Preparation.
As mentioned in the post on integrating Jenkins with LDAP, Jenkins by default does not mix authentication types: it is either LDAP or native. In other words, a misconfiguration, a lost admin password or user, etc., means losing access to Jenkins.
There is a plugin that enables mixing authentication realms, Mixing Security Realm, but it has not been updated for some time. Even so, it is a better option than an intervention that may cause downtime.
In these cases there is a kind of rollback, which can be applied temporarily while you fix the problem, or kept permanently.
To do this, you need at least shell access to the host/VM/container/pod where Jenkins is installed.
Change the authentication type.
On a service (VM) install, look in the Jenkins systemd unit file for the JENKINS_HOME path:
cat /lib/systemd/system/jenkins.service | grep JENKINS_HOME
# $JENKINS_HOME, $JENKINS_LOG, and (if you have already run Jenkins)
Environment="JENKINS_HOME=/var/lib/jenkins"
In this folder there will be a config.xml file, and that is where we will have to intervene. But first, make a backup:
cp /var/lib/jenkins/config.xml /var/lib/jenkins/config.xml.bkp
Then edit the file:
vi /var/lib/jenkins/config.xml
Alternatively (for example inside a Jenkins container), look for the running Jenkins process:
ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
jenkins 1 0.0 0.0 2204 752 ? Ss 21:33 0:00 /usr/bin/tini -- /usr/local/bin/jenkins.sh
jenkins 7 15.2 28.0 5824440 2276884 ? Sl 21:33 0:36 java -Duser.home=/var/jenkins_home -Djenkins.model.Jenkins.slaveAgentPort=50000 -Dhudson.lifecycle=hudson.lifecycle.ExitLifecycle -jar /usr/share/jenkins/jenkins.war
root 110 0.4 0.0 4472 3416 pts/0 Ss 21:36 0:00 /bin/bash
root 116 100 0.0 8432 3828 pts/0 R+ 21:37 0:00 ps -aux
This way the Jenkins home path can be read straight from the command line: user.home=/var/jenkins_home
Here too there will be a config.xml file in that folder, and that is where we will have to intervene. But first, make a backup:
cp /var/jenkins_home/config.xml /var/jenkins_home/config.xml.bkp
Then edit the file:
vi /var/jenkins_home/config.xml
Look for the securityRealm XML block. It will probably look something like this:
<securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap@719.vcb_d039b_77d0d">
  <disableMailAddressResolver>false</disableMailAddressResolver>
  <configurations>
    <jenkins.security.plugins.ldap.LDAPConfiguration>
      <server>ldap://ldap.devops-db.info:389</server>
      <rootDN>dc=devops-db,dc=info</rootDN>
      <inhibitInferRootDN>false</inhibitInferRootDN>
      <userSearchBase></userSearchBase>
      <userSearch>(&(uid={0})(memberOf=cn=JenkinsGroup,ou=SecurityGroups,dc=devops-db,dc=info))</userSearch>
      <groupMembershipStrategy class="jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy">
        <filter></filter>
      </groupMembershipStrategy>
      <managerDN>cn=admin,dc=devops-db,dc=info</managerDN>
      <managerPasswordSecret>{AQAAABAAAAAgZ4fjZO7b0yCZ4Cw+NL69DIQKweKbC6X4/pmawKV5YPcobwQLBhsfvWVjtWN+oAEE}</managerPasswordSecret>
      <displayNameAttributeName>cn</displayNameAttributeName>
      <mailAddressAttributeName>mail</mailAddressAttributeName>
      <ignoreIfUnavailable>false</ignoreIfUnavailable>
    </jenkins.security.plugins.ldap.LDAPConfiguration>
  </configurations>
  <userIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
  <groupIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
  <disableRolePrefixing>true</disableRolePrefixing>
</securityRealm>
Then switch to Jenkins' built-in authentication mode, the same one in which you created the first user and password during installation, by replacing the block above with the one below:
<securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
  <disableSignup>true</disableSignup>
  <enableCaptcha>false</enableCaptcha>
</securityRealm>
Save the file and restart Jenkins. As soon as the site comes back, authentication is back to the default; if you still have the administrator username and password created during installation, you will be able to log in and make the necessary corrections.
In the worst case, if you no longer have any working credentials at all, temporarily switch off the security option in the same config file (/var/jenkins_home/config.xml).
Change from:
<useSecurity>true</useSecurity>
to:
<useSecurity>false</useSecurity>
For Docker, restart the container; for a VM, restart the Jenkins service. Keep in mind that with useSecurity set to false Jenkins treats every visitor as an administrator, so set it back to true as soon as you have recreated a working admin user.
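The whole procedure above (locate JENKINS_HOME, back up config.xml, replace the securityRealm block with the built-in realm, and as a last resort flip useSecurity), as a runnable POSIX shell script. This is an added example written for this post; it is not the post's own commands and nothing here is shipped by Jenkins. The function names are my own, and the config.xml it operates on is a constructed sample written to a temporary directory, not a real Jenkins file.

```shell
#!/bin/sh
# Added example (not from the original post): recover access to Jenkins by
# editing config.xml the way the post describes. Run it as the user that owns
# JENKINS_HOME (normally "jenkins") so the edited file stays readable by Jenkins.

# Extract JENKINS_HOME from either place the post looks: the systemd unit's
# Environment="JENKINS_HOME=..." line, or the java command line's -Duser.home=...
jenkins_home_from_line() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*JENKINS_HOME=\([^" ]*\).*/\1/p' \
        -e 's/.*-Duser\.home=\([^ ]*\).*/\1/p' | head -n 1
}

# Copy config.xml to config.xml.bkp.<timestamp> so the LDAP block can be
# restored later; prints the backup path.
backup_config() {
    cfg="$1"
    bkp="${cfg}.bkp.$(date +%Y%m%d%H%M%S)"
    cp -p "$cfg" "$bkp" && printf '%s\n' "$bkp"
}

# Replace whatever <securityRealm ...> ... </securityRealm> block is present
# with the local-user realm (sign-up disabled, as in the post). Handles both the
# multi-line block and a self-closing <securityRealm .../> tag. The result is
# written back through the original file so its mode and owner are preserved.
switch_to_private_realm() {
    cfg="$1"
    tmp="${cfg}.tmp.$$"
    awk '
        /<securityRealm[ >]/ && !skip {
            print "  <securityRealm class=\"hudson.security.HudsonPrivateSecurityRealm\">"
            print "    <disableSignup>true</disableSignup>"
            print "    <enableCaptcha>false</enableCaptcha>"
            print "  </securityRealm>"
            if ($0 ~ /\/>/ || $0 ~ /<\/securityRealm>/) next   # single-line form
            skip = 1; next
        }
        skip && /<\/securityRealm>/ { skip = 0; next }
        skip { next }
        { print }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Last resort from the post: turn security off entirely until access is restored.
disable_security() {
    cfg="$1"
    tmp="${cfg}.tmp.$$"
    sed 's|<useSecurity>true</useSecurity>|<useSecurity>false</useSecurity>|' "$cfg" > "$tmp" \
        && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Report the class attribute of the current securityRealm, to verify the edit.
current_realm() {
    sed -n 's/.*<securityRealm class="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# --- demo on a constructed config.xml (not a real Jenkins file) ---
DEMO_DIR="$(mktemp -d)"
DEMO_CFG="$DEMO_DIR/config.xml"
cat > "$DEMO_CFG" <<'EOF'
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap@719.vcb_d039b_77d0d">
    <configurations>
      <jenkins.security.plugins.ldap.LDAPConfiguration>
        <server>ldap://ldap.example.invalid:389</server>
        <managerDN>cn=admin,dc=example,dc=invalid</managerDN>
      </jenkins.security.plugins.ldap.LDAPConfiguration>
    </configurations>
  </securityRealm>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
</hudson>
EOF

echo "home from unit file: $(jenkins_home_from_line 'Environment="JENKINS_HOME=/var/lib/jenkins"')"
echo "backup written to: $(backup_config "$DEMO_CFG")"
switch_to_private_realm "$DEMO_CFG"
echo "realm is now: $(current_realm "$DEMO_CFG")"
```

To use it for real, point the functions at the path returned by jenkins_home_from_line instead of the demo file, then restart the container or service as the post says. The awk pass only touches the securityRealm element, so the authorizationStrategy and everything else in config.xml survive unchanged, and the timestamped backup keeps the LDAP configuration (manager DN and encrypted password included) for when you put it back.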