Jenkins Integration with FreeIPA LDAP


Yogesh Sharma

Sep 19, 2015, 7:03:25 AM
to Jenkins Users
Hi List,

I am trying to integrate Jenkins with FreeIPA LDAP. Configuration is done and seems to be OK as there is no error. However, I am not able to authenticate to Jenkins using FreeIPA LDAP users.

Jenkins logs do not say anything. Tried adding Log Level:

org.acegisecurity.providers.ldap.authenticator,org.acegisecurity.providers.ldap.LdapAuthenticationProvider (WARNING) but it does not help.

Below is LDAP Config in Jenkins:


 root DN
 User search base
 User search filter
 Group search base
 Group search filter
 Group membership
 Group membership filter
 Manager DN
 Manager Password
 Display Name LDAP attribute
 Email Address LDAP attribute
 Enable cache
 Environment Properties

Neil White

Sep 20, 2016, 12:49:05 PM
to Jenkins Users
I'm running Jenkins 2.21 and I got it running on LDAP with only the following details.
This is from the config.xml, which you can translate into the frontend.

<securityRealm class="hudson.security.LDAPSecurityRealm">
<server>ipa.example.com</server>
<rootDN>dc=example,dc=com</rootDN>
<inhibitInferRootDN>false</inhibitInferRootDN>
<userSearchBase>cn=users,cn=accounts</userSearchBase>
<userSearch>uid={0}</userSearch>
<groupSearchBase>cn=groups,cn=accounts</groupSearchBase>
<groupSearchFilter>memberOf=cn=jenkins,cn=groups,cn=accounts,dc=example,dc=com</groupSearchFilter>
<groupMembershipStrategy class="jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy">
  <filter></filter>
</groupMembershipStrategy>
<managerDN>uid=jenkins,cn=sysaccounts,cn=etc,dc=example,dc=com</managerDN>
<managerPasswordSecret>TRLkkCtAA1X2hAyqXXXXXXXXXXXXXXXXXXXOsJz8Q3txUCTprcl/qTItIFNDrR5x7</managerPasswordSecret>
<disableMailAddressResolver>false</disableMailAddressResolver>
<displayNameAttributeName>displayname</displayNameAttributeName>
<mailAddressAttributeName>mail</mailAddressAttributeName>
<userIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
<groupIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
</securityRealm>
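
The following Python is an added example, not code from this thread or from the Jenkins LDAP plugin. It reads a securityRealm fragment like the one above, joins the relative search bases to the root DN, and builds the ldapsearch call that reproduces the user lookup outside Jenkins, which shows whether the manager bind, the base or the filter is what fails. The username ysharma and all function names are assumptions, as is the handling of a single server value with no scheme as ldap://.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the realm posted above, with the manager secret left out
# and an opening tag supplied so that it parses.
SAMPLE = """<securityRealm class="hudson.security.LDAPSecurityRealm">
  <server>ipa.example.com</server>
  <rootDN>dc=example,dc=com</rootDN>
  <userSearchBase>cn=users,cn=accounts</userSearchBase>
  <userSearch>uid={0}</userSearch>
  <groupSearchBase>cn=groups,cn=accounts</groupSearchBase>
  <managerDN>uid=jenkins,cn=sysaccounts,cn=etc,dc=example,dc=com</managerDN>
</securityRealm>"""

def escape_filter(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def join_dn(relative, root):
    # Search bases in the realm are relative to rootDN; either part may be empty.
    return ",".join(p for p in (relative.strip(), root.strip()) if p)

def effective_lookup(realm_xml, username):
    realm = ET.fromstring(realm_xml)
    get = lambda tag: (realm.findtext(tag) or "").strip()
    server = get("server")
    # Assumption: one server entry; a bare host name means ldap:// on port 389.
    url = server if "://" in server else "ldap://" + server
    return {
        "url": url,
        "plain_ldap": not url.lower().startswith("ldaps://"),
        "bind_dn": get("managerDN"),
        "user_base": join_dn(get("userSearchBase"), get("rootDN")),
        "user_filter": get("userSearch").replace("{0}", escape_filter(username)),
        "group_base": join_dn(get("groupSearchBase"), get("rootDN")),
    }

def ldapsearch_command(info):
    # -x simple bind, -D manager DN, -W prompt for its password, -b search base.
    return ["ldapsearch", "-x", "-H", info["url"], "-D", info["bind_dn"], "-W",
            "-b", info["user_base"], "-s", "sub", info["user_filter"], "dn", "memberOf"]

if __name__ == "__main__":
    print(" ".join(ldapsearch_command(effective_lookup(SAMPLE, "ysharma"))))
```

If plain_ldap is true, the manager password and every user's login password cross the network without LDAPS; the plugin accepts an ldaps:// URL in the server field.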

Michael Lasevich

Sep 20, 2016, 7:14:33 PM
to Jenkins Users
Out of curiosity, have you gotten the groups to work in this config?

I have this same setup working, but I can only see groups IFF the user already has admin rights (which is very backwards and useless, as groups are mostly meaningless if you are already admin). I opened a bug with LDAP plugin (https://issues.jenkins-ci.org/browse/JENKINS-37858)

-M