[JIRA] (JENKINS-37858) Group based LDAP authentication does not work


max-jenkins@lasevich.net (JIRA)

Aug 31, 2016, 11:16:04 AM8/31/16
to jenkinsc...@googlegroups.com
Michael Lasevich created an issue
Jenkins / Bug JENKINS-37858
Group based LDAP authentication does not work
Issue Type: Bug
Assignee: Kohsuke Kawaguchi
Components: ldap-plugin
Created: 2016/Aug/31 3:15 PM
Environment: Jenkins 2.10 (recreated in 1.566)
ldap-plugin 1.12
Labels: ldap authorization
Priority: Critical
Reporter: Michael Lasevich

When using LDAP Plugin, groups are not read unless user is explicitly granted admin rights ahead of time (defeating the point of using LDAP groups).

I believe it is not a config issue as if the user is admin, they can, in fact, see groups with same config.

To Recreate:

1 - Set up LDAP Plugin to point to a working LDAP server with two user accounts (say, "admin" and "user" - make both have groups attached to them)
2 - Set Authorization to "Anyone Can Do anything"
3 - Verify you can login with each user and each user can see own groups by going to /users/<username> uri
4 - Set up matrix auth (any conditional auth will do, matrix is the easiest one though) and grant "admin" overall admin rights, and "user" overall "read"
5 - Repeat step 3 - at this point admin will see their own groups, but "user" will not be able to

This is not just visual: group based authentication does not work. Looking in the logs, it appears that "user" only has the "authenticated" authority when they have no admin rights.

This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)

skilldeal@outlook.com (JIRA)

Sep 1, 2016, 10:23:01 AM9/1/16
to jenkinsc...@googlegroups.com
Taylor K commented on Bug JENKINS-37858
 
Re: Group based LDAP authentication does not work

I have the same issue with LDAP Plugin 1.12 and Jenkins 2.7.2.

Using the matrix, I can authorize usernames but not groups of which the user is a member.

guillaume.menguy@gmail.com (JIRA)

Mar 3, 2017, 5:22:02 AM3/3/17
to jenkinsc...@googlegroups.com

Hello,

Same problem with Jenkins 2.32.2, LDAP 1.14: the LDAP group matrix authorization does not work, all authenticated users have only the 'anonymous' default permissions.

Here is a simple Groovy script to test it:

{code:groovy}
import jenkins.model.Jenkins

try {
    // Authorities granted on the login path (what the authorization strategy is checked against)
    println("  Has authorities: " + Jenkins.instance.securityRealm.authenticate("myLdapUser", "****").getAuthorities())
    // Authorities from the user-lookup path (what the /user/<name> page shows)
    println("  Has groups : " + Jenkins.instance.securityRealm.loadUserByUsername("myLdapUser").getAuthorities())
} catch (Exception e) {
    println(e)
}
{code}

The result with my company's LDAP server is:
Has authorities: [authenticated]
Has groups: [INTERNET, TOKEN , *** ,*** .......]

guillaume.menguy@gmail.com (JIRA)

Mar 3, 2017, 5:29:01 AM3/3/17
to jenkinsc...@googlegroups.com
Guillaume Menguy edited a comment on Bug JENKINS-37858
Hello,

Same problem with Jenkins 2.32.2, LDAP 1.14: the LDAP group matrix authorization does not work, all authenticated users have only the 'anonymous' default permissions.

Here is a simple Groovy script to test it:

{code:groovy}
import jenkins.model.Jenkins

try {
    // Authorities granted on the login path (what the authorization strategy is checked against)
    println("  Has authorities: " + Jenkins.instance.securityRealm.authenticate("myLdapUser", "****").getAuthorities())
    // Authorities from the user-lookup path (what the /user/<name> page shows)
    println("  Has groups : " + Jenkins.instance.securityRealm.loadUserByUsername("myLdapUser").getAuthorities())
} catch (Exception e) {
    println(e)
}
{code}

The result with my company's LDAP server is:
  Has authorities: [authenticated]
  Has groups: [INTERNET, TOKEN , *** ,***  .......]

My understanding is that the first call should also contain the LDAP groups/authorities, no?

o.v.nenashev@gmail.com (JIRA)

Jun 12, 2018, 1:46:24 PM6/12/18
to jenkinsc...@googlegroups.com
Oleg Nenashev assigned an issue to Unassigned

In order to set proper expectations, I have unassigned Kohsuke from this ticket.
Currently there is no default assignee in the LDAP plugin; any contributions will be appreciated.

Change By: Oleg Nenashev
Assignee: Kohsuke Kawaguchi

linmark333@gmail.com (JIRA)

Oct 5, 2018, 11:23:02 AM10/5/18
to jenkinsc...@googlegroups.com
Mark Lin commented on Bug JENKINS-37858
 
Re: Group based LDAP authentication does not work

For a hack fix, I'm using JumpCloud: if the user is enabled with "Enable as LDAP Bind DN", then groups can be searched without the user being added to admin first. Although enabling Bind DN means the user can search LDAP.

It's still a bit odd; the cases where a user can see group info are:

  1. user without "Enable as LDAP Bind DN" in JumpCloud, but with Administer privileges, can view user groups
  2. user with "Enable as LDAP Bind DN" in JumpCloud, but without Administer privileges, can also view user groups

Of course, a user with admin and "Enable as LDAP Bind DN" can see groups as well.

That drives a hypothesis: an admin-privileged user can use the manager DN in the LDAP connection settings to search group membership, whereas a user without admin privileges has to rely on their own LDAP permissions to query for groups.


linmark333@gmail.com (JIRA)

Oct 5, 2018, 11:24:02 AM10/5/18
to jenkinsc...@googlegroups.com
Mark Lin edited a comment on Bug JENKINS-37858
For a hack fix, I'm using JumpCloud: if the user is enabled with "Enable as LDAP Bind DN", then groups can be searched without the user being added to admin first. Although enabling Bind DN means the user can search LDAP.

It's still a bit odd; the cases where a user can see group info are:
  1. user *without* "Enable as LDAP Bind DN" in JumpCloud, but *with* Administer privileges, can view user groups
  2. user *with* "Enable as LDAP Bind DN" in JumpCloud, but *without* Administer privileges, can also view user groups


Of course, a user with admin and "Enable as LDAP Bind DN" can see groups as well.

That drives a hypothesis: an admin-privileged user can use the manager DN in the LDAP connection settings to search group membership, whereas a user without admin privileges has to rely on their own LDAP permissions to query for groups.


Jenkins 2.141
LDAP plugin 1.20
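A fuller diagnostic for the gap described in Guillaume's script and in the hypothesis above, as an added example that is not from the original thread or from the LDAP plugin: it compares the authorities the realm returns on the login path with those on the user-lookup path, then cross-checks both against the SIDs actually granted in the matrix, so an administrator can see which LDAP groups the matrix expects but the login path never delivers. Assumptions: it is run in the Jenkins script console; `myLdapUser` and `****` are placeholders for the account under test; `getGroups()` and `hasPermission(sid, permission)` are the methods of matrix-auth's `GlobalMatrixAuthorizationStrategy` (the check is skipped for other strategies).

```groovy
import jenkins.model.Jenkins

// Placeholders: replace with the account under test. Never leave real credentials in a saved script.
String user = 'myLdapUser'
String password = '****'

def realm = Jenkins.instance.securityRealm

// Authorities from the login path, which is what the authorization strategy evaluates.
Set<String> loginAuthorities = [] as Set
try {
    loginAuthorities = realm.authenticate(user, password).authorities.collect { it.authority } as Set
} catch (Exception e) {
    println "Login-path authentication failed: ${e}"
}

// Authorities from the user-lookup path, which is what the /user/<name> page displays.
Set<String> lookupAuthorities = realm.loadUserByUsername(user).authorities.collect { it.authority } as Set

println "Login path  : ${loginAuthorities}"
println "Lookup path : ${lookupAuthorities}"
println "Present on lookup but missing on login: ${lookupAuthorities - loginAuthorities}"

// Cross-check against the SIDs configured in the matrix, if a matrix strategy is in use.
// getGroups() returns every SID (user names and group names) that has at least one grant.
def strategy = Jenkins.instance.authorizationStrategy
if (strategy.respondsTo('getGroups')) {
    Set<String> matrixSids = strategy.groups as Set
    Set<String> satisfied = matrixSids.intersect(loginAuthorities)
    Set<String> dropped = matrixSids.intersect(lookupAuthorities) - satisfied

    println "SIDs with grants in the matrix        : ${matrixSids}"
    println "SIDs the login path satisfies         : ${satisfied}"
    if (dropped) {
        // These are the groups whose permissions the user never receives: the symptom reported here.
        println "Matrix SIDs LDAP reports but login drops: ${dropped}"
    }
    boolean adminViaMatch = satisfied.any { sid -> strategy.hasPermission(sid, Jenkins.ADMINISTER) }
    println "Overall/Administer reachable through a satisfied SID: ${adminViaMatch}"
} else {
    println "Authorization strategy ${strategy.class.simpleName} is not a matrix strategy; skipping cross-check"
}
```

Run it once for a user who is expected to inherit rights only through a group: an empty "SIDs the login path satisfies" together with a non-empty "login drops" line reproduces the failure without touching the matrix configuration, and the same two lines going consistent again is the check to re-run after any plugin or manager-DN change.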

john@jeffers.cc (JIRA)

Dec 24, 2019, 3:37:05 PM12/24/19
to jenkinsc...@googlegroups.com

Any chance we can get someone to look into this? I have the same problem as others here, also using JumpCloud. The only way I can get LDAP groups to work is if I give the user account "Enable as LDAP Bind DN" permissions. Without that, group memberships are not honored, and the logged-in user does not get the permissions assigned to the group.

Does anyone using other LDAP providers have this problem, or is this unique to JumpCloud? Not really sure who I should be asking to fix this problem.
