I’m running Jenkins 2.474 with LDAP Plugin version 725.v3cb_b_711b_1a_ef - I’m using the Jenkins RPM repo with AlmaLinux 8 for updates. I decided to do a “dnf update jenkins” and the Jenkins install basically broke, which is not a good look for a repo-based update (are we expected to read the release notes of every package prior to updating them from a repo?!).
It turns out that the LDAP plugin needs to be upgraded “in lockstep” with an update of the Jenkins core - see the entry for 2.475 in the Jenkins changelog. Unfortunately, this means you can’t upgrade the LDAP plugin to 733.vd3700c27b_043 first (because it needs 2.475 as a minimum) and you can’t upgrade the plugin after upgrading Jenkins core to 2.475+ from the Web interface because, yep, your LDAP login breaks and displays an “Oops!” message with a picture of a Jenkins devil! So it’s time to dive into a very deep rabbit hole…
After some Googling, I found the JSON file Jenkins uses for updates, and that file has the LDAP plugin download URL for the ldap.hpi file. I tried putting that ldap.hpi in /var/lib/jenkins/plugins as ldap.hpi or (overwriting) ldap.jpi (I’d upgraded to Jenkins 2.477 already) and restarting Jenkins, but that didn’t help. I then extracted the jenkins-cli.jar from the Jenkins install and then tried to install the ldap.hpi via the “managing plugins” instructions on the Jenkins site but that failed with:
ERROR: anonymous is missing the Overall/Read permission
I don’t think I can give a username and password like an early answer suggests (LDAP is broken at this point remember) and the final answer suggesting a config.xml doesn’t work (Jenkins 2.477 wouldn’t start with that extra XML added).
So I’ve hit a dead-end - I can’t believe I’m the only person to be using Jenkins with the LDAP plugin (any org with more than one Linux developer is probably using LDAP), so has anyone out there managed to upgrade their Jenkins + LDAP plugin installation? This is so tricky that I think Jenkins needs a link in their ChangeLog to a special doc that explains how to do this upgrade! BTW, apologies for virtually no URLs - as a new forum user, I’m bizarrely limited to just 2 links (I had 6 links or so originally, but apparently that’s “spam”)!
Thanks for the help - I thought I’d done this (put ldap.hpi in as ldap.jpi and restarted Jenkins), but maybe I did something wrong. Your steps did indeed work! It does raise the question whether the RPM in the Jenkins repo should have some scriptlet hook that does the following (makes the RPM have a dependency on wget though):
After Jenkins has been stopped and upgraded successfully, but before it’s started up again (if it was running prior to the upgrade):
    If $JENKINS_HOME/plugins/ldap.jpi exists then
        mv -f $JENKINS_HOME/plugins/ldap.jpi $JENKINS_HOME/plugins/ldap.bak
        wget -O $JENKINS_HOME/plugins/ldap.jpi https://updates.jenkins.io/latest/ldap.hpi
        if wget downloaded OK then
            Set ownership/group/perms of $JENKINS_HOME/plugins/ldap.jpi
            Start new Jenkins version if it was running prior to the upgrade
            Exit with success
        else
            rm -f $JENKINS_HOME/plugins/ldap.jpi
            mv -f $JENKINS_HOME/plugins/ldap.bak $JENKINS_HOME/plugins/ldap.jpi
            Downgrade Jenkins back to original version
            Start old Jenkins version if it was running prior to the upgrade attempt
            Exit with failure
        fi
    fi
It could be improved by checking if the ldap.hpi version already installed is the latest version compared to the one on updates.jenkins.io and not downloading it if it is, but that adds quite a bit more complexity to the scriptlet.
I just feel that 2.475+ upgrades of the RPM completely breaking the login for everyone using the LDAP plugin leaves a bad impression and although the Changelog does mention needing to upgrade the LDAP plugin in lockstep, the instructions Mark has put here really need to be present somewhere in the documentation (ideally in the ChangeLog entry that notes the plugin upgrade requirement) because the normal routes of upgrading the plugin via the Web interface or via the Jenkins CLI tool are not available in this case.
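The swap-and-rollback step from the post above, as an added shell example (not code from the thread or from the Jenkins packaging). It goes beyond the pseudocode by checking a SHA-256 digest before the installed ldap.jpi is touched; the function names, the staged-file argument and the expected hex digest (obtained separately from a source you trust) are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: the new plugin has already been downloaded to a
# staging file outside the plugins directory, and the expected SHA-256 (hex)
# is known. install_plugin and sha256_of are hypothetical helper names.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# install_plugin PLUGINS_DIR STAGED_FILE EXPECTED_SHA256_HEX
# Returns 0 if ldap.jpi was replaced; 1 if it was left alone or rolled back.
install_plugin() {
    dir=$1 staged=$2 want=$3
    target="$dir/ldap.jpi"
    backup="$dir/ldap.bak"
    tmp="$target.new.$$"

    [ -f "$target" ] || { echo "ldap.jpi not installed, nothing to do" >&2; return 1; }
    [ -s "$staged" ] || { echo "staged file missing or empty" >&2; return 1; }

    # Verify before touching anything, so a truncated or tampered download
    # can never replace the working plugin.
    got=$(sha256_of "$staged")
    if [ "$got" != "$want" ]; then
        echo "checksum mismatch: got $got" >&2
        return 1
    fi

    cp -p "$target" "$backup" || return 1

    # cp -p clones the old file's owner/group/mode onto the temp file, the
    # redirect swaps in the new content, and mv within one directory is an
    # atomic rename: Jenkins never sees a half-written ldap.jpi.
    if cp -p "$target" "$tmp" &&
       cat "$staged" > "$tmp" &&
       mv -f "$tmp" "$target" &&
       [ "$(sha256_of "$target")" = "$want" ]; then
        return 0
    fi

    # Roll back to the previous plugin on any failure
    rm -f "$tmp"
    cp -p "$backup" "$target"
    return 1
}
```

Run it while Jenkins is stopped, as a user allowed to write to the plugins directory, and start Jenkins only if it returns 0.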
I like the idea of having the installer help the user through the lockstep upgrade of the LDAP plugin, though I’m not sure we have enough time to implement that type of change across the 4 Jenkins installers for this very specific case.
The Jenkins LTS upgrade guide for 2.477.1 will include more detailed instructions on the lockstep upgrade. Jenkins weekly releases don’t have an upgrade guide, in part because they generally don’t need an upgrade guide, and in part because we don’t have anyone that is willing to write and maintain an upgrade guide for weekly releases.