswordClass.txt (not to forget using new password in place of VALUE_TO_ENCRYPT in code)
start jenkins server (its requirement to have jenkins running)
run below command from command prompt
java -jar jenkins-cli.jar -s groovy GroovyPasswordClass.txt
This will print encrypted password.
Better Option
Well, later I found better way to do authentication if directory service provider is MS Active Directory. In that case instead of LDAP plugin, I used Active Directory plugin for authentication. This I found better because
1) Response is faster when use Active directory plugin instead of generic LDAP protocol based plugin
2) Active Directory plugin uses user data with which Jenkins service was started and no need to configure any user account in Jenkins. So you will never have situation that your Jenkins login not working because user configured for ldap has expired password.
Hope this will help others trying to resolve this issue.

Related

Jenkins asking to enter initialadminstration password when upgrading version

I am trying to upgrade Jenkins version and deployed jenkins.war to webapps folder.After restarting the tomcat server jenkins taking to initial set up to register admin user.But i have already users created and assigned with roles.How to skip the initial set up and to to login page instead.
Looks like loading variables from JNDI was removed in 2.332.
https://community.jenkins.io/t/jenkins-home-variable-not-read-in-2-332-1-running-in-apache-tomcat-9/1826/4
To get it working, add the below in tomcat/bin/setenv.sh. Replace the path according to your directory structure
export JENKINS_HOME=/apps/jenkins

How to configure Jenkins email notification on start up?

I am currently working on dockerizing Jenkins FROM jenkins/jenkins:lts image. I am not so familiar with Groovy nor Jenkins, but I managed to run few scripts by adding this line to my Dockerfile
COPY /jenkins/script.groovy /usr/share/jenkins/ref/init.groovy.d/
The problem is that I couldn't find a way to automatically setup the email notification settings such as SMTP server, check the checkbox of Use SMTP Authentication. Is there a way to configure those using a Groovy script? If it's not possible then is there any other way to do so?
I'd recommend using Jenkins Configuration as Code -JCasC for as much of the Global Settings and plugin settings that are supported. A very %ge can be be done that way, including anyone. Easiest approach is manually configure an Instance (local is fine), export settings via JCasC, backup actual configure, wipe configure, load JCasC and compare to backup.
eg: mailer plugin
It does not handle the installation of the plugins,so you must do that first, maybe via plugin manager installation tool or Docker file
Update (Jenkins configuration as code)
I managed to set up the email config using JCasC plugin thanks to Ian W on the recent answer, it wasn't the answer for my question but helped me follow through.
So to set up a config in this example you will need to set up just mailing config or even more, so all you need to do is create a new file with a YAML configuration like this:
unclassified:
mailer:
authentication:
password: "AES-128-Encrypted password"
username: "example#gmail.com"
charset: "UTF-8"
smtpHost: "smtp.gmail.com"
smtpPort: "465"
useSsl: true
useTls: false
type the email and other configs like SMTP settings in plain text but for the password, you will need an encrypted password (AES-128), to do so you can simply go to:
http://<jenkins-ip>:<jenkins-port>/script
You will have a text box to type the following groovy script to encrypt that password (update your password to match your email's pass)
import hudson.util.Secret
def secret = Secret.fromString("Your Password")
println(secret.getEncryptedValue())
Once you run the script you will get a new encrypted password, simply copy then paste it in the Config file password field.
Now we are going to simply use that file to apply the new mail configuration by visiting (again make sure that you have configuration-as-code plugin installed):
http://<jenkins-ip>:<jenkins-port>/configuration-as-code/
Then copy the configuration file path inside the config path field (you can also use a URL of a config)
/path/to/conf.yaml
and finally, apply a new configuration!
You can use the JCasC for your desire find more here also see the GitHub repo

Camunda: How to login with spring security?

Sorry for this naive question.
I generated a project using start.camunda.com, with spring security.
I do see spring security pwd in console. When I try to use admin/, I get a message password is invalid. Should I use some other userid/pwd?
The starter
The app config:
The cmd line spring security pwd
Login fail
a) On the form-based login page provided by Spring Boot you can use the generated credentials as you tried above and as described here:
https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#servlet-hello-boot-dependencies
In you example above this would be:
user: user
password: the generated password you highlighted on the console
b) This gets you past the spring security login, but the project would still be missing the SSO config for Camunda. To make this work quickly you can copy the packages
config
filter
from
https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso/src/main/java/com/camunda/demo
c) if you copy those folders into the generated starter project then the package name will differ, so you need to adjust
com.example.workflow.config.WebAppSecurityConfig line 33
to reflect the changed package name:
filterRegistration.setInitParameters(Collections.singletonMap("authentication-provider", "com.example.workflow.filter.webapp.SpringSecurityAuthenticationProvider"));
d) as a result of the new security configuration the credentials from a) will not exist anymore. Instead you can now use the credentials defined in
com.example.workflow.config.SecurityConfig
For instance access http://localhost:8080/ using the credentials john/john or demo/demo
Also see: https://camunda.com/best-practices/securing-camunda/

