The following is our current setup:
Jenkins with the latest LDAP plugin (as of 05.11.2015) in which we have configured:
- Server (in the form host:port)
- root DN (comprising two "dc" components)
- Allow blank DN (checked)
- User search base (a relative path with two components, "ou" and "o", and no leading/trailing commas)
- user search filter (uid={0})
- Manager DN with fully qualified DN
- Manager Password
- Display Name LDAP Attribute (displayName)
- Email Address LDAP Attribute (mail)
All other fields blank or unchecked.
We have two types of user in our LDAP: the Manager DN, who when bound can browse the entire tree, and regular users, who can bind but cannot browse at all (for security reasons). Anonymous connection is permitted. All connection parameters are verified independently (e.g., using Apache Directory Studio).
Here is the problem: regular users cannot authenticate.
Here is what we found: when we log in using the Manager DN (i.e., just the "uid" part as login name) we gain access to Jenkins. This was just a test, since this is not ordinarily a user that we would want to use to connect to Jenkins, but it is one with liberal browsing rights. When we connect with a regular user, it would appear that an anonymous bind occurs but that an "Insufficient Access Rights" error is raised. In other words, the fact that we have configured the Manager DN does not appear to be relevant, since this is never used during the bind and subsequent operations. Owing to policy constraints we are neither able to block anonymous binds nor loosen up regular user browsing rights.
What we would like is that the Manager DN perform any compare/retrievals or other operations that Jenkins requires and that the bind is performed using the user supplied credentials.
What can we do? e.g., configuration or code changes?
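Added example, not part of the question above and not code from the Jenkins LDAP plugin: an in-memory stand-in for a directory with the ACL the question describes (only the Manager DN may search or read; regular users may only bind), used to model the two flows side by side. `login_user_context` runs the attribute retrieval after the bind on the user's own connection, which works for the manager's uid but fails with insufficientAccessRights for a regular user; `login_manager_mediated` is the flow the question asks for, where the user's credentials are used for the bind only and every search and retrieval goes through the manager connection. The DNs (`dc=example,dc=org`, search base `ou=people,o=corp`), passwords, attribute values and the `Connection` class are all constructed for this example; it makes no claim about how the plugin itself orders these operations.

```python
# Constructed in-memory directory modelling the ACL from the question:
# the Manager DN can browse, regular users can only bind. All values are assumptions.

class LdapError(Exception):
    """Base class; .code mirrors an LDAP result-code name."""
    code = "other"


class InvalidCredentials(LdapError):
    code = "invalidCredentials"


class InsufficientAccessRights(LdapError):
    code = "insufficientAccessRights"


ROOT_DN = "dc=example,dc=org"
SEARCH_BASE = "ou=people,o=corp," + ROOT_DN          # relative base "ou=people,o=corp"
MANAGER_DN = "uid=manager," + SEARCH_BASE            # fully qualified Manager DN
MANAGER_PW = "manager-secret"

DIRECTORY = {  # constructed entries
    MANAGER_DN: {
        "uid": "manager", "userPassword": MANAGER_PW,
        "displayName": "Directory Manager", "mail": "ldap-admin@example.org",
    },
    "uid=alice," + SEARCH_BASE: {
        "uid": "alice", "userPassword": "alice-pw",
        "displayName": "Alice Example", "mail": "alice@example.org",
    },
}
CAN_BROWSE = {MANAGER_DN}  # identities allowed to search and read attributes


class Connection:
    """One LDAP connection: starts anonymous; bind() sets the authorization identity."""

    def __init__(self, directory=DIRECTORY):
        self.directory = directory
        self.bound_as = None  # None means anonymous

    def bind(self, dn, password):
        entry = self.directory.get(dn)
        if entry is None or entry["userPassword"] != password:
            raise InvalidCredentials(dn)
        self.bound_as = dn

    def _require_browse(self):
        if self.bound_as not in CAN_BROWSE:
            raise InsufficientAccessRights(self.bound_as or "anonymous")

    def search(self, base, attr, value):
        """Subtree search for filter (attr=value) under base; needs browse rights."""
        self._require_browse()
        return [dn for dn, e in self.directory.items()
                if dn.endswith("," + base) and e.get(attr) == value]

    def read(self, dn, attrs):
        """Attribute retrieval for a known DN; also needs browse rights."""
        self._require_browse()
        return {a: self.directory[dn].get(a) for a in attrs}


def _resolve_and_bind(uid, password):
    """Shared prefix of both flows: manager bind, search uid={0}, bind as the found DN."""
    manager = Connection()
    manager.bind(MANAGER_DN, MANAGER_PW)
    dns = manager.search(SEARCH_BASE, "uid", uid)
    if len(dns) != 1:
        raise InvalidCredentials(uid)  # unknown or ambiguous uid
    user = Connection()
    user.bind(dns[0], password)  # the only operation under the user's credentials
    return manager, user, dns[0]


def _result(flow):
    try:
        return {"ok": True, **flow()}
    except LdapError as err:
        return {"ok": False, "error": err.code}


def login_user_context(uid, password):
    """Lookups after the user bind run on the user's own connection (the user's ACL applies)."""
    def flow():
        _manager, user, dn = _resolve_and_bind(uid, password)
        details = user.read(dn, ["displayName", "mail"])
        return {"dn": dn, **details}
    return _result(flow)


def login_manager_mediated(uid, password):
    """Desired flow: bind as the user, then do every retrieval through the manager connection."""
    def flow():
        manager, _user, dn = _resolve_and_bind(uid, password)
        details = manager.read(dn, ["displayName", "mail"])
        return {"dn": dn, **details}
    return _result(flow)


if __name__ == "__main__":
    print("user-context flow   :", login_user_context("alice", "alice-pw"))
    print("manager-mediated    :", login_manager_mediated("alice", "alice-pw"))
    print("manager uid, either :", login_user_context("manager", MANAGER_PW))
```

Running the module shows the regular user failing with insufficientAccessRights in the first flow and succeeding in the second, while the manager's own uid succeeds in both, which is the pattern the question reports. The same two flows can be watched on the wire against a real server (which DN each BindRequest carries, and which connection issues the SearchRequest) to see which one an actual client performs.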