Jenkins Integration with LDAP - Testing Connection Fails


Mk

Aug 20, 2020, 1:28:21 PM
to Jenkins Users
Hi Team,

I am trying to configure LDAP (AD) authentication in our Jenkins. Below are my configuration settings, but the test LDAP connection is failing.

Environment:-
Jenkins Version - 2.235.5(LTS)
LDAP Plugin - 1.24


Server - ldap://ad-ldap-server.com
root DN: DC=domain,DC=com
User search base: OU=Users,OU=Division,OU=Team,DC=domain,DC=com
User search filter: sAMAccountName={0}
Group search base: OU=Users,OU=Division,OU=Team,DC=domain,DC=com
Group search filter: (&(objectclass=group)(cn={0}))
Group membership
      Group membership filter - (&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={0}))
Manager DN: CN=jenkins,OU=Users,OU=Division,OU=Team,DC=domain,DC=com
Manager Password: password
Display Name LDAP attribute: displayname
Email Address LDAP attribute: mail


Error Message:-

1.png


Please let me know what is missing in my configuration. Any help would be appreciated.

jeremy mordkoff

Aug 21, 2020, 2:14:56 PM
to Jenkins Users
Sounds like the user is valid but not a member of any groups. Is that possible?

Mk

Aug 22, 2020, 12:30:55 AM
to Jenkins Users
Hi Jeremy, thanks for the reply. Actually, the ldapsearch command on the Jenkins master server terminal works. Below is the response.

ldapsearch -x -h ad-ldap-server.com -p 389 -D "CN=jenkins,OU=Users,OU=Division,OU=Team,DC=domain,DC=com"  -b "OU=Users,OU=Division,OU=Team,DC=domain,DC=com" "(sAMAccountName=jenkins)" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <OU=Users,OU=Division,OU=Team,DC=domain,DC=com> with scope subtree
# filter: (sAMAccountName=jenkins)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Since I am getting a response, it seems I have permission to query the AD (LDAP) server.

I also tried Login name case sensitivity & Group name case sensitivity, both with Case sensitive & Case insensitive, but still the same result.

Mk

Aug 22, 2020, 2:25:37 AM
to Jenkins Users
Hi Jeremy,

I have tried keeping the root DN empty and enabling the tick mark - Allow blank rootDN. Now my test connection is successful, but it took around 4 mins to show the successful result. Below is the configuration used.

root DN - Allow blank rootDN

User search base: OU=Users,OU=Division,OU=Team,DC=domain,DC=com
User search filter: sAMAccountName={0}
Group search base: OU=Users,OU=Division,OU=Team,DC=domain,DC=com
Group search filter: (&(objectclass=group)(cn={0}))
Group membership
      Group membership filter - (&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={0}))
Manager DN: CN=jenkins,OU=Users,OU=Division,OU=Team,DC=domain,DC=com
Manager Password: password
Display Name LDAP attribute: displayname
Email Address LDAP attribute: mail

Now, how do I figure out the login performance issue? Another thing: is keeping the root DN empty not an issue?
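The root DN change described in this post, as an added example that is not part of the original thread: a small check that composes the DN actually searched from the root DN and a search base, and flags a base that already ends with the root DN. It assumes the plugin appends each search base to the root DN (search bases are relative to it); `split_dn` and `check_search_base` are hypothetical helper names.

```python
# Added example (not from the thread). Assumption: the plugin appends each
# search base to the root DN to form the DN it actually searches.

def split_dn(dn):
    """Split a DN into RDNs, keeping backslash-escaped commas inside a value."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def _norm(rdn):
    # Compare attribute type and value case-insensitively, ignoring padding.
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().lower()


def check_search_base(root_dn, search_base):
    """Return (effective base DN, True if the base already ends with root_dn)."""
    root, base = split_dn(root_dn), split_dn(search_base)
    tail = [_norm(r) for r in base[-len(root):]] if root else None
    repeated = bool(root) and tail == [_norm(r) for r in root]
    return ",".join(base + root), repeated


if __name__ == "__main__":
    BASE = "OU=Users,OU=Division,OU=Team,DC=domain,DC=com"  # value from the thread
    for root in ("DC=domain,DC=com", ""):
        effective, repeated = check_search_base(root, BASE)
        print(f"root DN {root!r}: searches {effective!r} repeated={repeated}")
```

Under that assumption, a flagged configuration can be resolved either by leaving the root DN blank with full DNs as search bases, or by keeping the root DN and shortening each search base to the part above it.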

Mk

Aug 23, 2020, 1:07:42 AM
to Jenkins Users
Hi Jeremy,

Even the LDAP login slowness issue is also resolved with the below configuration.

Group membership filter - (memberOf={0})

Enable cache
Cache size - 200
Cache TTL - 30min

Now everything is working as expected, but I would like to know: currently I am running with the root DN empty and Allow blank rootDN enabled in the plugin section. Is this fine?
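What the group membership filters seen in this thread select, as an added example that is not part of the original posts: the filters are evaluated over a small constructed directory with nested groups. It assumes `{0}` is replaced with the user's full DN; the directory, DNs and function names are constructed for illustration.

```python
# Added example (not from the thread). Constructed directory: each group DN
# maps to the DNs listed in its `member` attribute. Assumption: {0} = user DN.

USER = "CN=jdoe,OU=Users,DC=example,DC=test"


def g(name):
    return f"CN={name},OU=Groups,DC=example,DC=test"


GROUPS = {
    g("ci-devs"): [USER],
    g("jenkins-users"): [g("ci-devs")],                   # nested group
    g("all-staff"): [g("jenkins-users"), g("all-staff")],  # self-reference (cycle)
    g("auditors"): [],
}


def direct(dn):
    """(member={0}): groups that list dn directly. This is also dn's memberOf."""
    return {grp for grp, members in GROUPS.items() if dn in members}


def in_chain(dn):
    """(member:1.2.840.113556.1.4.1941:={0}): groups reached by following
    `member` links transitively. Each level costs another lookup."""
    found, queue = set(), [dn]
    while queue:
        for grp in direct(queue.pop()):
            if grp not in found:  # visited set stops the walk on cycles
                found.add(grp)
                queue.append(grp)
    return found


def memberof_equals(dn):
    """(memberOf={0}): entries whose own memberOf contains dn, that is,
    the direct members of dn."""
    entries = set(GROUPS) | {USER}
    return {e for e in entries if dn in direct(e)}


if __name__ == "__main__":
    for name, fn in (("member", direct), ("in-chain", in_chain),
                     ("memberOf", memberof_equals)):
        print(f"{name:9s} -> {sorted(fn(USER))}")
```

When switching filters, compare the groups a test user resolves to before and after, since role assignments that depend on nested groups follow that list.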

Mk

Aug 28, 2020, 12:26:39 AM
to Jenkins Users
Dear Team,

Now our LDAP authentication is working fine. I have a question regarding "Display Name LDAP attribute: displayname". I have configured it like this, and for all logged-in users the display name is shown as below, which is too long.

First-Name/Sur-Name/Team-Name/Location/Title/Company-Name

I would like to display only First-Name + Sur-Name. For this I tried changing the Display Name LDAP attribute to names such as givenName, cn & sn, but none of them worked. So is it possible to display only First name + Sur-name in Jenkins for logged-in users?

Mk

Sep 2, 2020, 12:27:31 AM
to Jenkins Users
Team, is it possible to display only First name + Sur-name in Jenkins?

Mk

Sep 2, 2020, 1:15:58 AM
to Jenkins Users
I have fixed it. Each time we change/update the "Display Name LDAP attribute" value in the LDAP configuration section, we need to delete the user from the People category and need to log in. After that it displays the configured settings.

anilkumar panditi

Jan 1, 2021, 1:59:12 AM
to Jenkins Users
Hi MK,
I am getting ldap_bind: Invalid credentials (49)

What credentials need to be given here?

Thanks,
Anil

Mohan

Jan 1, 2021, 2:03:02 AM
to jenkins...@googlegroups.com
Hi Anil,

The manager and manager password need to be configured to validate the test connection.


anilkumar panditi

Jan 1, 2021, 2:40:30 AM
to Jenkins Users
Okay, can you help with how to create manager credentials? Also, I am trying from the command (what user ID needs to be given in this command?)

ldapsearch -x -h ad-ldap-server.com -p 389 -D "CN=jenkins,OU=Users,OU=Division,OU=Team,DC=domain,DC=com"  -b "OU=Users,OU=Division,OU=Team,DC=domain,DC=com" "(sAMAccountName=jenkins)" -W  

Thanks,
Anil

Mohan

Jan 1, 2021, 2:45:02 AM
to jenkins...@googlegroups.com
Manager credentials should be your domain LDAP credentials, so it requires the complete CN, OU details. To get those, contact your domain administrators.

anilkumar panditi

Jan 1, 2021, 5:19:43 AM
to Jenkins Users
Hi Mk,
Yes, I have the CN, OU details. I was confused about what this Manager DN password is. Also, when we click on Test it prompts for credentials, for which I am giving the LDAP admin credentials.

Mohan

Jan 1, 2021, 5:28:30 AM
to jenkins...@googlegroups.com
Okay. In that case you need to provide the password of the account configured in the Manager DN section.
