Jenkins upgrade to 2.289.3 failed & can't login with LDAP

I upgraded our Jenkins from 2.222.1 to 2.289.3. I used OpenJDK 1.8 and didn’t change the Java version. After deploying the WAR file to Tomcat, Jenkins started, but I cannot log into Jenkins with AD credentials.

Oct 14, 2021 2:00:22 AM jenkins.InitReactorRunner$1 onAttained
INFO: Started initialization
Oct 14, 2021 2:00:22 AM hudson.PluginManager loadDetachedPlugins
INFO: Upgrading Jenkins. The last running version was 2.222.1. This Jenkins is version 2.289.3.
Oct 14, 2021 2:00:22 AM hudson.PluginManager loadDetachedPlugins
INFO: Upgraded Jenkins from version 2.222.1 to version 2.289.3. Loaded detached plugins (and dependencies): [sshd.hpi]
Oct 14, 2021 2:00:22 AM hudson.ClassicPluginStrategy createPluginWrapper
INFO: Plugin greenballs.jpi is disabled
Oct 14, 2021 2:00:22 AM hudson.ClassicPluginStrategy createPluginWrapper
INFO: Plugin blueocean-executor-info.jpi is disabled
Oct 14, 2021 2:00:22 AM hudson.ClassicPluginStrategy createPluginWrapper
INFO: Plugin blueocean-i18n.jpi is disabled
Oct 14, 2021 2:00:23 AM hudson.ClassicPluginStrategy createPluginWrapper
INFO: Plugin blueocean-bitbucket-pipeline.jpi is disabled
Oct 14, 2021 2:00:23 AM hudson.ClassicPluginStrategy createPluginWrapper
INFO: Plugin blueocean-jira.jpi is disabled
Oct 14, 2021 2:00:23 AM hudson.ClassicPluginStrategy createPluginWrapper
INFO: Plugin blueocean-github-pipeline.jpi is disabled
Oct 14, 2021 2:00:23 AM hudson.ClassicPluginStrategy createPluginWrapper
INFO: Plugin blueocean-display-url.jpi is disabled
Oct 14, 2021 2:00:23 AM hudson.ClassicPluginStrategy createPluginWrapper
INFO: Plugin blueocean-config.jpi is disabled
Oct 14, 2021 2:00:24 AM jenkins.InitReactorRunner$1 onTaskFailed
SEVERE: Failed Inspecting plugin /mnt/jenkins/home/plugins/uploaded1376109032086017854.jpi
java.io.IOException: Failed to expand /mnt/jenkins/home/plugins/uploaded1376109032086017854.jpi
	at hudson.ClassicPluginStrategy.explode(ClassicPluginStrategy.java:488)
	at hudson.ClassicPluginStrategy.createPluginWrapper(ClassicPluginStrategy.java:174)
	at hudson.PluginManager$1$3$1.run(PluginManager.java:437)
	at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169)
	at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:296)
	at jenkins.model.Jenkins$5.runTask(Jenkins.java:1129)
	at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:214)
	at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Caused by: Error while expanding /mnt/jenkins/home/plugins/uploaded1376109032086017854.jpi
java.util.zip.ZipException: archive is not a ZIP archive
	at org.apache.tools.ant.taskdefs.Expand.expandFile(Expand.java:214)
	at org.apache.tools.ant.taskdefs.Expand.execute(Expand.java:157)
	at hudson.ClassicPluginStrategy.unzipExceptClasses(ClassicPluginStrategy.java:561)
	at hudson.ClassicPluginStrategy.explode(ClassicPluginStrategy.java:485)
	... 11 more
Caused by: java.util.zip.ZipException: archive is not a ZIP archive
	at org.apache.tools.zip.ZipFile.positionAtEndOfCentralDirectoryRecord(ZipFile.java:780)
	at org.apache.tools.zip.ZipFile.positionAtCentralDirectory(ZipFile.java:716)
	at org.apache.tools.zip.ZipFile.populateFromCentralDirectory(ZipFile.java:461)
	at org.apache.tools.zip.ZipFile.<init>(ZipFile.java:217)
	at org.apache.tools.ant.taskdefs.Expand.expandFile(Expand.java:190)
	... 14 more

Oct 14, 2021 2:00:33 AM hudson.ExtensionFinder$GuiceFinder$SezpozModule configure
WARNING: Failed to load hudson.security.LDAPSecurityRealm$DescriptorImpl
java.lang.NoClassDefFoundError: org/acegisecurity/ldap/LdapDataAccessException
	at java.lang.Class.getDeclaredConstructors0(Native Method)
	at java.lang.Class.privateGetDeclaredConstructors(Class.java:2671)
	at java.lang.Class.getDeclaredConstructors(Class.java:2020)
	at hudson.ExtensionFinder$GuiceFinder$SezpozModule.resolve(ExtensionFinder.java:493)
	at hudson.ExtensionFinder$GuiceFinder$SezpozModule.resolve(ExtensionFinder.java:480)
	at hudson.ExtensionFinder$GuiceFinder$SezpozModule.configure(ExtensionFinder.java:523)
	at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
	at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
	at com.google.inject.spi.Elements.getElements(Elements.java:110)
	at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
	at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
	at com.google.inject.Guice.createInjector(Guice.java:96)
	at com.google.inject.Guice.createInjector(Guice.java:73)
	at hudson.ExtensionFinder$GuiceFinder.<init>(ExtensionFinder.java:283)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at java.lang.Class.newInstance(Class.java:442)
	at net.java.sezpoz.IndexItem.instance(IndexItem.java:181)
	at hudson.ExtensionFinder$Sezpoz._find(ExtensionFinder.java:701)
	at hudson.ExtensionFinder$Sezpoz.find(ExtensionFinder.java:687)
	at hudson.ClassicPluginStrategy.findComponents(ClassicPluginStrategy.java:348)
	at hudson.ExtensionList.load(ExtensionList.java:380)
	at hudson.ExtensionList.ensureLoaded(ExtensionList.java:316)
	at hudson.ExtensionList.getComponents(ExtensionList.java:182)
	at jenkins.model.Jenkins$6.onInitMilestoneAttained(Jenkins.java:1159)
	at jenkins.InitReactorRunner$1.onAttained(InitReactorRunner.java:88)
	at org.jvnet.hudson.reactor.ReactorListener$Aggregator.lambda$onAttained$3(ReactorListener.java:102)
	at org.jvnet.hudson.reactor.ReactorListener$Aggregator.run(ReactorListener.java:109)
	at org.jvnet.hudson.reactor.ReactorListener$Aggregator.onAttained(ReactorListener.java:102)
	at org.jvnet.hudson.reactor.Reactor$1.run(Reactor.java:177)
	at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.ClassNotFoundException: org.acegisecurity.ldap.LdapDataAccessException
	at jenkins.util.AntClassLoader.findClassInComponents(AntClassLoader.java:1392)
	at jenkins.util.AntClassLoader.findClass(AntClassLoader.java:1347)
	at jenkins.util.AntClassLoader.loadClass(AntClassLoader.java:1093)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
	... 37 more

Oct 14, 2021 2:00:37 AM jenkins.InitReactorRunner$1 onAttained
INFO: Prepared all plugins
Oct 14, 2021 2:00:38 AM hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1 error
WARNING: Failed to instantiate Key[type=jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy$DescriptorImpl, annotation=[none]]; skipping this component
com.google.inject.ProvisionException: Unable to provision, see the following errors:

1) Error injecting constructor, java.lang.NoClassDefFoundError: org/acegisecurity/ldap/LdapEntryMapper
  at jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy$DescriptorImpl.<init>(FromGroupSearchLDAPGroupMembershipStrategy.java:92)

1 error
	at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:52)
	at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)

I think you had to upgrade your plugins to latest before going past 2.265 or so.

You can either downgrade and do that, or start by manually updating the ldap plugin by dropping the latest version in the plugins directory.

Once the upgrade is completed, I cannot log into Jenkins (we use our AD credentials) to upgrade addons. You mean upgrade the addon prior to the Jenkins upgrade?

That class was removed from Jenkins core.
If you can upgrade plugins before updating core you should be fine.
Failing that as timja said, download the new LDAP plugin manually and deploy it by hand (copy to dir).
Or upgrade core. Disable security. Upgrade LDAP plugin. Re-enable security.

I can add some more specifics here.

The LDAP plugin was affected by the switch to Spring Security from Acegi which took place in 2.266 (in LTS terms, between 2.263 and 2.277). Older versions of the plugin would not work in this scenario, which would result in you being locked out. Release 1.26 included forward-compatible support for Spring Security so that you would not be locked out after an upgrade (and I can personally confirm that I was able to log into an upgraded instance after the upgrade when using this version) and you could then upgrade the plugins afterwards.

At this point, you will either need to roll back to 2.222.1 and take a more winding upgrade path (described below), or download the latest ldap.hpi from plugins.jenkins.io (2.7 as of this post).

If you want to upgrade without replacing ldap.hpi by hand, this will be a bit more complicated as 1.26 requires Jenkins 2.235.3 or later. Here’s what I’d suggest:

  1. Start at 2.222.1
  2. Upgrade to 2.263.4
  3. Upgrade all plugins (make sure that LDAP 1.26 is downloaded as part of this) and restart to apply the changes
  4. Upgrade to 2.289.3 (or to 2.303.x, as that’s the latest LTS now)
  5. Upgrade all plugins again and restart to apply the changes
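A pre-upgrade check built on the version thresholds given in the post above, as an added example that is not part of the thread or of Jenkins' own tooling. It reads `Plugin-Version` from the plugin archive's manifest and also reports an archive that is not a ZIP, the condition behind the `ZipException` in the startup log; the function names, status strings and the installed LDAP version 1.20 are assumptions made for illustration.

```python
import io
import re
import zipfile

# Thresholds as stated in the post above.
SPRING_SECURITY_CORE = (2, 266)    # core release that dropped Acegi
LDAP_FORWARD_COMPAT = (1, 26)      # first LDAP plugin release that survives it
LDAP_126_MIN_CORE = (2, 235, 3)    # oldest core that can run LDAP 1.26

def parse_version(text):
    """'2.289.3' -> (2, 289, 3); anything after the numeric prefix is ignored."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in match.group().split(".")) if match else ()

def plugin_version(data):
    """Plugin-Version from .hpi/.jpi bytes, or None if unreadable."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None  # same condition as the ZipException in the startup log
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        try:
            manifest = archive.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:
            return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Plugin-Version":
            return value.strip()
    return None

def check_upgrade(current_core, target_core, ldap_bytes):
    """Say what must happen before moving core from current to target."""
    version = plugin_version(ldap_bytes)
    if version is None:
        return "unreadable-plugin"
    if parse_version(target_core) < SPRING_SECURITY_CORE:
        return "ok"
    if parse_version(version) >= LDAP_FORWARD_COMPAT:
        return "ok"
    if parse_version(current_core) >= LDAP_126_MIN_CORE:
        return "update-ldap-first"
    return "intermediate-core-first"

def make_plugin(version):
    """Constructed sample: minimal in-memory ldap plugin archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("META-INF/MANIFEST.MF",
                         f"Short-Name: ldap\nPlugin-Version: {version}\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(check_upgrade("2.222.1", "2.289.3", make_plugin("1.20")))
```

Against a real installation, pass the bytes of the ldap plugin file from the plugins directory instead of `make_plugin(...)`.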

You can also use jenkinsci/plugin-installation-manager-tool (the Plugin Manager CLI tool for Jenkins) and just say “install ldap”.