Unable to add a certain user - it is treated as a group by Jenkins

We are using JENKINS since quite some time and have added lots of users over time. Now we are facing a weird problem where the newly added user is showing the group icon left to the name - instance of the single user.
Any idea what this might cause? Did one of you have ever faces such an issue before?
Many thanks in advance, M

It would help if you provide more details about your system. Which Jenkins version are you using, which authorization plugin in which version.
In older versions of Matrix Auth and Role-strategy you could not explicitly specify if you want to add a user or a group.

hello mawinter69
I will collect all the details and answer asap.
By the way: we don’t want to use groups at all; we only want to use USERS - but JENKINS is thinking this user is a group. Using this query:

String names = [“firstname.lastname”];
for (name in names) {
println(“Checking the name '” + name + “'…”)
try {
println(" It is a USER: " + Jenkins.instance.securityRealm.loadUserByUsername(name))
println(" Has groups/authorities: " + Jenkins.instance.securityRealm.loadUserByUsername(name).getAuthorities())
} catch (Exception e) {
try {
println(" It is a GROUP: " + Jenkins.instance.securityRealm.loadGroupByGroupname(name))
println(“”)
continue
} catch (Exception e1) {
println(" It is NOT a group, reason: " + e1.getMessage())
}
println(" It is NOT a user, reason: " + e.getMessage())
}
println(“”);
}

we are getting this result:

Checking the name ‘firstname.lastname’…
It is a GROUP: hudson.security.LDAPSecurityRealm$GroupDetailsImpl@65bc5cf1

the user (name changed) is definitely not a group, AD is showing USER

Hello again

we are using Jenkins 2.426.3

we are using Role-based Authorization Strategy 717.v6a_69a_fe98974

Shout anytime if you need more details, cheers
Martin

What message you get for exception e (the output of println(" It is NOT a user, reason: " + e.getMessage()))

new code to make it more clear:
(User 1: existing user but treated as a group
User 2: existing user treated as a user correctly
User3: not existing user to proof the query)

String[] names = ["user1",'user2','user3'];
   for (name in names) {
     println("Checking the name '" + name + "'...")
     try {
       println("  It is a USER: " + Jenkins.instance.securityRealm.loadUserByUsername(name))
       println("  Has groups/authorities: " + Jenkins.instance.securityRealm.loadUserByUsername(name).getAuthorities())
     } catch (Exception e) {
         try {
           println(" Exception raised trying to loadUserByUsername: " + e.getMessage())
	   println("  It is a GROUP: " + Jenkins.instance.securityRealm.loadGroupByGroupname(name))
           println(" The system has found the request in the 'loadGRoupByGRoupname' method")
	   continue
         } catch (Exception e1) {
           println("  It is NOT a group, reason: " + e1.getMessage())
	   println(" Exception raised trying to loadGroupByGroupname: " + e1.getMessage())
         }
       println("  It is NOT a user, reason: " + e.getMessage())
     }
     println("");
   }

result from the new query:

Checking the name ‘User1’…
Exception raised trying to loadUserByUsername: org.springframework.security.core.userdetails.UsernameNotFoundException: User User1 not found in directory.; nested exception is org.springframework.security.core.userdetails.UsernameNotFoundException: User User1 not found in directory.
It is a GROUP: hudson.security.LDAPSecurityRealm$GroupDetailsImpl@b1f3228
The system has found the request in the ‘loadGRoupByGRoupname’ method

