[JIRA] [core] (JENKINS-29162) Jenkins internal user in order to be able to log-in under an authentication failure with LDAP AD, ...


fbelzunc@gmail.com (JIRA)

Jul 1, 2015, 5:44:01 AM
to jenkinsc...@googlegroups.com
Félix Belzunce Arcos created an issue
 
Jenkins / Improvement JENKINS-29162
Jenkins internal user in order to be able to log-in under an authentication failure with LDAP AD, ...
Issue Type: Improvement
Assignee: Unassigned
Components: core, plugin-proposals
Created: 01/Jul/15 9:43 AM
Priority: Minor
Reporter: Félix Belzunce Arcos

Having Jenkins administration completely dependent on the availability of an external LDAP server might be a real problem/risk. Jenkins could be accessible even if LDAP/AD/.. server becomes unavailable.

Basically, this will try to avoid configuring LDAP in Jenkins only to find out it is not working and then no longer being able to log in to Jenkins.

Maybe this can be done as a plugin.


dbeck@cloudbees.com (JIRA)

Jul 1, 2015, 7:57:01 AM
to jenkinsc...@googlegroups.com

dbeck@cloudbees.com (JIRA)

Jul 1, 2015, 7:58:02 AM
to jenkinsc...@googlegroups.com

Could probably be implemented by caching auth realm data and using that as fallback if there is an error connecting to the live auth realm.

dbeck@cloudbees.com (JIRA)

Jul 1, 2015, 7:59:01 AM
to jenkinsc...@googlegroups.com
Daniel Beck updated an issue
 

Not a core issue as authentication is completely done in plugins.

Adding LDAP plugin component as the issue description specifically refers to that.

Change By: Daniel Beck
Component/s: ldap-plugin
Component/s: core

akostadinov@java.net (JIRA)

Sep 2, 2015, 4:05:02 AM
to jenkinsc...@googlegroups.com
akostadinov commented on Improvement JENKINS-29162
 
Re: Jenkins internal user in order to be able to log-in under an authentication failure with LDAP AD, ...

I'd advocate for support of non-LDAP users. Sometimes one needs a machine account to just access Jenkins. Setting up an LDAP account might be an issue with IT.

slc@cisco.com (JIRA)

Nov 19, 2015, 5:06:07 PM
to jenkinsc...@googlegroups.com

Good points. We were burned by this issue just recently when our corporate LDAP server experienced issues. Our build and deploy pipeline became invisible since no log in is possible. The maximum cache currently allowed by the LDAP plugin is 1 hour. We need something like 3 days, or a way to have a local login in addition to the LDAP authenticated login.

teilo@java.net (JIRA)

Nov 20, 2015, 6:00:03 AM
to jenkinsc...@googlegroups.com

You can configure the plugin with multiple LDAP servers so as to fail over to a backup if the primary goes down. If you only have one LDAP server then I would recommend getting another one - (Steven - your company is not short of LDAP servers).

There are current non-Jenkins workarounds like using a service like MS AD LDS - solutions from other vendors apply also - but this does indeed add to the complexity of getting something like this working, adds to support and is less than ideal.
An API token should still work for script based access in order to reset some configuration - but there appears to be no API for Configure System or Configure Global Security that I could find that would allow you to change this.

As for the 1 hour maximum (worth a different JIRA - but 3 days sounds a little excessive to me from a security perspective) - PRs welcome to this code

Daniel Beck LDAP plugin should already cache this data (assuming you have already authenticated)
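
The cached-credential fallback and maximum cache age discussed in this thread, sketched as an added example (a Python model of the logic, not code from Jenkins or the LDAP plugin). The class name, the `RealmUnavailable` exception and the sample directory are hypothetical; the point is that the cache is consulted only when the directory is unreachable, never when it rejects a password.

```python
import hashlib, hmac, os, time

class RealmUnavailable(Exception):
    """Live directory unreachable; distinct from a rejected password."""

class CachingFallbackRealm:  # hypothetical name, not a Jenkins class
    def __init__(self, live_authenticate, max_age_seconds=3600, clock=time.time):
        self._live = live_authenticate  # callable(user, pw) -> bool; may raise RealmUnavailable
        self._max_age, self._clock = max_age_seconds, clock
        self._cache = {}  # user -> (salt, derived_key, stored_at)

    @staticmethod
    def _derive(password, salt):  # store a salted PBKDF2 hash, never the password
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def authenticate(self, user, password):
        try:
            ok = self._live(user, password)
        except RealmUnavailable:
            return self._from_cache(user, password)  # fallback on outage only
        if ok:
            salt = os.urandom(16)
            self._cache[user] = (salt, self._derive(password, salt), self._clock())
        else:
            self._cache.pop(user, None)  # fail closed: live rejection evicts the entry
        return ok

    def _from_cache(self, user, password):
        entry = self._cache.get(user)
        if entry is None or self._clock() - entry[2] > self._max_age:
            self._cache.pop(user, None)  # never seen live, or stale: no fallback
            return False
        salt, key, _ = entry
        return hmac.compare_digest(key, self._derive(password, salt))

def demo():
    directory, state = {"alice": "s3cret"}, {"up": True, "now": 0.0}  # constructed sample data
    def live(user, pw):
        if not state["up"]:
            raise RealmUnavailable()
        return directory.get(user) == pw
    realm = CachingFallbackRealm(live, 3600, clock=lambda: state["now"])
    tries = [("alice", "s3cret"), ("alice", "wrong"), ("bob", "x")]
    out = [realm.authenticate("alice", "s3cret")]  # live success, entry cached
    state["up"] = False  # directory outage begins
    out += [realm.authenticate(u, p) for u, p in tries]
    state["now"] = 3601.0  # past the maximum cache age
    return out + [realm.authenticate("alice", "s3cret")]
```

A longer `max_age_seconds` keeps logins working through a longer outage, but it also extends how long a disabled account or an old password keeps working while the directory is down.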

fbelzunc@gmail.com (JIRA)

Dec 1, 2015, 2:51:02 AM
to jenkinsc...@googlegroups.com

harold.a.johnson@gov.bc.ca (JIRA)

Oct 14, 2016, 5:35:01 PM
to jenkinsc...@googlegroups.com

As a comment to this, JIRA allows this sort of authentication - you can log in with both external LDAP and an internal user - whatever you need. This is useful if you need to edit the LDAP definition in JIRA, by logging in using the internal user.

As I was trying to set up Jenkins recently as a new install, I kept having issues with LDAP/AD in Jenkins and kept getting locked out. Had to turn off security constantly while I worked out the issues. Would have been nice to have an internal login available.
btw, I eventually abandoned the LDAP/AD plugins as non-functioning and went with the CROWD2 plugin for JIRA.


bjoern.martin@gmx.net (JIRA)

Mar 8, 2017, 10:59:04 AM
to jenkinsc...@googlegroups.com

Just voted - specifically for Harry Johnson's proposal: I had the exact same issue while trying to get LDAP working with a test installation.


faucher.benp@gmail.com (JIRA)

Feb 9, 2020, 9:30:04 PM
to jenkinsc...@googlegroups.com

I'll add another voice to the pile for this. I need failover to internal specifically for the admin account, and bot accounts for API keys for automation.
