LDAP groups and Role Based Authorization not playing nice.


Michael Lasevich

Aug 15, 2016, 4:59:56 PM
to Jenkins Users
I am trying to do something I thought I had done many times before, but it is not working now - using Role based Authorization with LDAP authentication and specifically LDAP Groups.

I believe I have LDAP Authentication set up and working for both users and groups.
I believe I have Role based authentication set up.

Granting roles to LDAP users directly - either global or project roles - works. I can log in with an LDAP user and get the expected permissions. Granting roles to 'authenticated' also seems to work.

However, if I grant permissions to an LDAP group - it just does not work.

I am very confused why assigning roles to groups does not work.

A few thoughts and observations:

* "Assign Roles" UI recognizes LDAP Groups and shows a group icon next to them.

* "User status" UI (/user/username URI) shows groups for the user and I even ran that LDAP test groovy script that worked as expected. Although...

* "User Status" only shows groups to the "admin" user. A regular user with just access to run specific jobs does not see their own groups - perhaps something is blocking non-admin users from reading their own groups?

* Increasing logging shows that a user that was granted admin rights directly has all the groups in the "Granted Authorities" but non-admin user only has "authenticated" - interestingly enough admin user does NOT have 'authenticated'...

* Don't think it is relevant here, but in the past I recall having to do a special prefix for groups (like '@' I think) - not sure if this is still necessary


Versions -- Running this on:

* Jenkins 2.10
* LDAP Plugin 1.12
* Role Based Authorization Strategy 2.3.2

Any thoughts or suggestions would be appreciated....

Thanks,

-Michael
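The "Granted Authorities" comparison Michael describes can be reproduced from the Script Console instead of by raising log levels. The script below is an added diagnostic example, not code from the thread or from the LDAP/Role plugins; it assumes the standard Jenkins `SecurityRealm.loadUserByUsername` and `AuthorizationStrategy.getGroups` APIs of Jenkins 2.x, and the `username` value is a placeholder to replace with the LDAP uid under test.

```groovy
// Added example (not from the thread): run as an administrator in
// Manage Jenkins -> Script Console to compare what the security realm
// resolves for a user against the group names the authorization
// strategy actually references. Assumes standard Jenkins 2.x APIs.
import jenkins.model.Jenkins

def username = 'some.user'   // placeholder: the LDAP uid to inspect

def jenkins = Jenkins.instance
def realm   = jenkins.securityRealm
println "Security realm: ${realm.class.name}"

// Ask the realm (here the LDAP plugin) to resolve the user; the groups it
// maps become GrantedAuthority entries on the returned UserDetails.
def details = realm.loadUserByUsername(username)
def resolved = details.authorities.collect { it.authority }
println "Authorities resolved by the realm for ${username}:"
resolved.each { println "  ${it}" }

// Names (users and groups) the authorization strategy has roles assigned to.
def strategy = jenkins.authorizationStrategy
println "Authorization strategy: ${strategy.class.name}"
def assigned = strategy.groups as Set
println "Names referenced by the authorization strategy:"
assigned.each { println "  ${it}" }

// A group the strategy references that the realm never resolves for this
// user is the first thing to check: exact spelling, case and any prefix
// must match, since the strategy compares authority strings literally.
def unmatched = assigned.findAll { !(it in resolved) && !(it in ['authenticated', 'anonymous', username]) }
println "Referenced names NOT present in the realm's authorities for ${username}:"
unmatched.each { println "  ${it}" }
```

If the realm lookup itself lists the expected groups for a non-admin user while their interactive session shows only `authenticated`, the mismatch is on the side that builds the session's authorities at login rather than in the role assignments.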



Indra Gunawan (ingunawa)

Aug 17, 2016, 8:25:08 AM
to jenkins...@googlegroups.com
LDAP group never works with the Role Based Authorization plugin. Only the CloudBees paid version of the Role based plugin combined with the Folder plugin on Enterprise Jenkins is made to work with LDAP groups.

-Indra


Michael Lasevich

Aug 17, 2016, 1:26:34 PM
to Jenkins Users, ingu...@cisco.com
So, was this broken at some later time on purpose? I could have sworn I had used this functionality in the past.

Is this a problem in Role plugin or LDAP plugin? You mention Role plugin, but Role plugin is clearly recognizing the group for admin - it seems like there is a security problem in LDAP plugin that prevents it from reading the groups for non-admin users.

-M

Michael Lasevich

Sep 1, 2016, 1:52:04 PM
to Jenkins Users
For what it's worth, I believe this is an issue with the LDAP Plugin, as I was able to recreate it without Role Based auth using Matrix based auth as well.

From a little digging I did, it appears it is some odd permissions issue, as if you grant the user explicit admin rights ahead of time, it can read the groups - but any other kind of user fails. This of course makes LDAP Groups completely useless as only admins can see them. I filed a ticket with the LDAP Plugin team: https://issues.jenkins-ci.org/browse/JENKINS-37858

-M