Jenkins: How to Change LDAP Password

Question

My institution requires me to periodically change my LDAP password.

In the past, I was able to perform the following steps to change my password:-

• Create a Base64 encoded password at http://www.base64encode.org/
• Edit /var/lib/jenkins/config.xml and change <managerPassword/>.

However, the recent version of Jenkins no longer use <managerPassword/>. Instead, I'm seeing <managerPasswordSecret/>.

I'm not sure how to generate the new secret password, so I did the following:-

• Backup /var/lib/jenkins/config.xml first.
• Edit /var/lib/jenkins/config.xml and change <useSecurity/> to false.
• Restart Jenkins service.
• Go to Jenkins.
• Enable LDAP Security.
• Enter new LDAP password.
• Save it.
• Open up /var/lib/jenkins/config.xml and copy <managerPasswordSecret/>.
• Restore backup config file.
• Replace <managerPasswordSecret/> with the new value.

This is incredibly convoluted.

Is there a more straightforward way for me to maintain my LDAP password change in the future?

Thanks much!

Answer 1

I was trying to do same thing and this is simple solution (use from Jenkins console):

import com.trilead.ssh2.crypto.Base64;
import javax.crypto.Cipher;
import jenkins.security.CryptoConfidentialKey;
import hudson.util.Secret;

CryptoConfidentialKey KEY = new CryptoConfidentialKey(Secret.class.getName());
Cipher cipher = KEY.encrypt();
String MAGIC = "::::MAGIC::::";


String VALUE_TO_ENCRYPT = "";
println(new String(Base64.encode(cipher.doFinal((VALUE_TO_ENCRYPT + MAGIC).getBytes("UTF-8")))));

Decoding is simpler:

println(hudson.util.Secret.decrypt(HashFromConfigXmlHere));

Answer 2

The current easiest and fastest solution (just worked for me) is from Cloudbees: simply enter the new password into the password field in the config.xml as plain text (not encrypted) then Jenkins will read that correctly. Once you start Jenkins and just re-save the Manage Jenkins -> Configure Global Security page

https://support.cloudbees.com/hc/en-us/articles/221230028-Changing-LDAP-Password

Answer 3

Edit your config.xml file by hand.

If your Jenkins uses a <managerPasswordSecret> set of tags, put the new plain text password in there and Jenkins will read it. Once Jenkins starts up, go to the Configure System > Configure Global Security page and click Save. That will update that field with the encrypted version.

Answer 4

None of the above solutions worked for me with a newer version of Jenkins (2.78). What did work was putting the managerPasswordSecret in without any encryption. Once I ran Jenkins, the password got encrypted for me.

Answer 5

You can still use <managerPassword>.

1. Generate the new encoded password with

   perl -e 'use MIME::Base64; print encode_base64("yourNewPassword");'

2. In your config.xml, find <hudson>/<securityRealm>/<managerPasswordSecret>. Change <managerPasswordSecret> to <managerPassword> (both before and after) and put the encoding from #1 between them. Save the file.

3. Restart jenkins
4. Login and using the UI, reset the LDAP Manager password to the same yourNewPassword. config.xml should now be back to <managerPasswordSecret>.
5. If you are paranoid (like me), restart jenkins again to use the newly modified config.xml.

Answer 6

I tried solution provided by @alkuzad and its working fine. Just to clarify that you can't use Jenkins web Console when LDAP user password is expired. So what I did is as follow (I have groovy script plugin in Jenkins. I also provided run script access to anonymous user - not a good idea but it's the way I initially found to resolve this recurring issue).

1. Downloaded jenkins-cli.jar
2. put above code in GroovyPasswordClass.txt (not to forget using new password in place of VALUE_TO_ENCRYPT in code)
3. start jenkins server (its requirement to have jenkins running)
4. run below command from command prompt

java -jar jenkins-cli.jar -s groovy GroovyPasswordClass.txt

This will print encrypted password.

Better Option

Well, later I found better way to do authentication if directory service provider is MS Active Directory. In that case instead of LDAP plugin, I used Active Directory plugin for authentication. This I found better because

1) Response is faster when use Active directory plugin instead of generic LDAP protocol based plugin 2) Active Directory plugin uses user data with which Jenkins service was started and no need to configure any user account in Jenkins. So you will never have situation that your Jenkins login not working because user configured for ldap has expired password.

Hope this will help others trying to resolve this issue.