[JIRA] (JENKINS-61761) LDAP not matching groups with different base dn as user


cjp135@yahoo.com (JIRA)

Mar 31, 2020, 7:01:03 PM
to jenkinsc...@googlegroups.com
Topher Perusse created an issue
 
Jenkins / Bug JENKINS-61761
LDAP not matching groups with different base dn as user
Issue Type: Bug
Assignee: Unassigned
Components: ldap-plugin
Created: 2020-03-31 23:00
Environment: Jenkins: 2.190.2
LDAP Plugin: 1.21
Priority: Major
Reporter: Topher Perusse

We have a pretty large company that has users created in different domains and user groups in a single domain. When we attempt to do user grouping, if the user's base DN doesn't match the group DN, the group won't match to the user. We try to manage access all via a single (largely nested) ldap group.

What I observe:

User 1: CN=UserName1,OU=Users,OU=SomePlace,dc=foo,DC=company,DC=com
User 2: CN=UserName2,OU=Users,OU=SomeOtherPlace,dc=bar,DC=company,DC=com

Group 1: CN=MyBigGroup,OU=Distribution Lists,DC=foo,DC=company,DC=com
Group 2: CN=MyNestedGroup,OU=Distribution Lists,DC=foo,DC=company,DC=com

User 1 and User 2 are members of "MyNestedGroup".

Here is my ldap config:

Server: ldap://server.company.com:3268
Root DN: DC=company,DC=com
User Search Base: <empty>
User Search Filter: sAMAccountName={0}
Group Search Base: <empty>
Group Search Filter: (&(cn={0})(objectclass=group))
Group Membership: (Search for LDAP groups containing user)
Group Membership Filter: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))

When I search for "UserName1" it matches to MyNestedGroup and MyBigGroup, when I search for "UserName2" it doesn't match to any groups.

Am I doing something wrong with my queries/filters or is this a bug in the ldap-plugin?

Note: when I do "Parse user attribute for list of LDAP groups" instead, I see "MyNestedGroup" for both users (no matches to MyBigGroup, which is expected as no reverse lookup appears to be done here).

 


cjp135@yahoo.com (JIRA)

Mar 31, 2020, 7:02:05 PM
to jenkinsc...@googlegroups.com
Topher Perusse updated an issue
Change By: Topher Perusse
We have a pretty large company that has users created in different domains and user groups in a single domain. When we attempt to do user grouping, if the user's base DN doesn't match the group DN, the group won't match to the user. We try to manage access all via a single (largely nested) ldap group.


What I observe:

User 1: CN=UserName1,OU=Users,OU=SomePlace,dc=foo,DC=company,DC=com
User 2: CN=UserName2,OU=Users,OU=SomeOtherPlace,dc=bar,DC=company,DC=com

Group 1: CN=MyBigGroup,OU=Distribution Lists,DC=foo,DC=company,DC=com
Group 2: CN=MyNestedGroup,OU=Distribution Lists,DC=foo,DC=company,DC=com

User 1 and User 2 are members of "MyNestedGroup".

Here is my ldap config:

Server: ldap://server.company.com:3268
Root DN: DC=company,DC=com
User Search Base: <empty>
User Search Filter: sAMAccountName={0}
Group Search Base: <empty>
Group Search Filter: (&(cn={0})(objectclass=group))
Group Membership: (Search for LDAP groups containing user)
Group Membership Filter: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))

When I search for "UserName1" it matches to MyNestedGroup and MyBigGroup, when I search for "UserName2" it doesn't match to any groups.

Am I doing something wrong with my queries/filters or is this a bug in the ldap-plugin?

Note: when I do "Parse user attribute for list of LDAP groups" instead, I see "MyNestedGroup" for both users (no matches to MyBigGroup, which is expected as no reverse lookup appears to be done here).

 

cjp135@yahoo.com (JIRA)

Mar 31, 2020, 7:13:03 PM
to jenkinsc...@googlegroups.com
Topher Perusse updated an issue
We have a pretty large company that has users created in different domains and user groups in a single domain. When we attempt to do user grouping, if the user's base DN doesn't match the group DN, the group won't match to the user. We try to manage access all via a single (largely nested) group.


What I observe:

User 1: CN=UserName1,OU=Users,OU=SomePlace,dc=foo,DC=company,DC=com
User 2: CN=UserName2,OU=Users,OU=SomeOtherPlace,dc=bar,DC=company,DC=com

Group 1: CN=MyBigGroup,OU=Distribution Lists,DC=foo,DC=company,DC=com
Group 2: CN=MyNestedGroup,OU=Distribution Lists,DC=foo,DC=company,DC=com

User 1 and User 2 are members of "MyNestedGroup".

Here is my ldap config:

Server: ldap://server.company.com:3268
Root DN: DC=company,DC=com
User Search Base: <empty>
User Search Filter: sAMAccountName={0}
Group Search Base: <empty>
Group Search Filter: (&(cn={0})(objectclass=group))
Group Membership: (Search for LDAP groups containing user)
Group Membership Filter: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))

When I search for "UserName1" it matches to MyNestedGroup and MyBigGroup, when I search for "UserName2" it doesn't match to any groups.

Am I doing something wrong with my queries/filters or is this a bug in the ldap-plugin?

Note: when I do "Parse user attribute for list of LDAP groups" instead, I see "MyNestedGroup" for both users (no matches to MyBigGroup, which is expected as no reverse lookup appears to be done here).

 

cjp135@yahoo.com (JIRA)

Mar 31, 2020, 7:15:03 PM
to jenkinsc...@googlegroups.com
When I run the script console with the following, I see that everything has the right members:

println(Jenkins.instance.securityRealm.loadGroupByGroupname('MyBigGroup', true).getMembers())
println(Jenkins.instance.securityRealm.loadGroupByGroupname("MyNestedGroup", true).getMembers())
-------------------------
[MyNestedGroup]
[User1, User2]
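Added example, not part of the Jira issue, the reporter's posts or the ldap-plugin code: a standard-library Python model of what the Group Membership Filter from the config above asks the server to do, so the plugin's expected answer can be compared against a real ldapsearch run and against the script console output above. The directory contents (group member lists built from the DNs named in the report) are constructed for the example; the escaping helper, the search-base check and the nested-membership walk are this example's own functions and are not how the plugin is implemented.

```python
"""
Diagnostic model of the "Search for LDAP groups containing user" lookup.

Constructed data: the two groups and two users from the report, wired so that
MyNestedGroup is a direct member of MyBigGroup and both users are direct
members of MyNestedGroup. Nothing here talks to a directory server.
"""
import re

USER1 = "CN=UserName1,OU=Users,OU=SomePlace,dc=foo,DC=company,DC=com"
USER2 = "CN=UserName2,OU=Users,OU=SomeOtherPlace,dc=bar,DC=company,DC=com"
BIG = "CN=MyBigGroup,OU=Distribution Lists,DC=foo,DC=company,DC=com"
NESTED = "CN=MyNestedGroup,OU=Distribution Lists,DC=foo,DC=company,DC=com"

# Constructed directory: group DN -> direct 'member' values.
DIRECTORY = {
    BIG: [NESTED],
    NESTED: [USER1, USER2],
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter.

    The plugin puts the user's DN where {0} is; '(' ')' '*' '\\' and NUL in a
    DN would otherwise alter the structure of the filter, so they are encoded.
    """
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def membership_filter(user_dn: str) -> str:
    """The report's Group Membership Filter with {0} filled in (assumed shape)."""
    return "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))" % (
        escape_filter_value(user_dn))


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def dn_under_base(dn: str, base: str) -> bool:
    """True when dn equals base or sits below it (case-insensitive RDNs).

    An empty base means no restriction; the report's empty Group Search Base
    falls back to the Root DN, so pass that DN to see what the server scopes.
    """
    if not base:
        return True
    dn_parts = [p.lower() for p in split_dn(dn)]
    base_parts = [p.lower() for p in split_dn(base)]
    return (len(dn_parts) >= len(base_parts)
            and dn_parts[-len(base_parts):] == base_parts)


def groups_containing(user_dn: str, directory: dict, base: str = "") -> set:
    """Emulate matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN):
    return every group whose 'member' chain reaches user_dn, then apply the
    search base the way a subtree search would."""
    found, frontier = set(), {user_dn.lower()}
    while frontier:
        member = frontier.pop()
        for group_dn, members in directory.items():
            if member in (m.lower() for m in members) and group_dn not in found:
                found.add(group_dn)
                frontier.add(group_dn.lower())   # walk one level up the nesting
    return {g for g in found if dn_under_base(g, base)}


if __name__ == "__main__":
    for user in (USER1, USER2):
        print(membership_filter(user))
        print("  under Root DN:      ", sorted(groups_containing(user, DIRECTORY, "DC=company,DC=com")))
        print("  under DC=foo only:  ", dn_under_base(user, "DC=foo,DC=company,DC=com"))
```

With the Root DN from the report as the effective base, the model returns both groups for both users, which is what the script console output above also shows; if the plugin's UserName2 lookup comes back empty, the useful next check is to run the printed filter with ldapsearch against the same global catalog port and compare, and to confirm the base the plugin actually applies contains both the user entry and the group entries (the last line prints whether each user's DN sits under DC=foo, which only UserName1's does).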

 

 