Cannot login using LDAP in Jenkins

To tighten up security on our Jenkins CI server (running 1.614 on Ubuntu 14.04), I configured the LDAP plugin yesterday. Everything seemed fine yesterday, and I was able to log in and manually configure and run some builds.
This morning, however, no one - including myself - is able to log in.
We are told to look into the server console output - however, there is nothing recorded in /var/log/jenkins/jenkins.log. I found How do I view the Jenkins server console output on the local filesystem? - but there are no such log files in /usr/lib/jenkins/ (which my jenkins home directory).
I've tried the simple troubleshooting groovy script at https://wiki.jenkins-ci.org/display/JENKINS/LDAP+Plugin, but each query returns:
Checking the name 'wibble'...
It is NOT a group, reason: No such property: Jenkins for class: RemoteClass
It is NOT a user, reason: No such property: Jenkins for class: RemoteClass
My security config:
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
<securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap#1.11">
<server>server.ip.address</server>
<rootDN>dc=domain,dc=location,dc=au</rootDN>
<inhibitInferRootDN>false</inhibitInferRootDN>
<userSearchBase>dc=domain,dc=location,dc=au</userSearchBase>
<userSearch>sAMAccountName={0}</userSearch>
<groupSearchBase>ou=groups</groupSearchBase>
<groupSearchFilter>(& (cn={0}) (objectclass=group) )</groupSearchFilter>
<groupMembershipStrategy class="jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy">
<filter>(&(objectCategory=group)(member={0}))</filter>
</groupMembershipStrategy>
<managerDN>cn=administrator,cn=users,dc=domain,dc=location,dc=au</managerDN>
<managerPasswordSecret>wurble-bop-de-boo</managerPasswordSecret>
<disableMailAddressResolver>false</disableMailAddressResolver>
<displayNameAttributeName>displayname</displayNameAttributeName>
<mailAddressAttributeName>mail</mailAddressAttributeName>
<userIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
<groupIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
</securityRealm>
There were no configuration changes made overnight, and we use these same credential/settings for other LDAP integration from about 3 or 4 different applications, and they're all working fine.
I've had a similar issue after simply adding or modifying a user on the Configure Global Security page. I think it's just as #davidrv87 said: Chrome auto-fills some hidden "username" and "password" fields and breaks your LDAP settings.
Result
In the main Jenkins config.xml file, the bad settings appear as new child nodes under <securityRealm>:
<securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap#1.11">
+ <managerDN>myusername</managerDN>
+ <managerPasswordSecret>uT5S1rfROmNBuEsw8z=</managerPasswordSecret>
How to fix
Edit ~jenkins/config.xml
Remove the managerDN and managerPasswordSecret nodes (lines).
Restart the Jenkins service.
Now LDAP logins should work again!

Jenkins Cannot import the following key file

I am able to build my application on Visual Studio without any problem. I am trying Jenkins out on the same machine. When I try to build my application from my git remote repository (It contains the .pfx file in the SVC) I get the error
error MSB3325: Cannot import the following key file: Key.pfx. The key
file may be password protected. To correct this, try to import the
certificate again or manually install the certificate to the Strong
Name CSP with the following key container name: VS_KEY...
error MSB3321: Importing key file "Key.pfx" was canceled.
I had already run the command shown on the answer of this question Cannot import the keyfile 'blah.pfx' - error 'The keyfile may be password protected' and that is the reason my application runs in Visual Studio (I've done it through the command prompt as administrator fyi), which means when I try running it again the object already exists and if I uninstall and reinstall the same problem happens again.
Anyone has any ideas of how I can solve this problem?
Its the IIDentity (the windows account/identity) that is running Jenkins, most likely.
As a quick test, edit the Jenkins service and put in your credentials.
..
If that works, either keep it that way, or do your manual import voodoo using the identity that you want Jenkins to run under.

Resources