LDAP authentication problem for multiple OUs


Ramaprakash Ganesan

Nov 26, 2015, 12:10:09 AM11/26/15
to Jenkins Users
I am trying to get all our organization users to log in to Jenkins using their LDAP domain credentials.
With the options below, only users under one particular OU are able to log in. I want to provide multiple OUs to search from.

Our Active Directory structure is as below:
ca -> America -> Users -> <actual user id>
ca -> India -> Users -> <actual user id>

Currently only users who are part of the America OU are able to log in successfully to the application. I want users from both the America and India OUs to be able to log in successfully.
I thought changing both User search base and Group search base to 'OU=Users,OU=America|OU=India' would work. But that fails for everybody. I tried replacing '|' with ','. But that did not help.
Please provide suggestions or the right options to use. This is a blocker for our Jenkins implementation.

root DN
DC=ca,DC=com

allow blank root DN
Not checked

User search base
OU=Users,OU=America

User search filter
sAMAccountName={0}

Group search base
OU=Users,OU=America

Group search filter
sAMAccountName={0}

Group membership
Search for groups containing user (selected option)
Group membership filter <blank>

Manager DN
CN=admin,OU=Role-Based,OU=America,DC=ca,DC=com

Display name LDAP attribute
sAMAccountName

Email address LDAP attribute
mail

Environment variables
com.sun.jndi.ldap.connect.timeout = 60000
com.sun.jndi.ldap.read.timeout = 60000

Daniel Beck

Nov 26, 2015, 12:12:58 AM11/26/15
to jenkins...@googlegroups.com
How about:

OU=Users

Rama

Nov 26, 2015, 12:32:42 AM11/26/15
to jenkins...@googlegroups.com
I tried it now. Providing only OU=Users also does not work.

James Nord

Nov 26, 2015, 5:48:37 AM11/26/15
to Jenkins Users
As you have country -> users, you need to have a common root.
In your case that is dc=ca, which, given your root DN, would be a blank entry.

Rama

Nov 26, 2015, 6:14:20 AM11/26/15
to jenkins...@googlegroups.com
I tried keeping User search base (and also tried with User search
filter as well) as blank, but that failed.
I also tried with blank root DN, that also failed. :(

On 11/26/15, James Nord <james...@gmail.com> wrote:
> As you have country -> users. You need to have a common root.
> In your case that is dc=ca which given your root dn would be a blank entry.

Rama

Nov 27, 2015, 5:15:36 AM11/27/15
to jenkins...@googlegroups.com
Anybody, any ideas?
I am contemplating using TeamCity if we will be unable to get through this :(

Björn Pedersen

Nov 27, 2015, 6:27:09 AM11/27/15
to Jenkins Users
As Daniel said: You need a single base node to start the search.
(see http://www.idevelopment.info/data/LDAP/LDAP_Resources/SEARCH_Setting_the_SCOPE_Parameter.shtml)

Keep userSearchBase empty(!)
The filtering has to be done with the userSearchFilter.
Take a look at http://stackoverflow.com/questions/9184978/ldap-root-query-syntax-to-search-more-than-one-specific-ou

Björn
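The advice in this thread (one common base node, subtree scope, selection done by the filter) is easier to see with a model of the search semantics. The script below is an added example and is not code from this thread or from the Jenkins LDAP plugin. It builds a constructed in-memory directory with the same layout the original poster described (two Users OUs under DC=ca,DC=com, plus a computer object to show what a wide search also reaches), and reproduces the plugin's behaviour as this thread describes it: the user search base is appended to the root DN, an empty base means the root itself, and {0} in the filter is replaced by the login name. The filter parser covers only the equality, AND and OR subset of RFC 4515, DN splitting ignores escaped commas, and the objectCategory/objectClass filter is the usual Active Directory way to restrict a search to user accounts. The last two lookups carry the caveat a practitioner wants here: once the base is widened to the root, the sAMAccountName filter alone matches any object in the domain, so tighten the filter (or restrict via group membership) rather than the base. Active Directory's DN-valued attributes only support equality matching, so "either of these two OUs" cannot be expressed in the filter itself, which is exactly why the answers above point to a single common base.

```python
import re

ROOT_DN = "DC=ca,DC=com"

# Constructed sample directory mirroring the layout described in the thread.
# Values are lists because AD attributes such as objectClass are multi-valued.
DIRECTORY = {
    "CN=alice,OU=Users,OU=America,DC=ca,DC=com": {"sAMAccountName": ["alice"],
        "objectClass": ["top", "person", "user"], "objectCategory": ["person"]},
    "CN=ravi,OU=Users,OU=India,DC=ca,DC=com": {"sAMAccountName": ["ravi"],
        "objectClass": ["top", "person", "user"], "objectCategory": ["person"]},
    "CN=BUILD01,OU=Computers,DC=ca,DC=com": {"sAMAccountName": ["BUILD01$"],
        "objectClass": ["top", "person", "user", "computer"], "objectCategory": ["computer"]},
}


def split_dn(dn):
    """Split a DN into lower-cased RDNs, leaf first (escaped commas are not handled)."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]


def effective_base(root_dn, search_base):
    """Search bases are relative to the root DN; an empty base means the root itself."""
    return f"{search_base},{root_dn}" if search_base else root_dn


def in_scope(entry_dn, base_dn, scope):
    """Apply the LDAP search scope: 'base', 'one' (direct children) or 'sub' (whole subtree)."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    under_base = len(entry) >= len(base) and entry[len(entry) - len(base):] == base
    if scope == "base":
        return entry == base
    if scope == "one":
        return under_base and len(entry) == len(base) + 1
    return under_base


def escape_filter_value(value):
    """RFC 4515 escaping, so a typed login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def parse_filter(text):
    """Parse the (attr=value), (&...) and (|...) subset of RFC 4515 into a small tree."""
    if not text.startswith("("):  # the plugin also accepts the bare 'attr={0}' form
        text = f"({text})"

    def parse(i):
        if text[i + 1] in "&|":
            op, i, kids = text[i + 1], i + 2, []
            while text[i] != ")":
                node, i = parse(i)
                kids.append(node)
            return (op, kids), i + 1
        end = text.index(")", i)
        attr, value = text[i + 1:end].split("=", 1)
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
        return ("=", attr.lower(), value.lower()), end + 1

    tree, consumed = parse(0)
    if consumed != len(text):
        raise ValueError("trailing characters in filter")
    return tree


def matches(attrs, node):
    """Evaluate a parsed filter against one entry's attributes (keys already lower-cased)."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(attrs, kid) for kid in node[1])
    _, attr, value = node
    return value in [v.lower() for v in attrs.get(attr, [])]


def search(base_dn, scope, filter_text):
    """Return the DNs a server would hand back for this base, scope and filter."""
    node = parse_filter(filter_text)
    hits = []
    for dn, attrs in DIRECTORY.items():
        lowered = {k.lower(): v for k, v in attrs.items()}
        if in_scope(dn, base_dn, scope) and matches(lowered, node):
            hits.append(dn)
    return sorted(hits)


def jenkins_lookup(user_search_base, user_search_filter, username):
    """Mimic the plugin's user lookup: relative base, subtree scope, {0} = escaped login name."""
    base = effective_base(ROOT_DN, user_search_base)
    return search(base, "sub", user_search_filter.replace("{0}", escape_filter_value(username)))


if __name__ == "__main__":
    # The poster's config: the India user lies outside the base, so nothing is returned.
    print(jenkins_lookup("OU=Users,OU=America", "sAMAccountName={0}", "ravi"))
    # The 'OU=America|OU=India' attempt names an OU that does not exist: nobody resolves.
    print(jenkins_lookup("OU=Users,OU=America|OU=India", "sAMAccountName={0}", "alice"))
    # Empty base (= root DN), subtree scope, selection by attribute: both OUs resolve.
    print(jenkins_lookup("", "sAMAccountName={0}", "ravi"))
    # The wider base also reaches non-person objects, so narrow the filter, not the base.
    print(jenkins_lookup("", "sAMAccountName={0}", "build01$"))
    print(jenkins_lookup("", "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))", "build01$"))
```

Running the script prints an empty list for the first two lookups (the situations the poster reported), the India user's DN for the third, the computer object for the fourth, and an empty list again once the filter is restricted to person/user objects. The `escape_filter_value` step is the part worth keeping in mind when writing any LDAP filter from user input: without it, a login name containing `*`, `(` or `)` would alter the filter rather than be matched literally.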