Checking the name ‘User2’…
It is a USER: org.acegisecurity.userdetails.UserDetails$1@3cc2c8ab
Has groups/authorities: [bts_LongView_OKTA_BEPS_DEV, CEG_Blueroom, SH800057985B, SH800057985F, CEGSEC_FIT_VISIONAIR_APP, bts_RiskLink_SQL_UAT_RW_UAT, bts_RiskLink_SQL_ZNA_RW_PROD, bts_RiskLink_SQL_GRE_RW_PROD, bts_RiskLink_SQL_RD_RW_PROD, bts_RiskLink_SQL_EMEA_RW_PROD, BloomFlow, CEUSEC_DBI_PLT_WORKIVA_OKTA_USERS, ZurichOkta_GroupAccumulationManagement_RiskModelerExclusive_Prod, TRIS Database Administrators FW Allow, bts_a2c_aws_rds_access_noprod, MyJourney_Global_Feature_CourseraAccess, M365 VIVA Advanced Insights ES Servizurich, Zurich Azure ch-jenkinsgam-prd AdministratorAccess, Zurich Azure ch-jenkinsgam-uat AdministratorAccess, Global MicroFocus-ALM-Prod Users Members Auth, CEUSEC_DBI_PLT_SAP_OKTA_USERS, Zurich OKTA Cloudability CBO, Global GLAD2 PROD Users, Global GLAD2 UAT Users, InTune MDM VPN EMEA, InTune MDM EMEA, PowerBI-All_DXC_Staff_Report, Windows 365 External Access, CEUSEC_DBI_PLT_MSTR_OKTA_USERS, Global Technical Underwriting Connect Users, Global XEMA-Confluence-prod Users Members Auth, Global XEMA-Jira-prod Users Members Auth, Zurich_Azure_NoSAP_SQLDB_AdminAccess_NOPROD, SH700005054B, SH700005054S, SH700005054F, Zurich_NoSAP_CloudAdminConsole_SME, SH6500001115R, Global Jira-Prod Users Members Auth, Global Confluence-Prod Users Members Auth, Zurich OKTA Alfabet 04 AppOwner, AppInsights_DevMetrics_BTS_users, Zurich Okta Global GEMS employees, Brand Center for Excel Add-In Users, Brand Center for Word Add-In Users, EMEA_Citrix_PROF_PROD_CH_FinanceSaaS_BaseApps, EMEA_Citrix_PROF_UAT_CH_FinanceSaaS_BaseApps, Zurich Okta AWS GF-NON-SAP-AWS-Dev PowerUsers, EMEA_Citrix_PROF_PROD_VDI_External_Access, CEGSEC_Zurich_Okta_ZMule_ZWI_API_Discoverer, Office365OneDriveAllowed, Zurich Okta Global myDevelopment employees, Brand Center for PowerPoint Add-In Users, Zurich Okta CH MW controller DATA APP, EMEA_Citrix_PROF_PROD_CH_Business_FinancialAuditorWorkplace_BaseApps, EMEA_Citrix_PROF_UAT_CH_Business_FinancialAuditorWorkplace_BaseApps, EMEA_Citrix_PROF_PROD_CH-FIT_TRIS_AdminApps, EMEA_Citrix_PROF_UAT_CH-FIT_TRIS_AdminApps, cegsec_isp_rl_access_uat, cegsec_isp_rl_access_prod, PAGCVD_ZNA_PERS SMALL W10, SH700000862F, SH700000862B, O365 Workplace Analytics, AIP - Unified Label Access Group, ZNA_DT_ML_USR, All Zurich Users, SH6500001115B, Global Recert Helpsite EMEA Visitor Access, Zurich Okta Global Egencia Prod Users, ES CompensaCH Employee Login, Global Recert Helpsite Visitor Access, CH vs-ldc-gf02 SWIFT_Support RW, ES vs-ldc-gf02 FOS_BloomAIM RW, DE vs-ldc-gf02 DE_uploads_PROD RW, O365 Exchange, EMEA PROD URL Filtering Base NEW, global_OKTA_LiL_employees, CEGSEC_EMEA Remove Pac File, global_apps_at_work_myPdc_employees, EMEA CoE IE Default Page, EMEA - AIP Labels, CEGSEC_RiskLink_Admin, O365 Insights by MyAnalytics User, Spain PROD URL Filtering EXCEPTION Internet Communications and T, EMEA PROD URL Filtering Base, O365 Visio Online Plan 2 Users, CEGORG_ZUR_DT_GF_NPROD, CEGORG_ZUR_DT_GF_PROD, EMEA PROD GlobalProtect SSL VPN, CEGSEC_GCiE_Reserving_Support_Team, All Zurich Users EMEA, CEGSEC_Prod_UserSSLVPN, CELAPP_UAT_Access_MoveIT, CELSEC_ESDS-SWIFT_Support–rw, SH6500003333F, SH6500003331B, SH6500003331F, SH6500003333B, CEGORG_EMEA_MDM_ALL, CEGSEC_PROD_MobileSSLVPN, Zurich Okta Global DigiLearn POC, CEGSEC_ES_Temporary, CELAPP_Access_MoveIT, CEGSEC_TDC_SZ_BCN_USERS, CEGSEC_CLM_Request-WEBcert, SH6500002589F, SH6500002589B, SH6500002501B, SH6500002501F, EMEA Exchange Online, SH6500001841F, SH6500001841D, SH6500001841B, SH6500001115F, SH6500001110B, SH6500001110F, SH6500001110D, WORKPLACEBYFACEBOOK_PRODUCTION, O365 Teams User, GIS Splunk SC_dxc_all, O365 Skype, O365 Office Online, O365 E3, O365 SharePoint, O365 Planner User, O365 Flow User, Office 365 ProPlus User, O365 Forms User, O365 PowerApps User, O365 Stream User, O365 Sway User, O365 Azure Rights Management User, Office365 Intune MAM Allowed, Office365SharePointExternalSharingAllowed, EMEA STO DETECTION SPAIN USERS, PAR MFA Login, EMEA MDM All, EMEA APP MDM Users, ZNET_ZURINT, ES Oracle ESSO Prod Users, EMEA Mobile SSL VPN, authenticated]

Checking the name User3…
Exception raised trying to loadUserByUsername: org.springframework.security.core.userdetails.UsernameNotFoundException: User mickey.mouse not found in directory.; nested exception is org.springframework.security.core.userdetails.UsernameNotFoundException: User mickey.mouse not found in directory.
It is NOT a group, reason: org.springframework.security.core.userdetails.UsernameNotFoundException: mickey.mouse; nested exception is org.springframework.security.core.userdetails.UsernameNotFoundException: mickey.mouse
Exception raised trying to loadGroupByGroupname: org.springframework.security.core.userdetails.UsernameNotFoundException: mickey.mouse; nested exception is org.springframework.security.core.userdetails.UsernameNotFoundException: mickey.mouse
It is NOT a user, reason: org.springframework.security.core.userdetails.UsernameNotFoundException: User mickey.mouse not found in directory.; nested exception is org.springframework.security.core.userdetails.UsernameNotFoundException: User mickey.mouse not found in directory.

I think there are 2 problems here:

  1. The LDAP security realm is reporting that user1 is not a user but a group
  2. role-strategy is showing a group icon for what should be a user

For the first problem this might be a configuration issue of the ldap plugin. As I’m not familiar with that plugin I can’t help here.

The second problem can only occur normally when the entry is ambiguous in the config, means you haven’t chosen for an old existing entry if it should reflect a user or a group.
If you add a new entry via the button Add User it should theoretically be impossible that for this user a group symbol is shown.
Note that role-strategy (but also matrix-auth) do call the security realm to check if a user/group exists only to be able to show this in the UI.
If you add a user then only a user with that name will have the corresponding permissions, similar for groups.
The assignment of groups to users is done by the security realm and independent of the auth strategy