[JENKINS-33422] Provide a way to get back into Jenkins when active directory bind password expire

[timja]

In my corporation, all activedirectory account are setup to have a password that expire every 40 days.

This include the account used as bind account for querying activedirectory with active-directory-plugin.

When the password is changed, if I'm not currently logged in Jenkins, I have no way to get back logged-in in order to change the password. The only workaround I found is to stop jenkins, set useSecurity to false in config.xml, restart it and reconfigure the authentication using new password. This is not very convenient.

I have two ideas of feature that can solve this problem:

• The active-directory-plugin can provide a tool to encrypt the password from command line or from a cli command that is accessible to anonymous user, then the encrypted password can be replaced in config.xml file (this can be done automatically from a shell script when a password change is detected).

• The jenkins core can allow to use two authentication at the same time: the one that is mainly used and a backup one (for example fixed to "use jenkins internal database") providing an always accessible "admin" login.

---

Originally reported by fievez, imported from: Provide a way to get back into Jenkins when active directory bind password expire

• assignee: fbelzunc
• status: Open
• priority: Major
• resolution: Unresolved
• imported: 2022/01/10

[timja]

jhoblitt:

See https://issues.jenkins-ci.org/browse/JENKINS-15063. Essentially, this would require an incompatible change.

[timja]

fbelzunc:

Instead you can create a checkbox to fallback momentary into Jenkins user database. I think this might be possible.

[timja]

duemir:

 

According to https://plugins.jenkins.io/active-directory the fallback-user is available since 2.5.