[JIRA] (JENKINS-55813) Improve AD/LDAP attribute analysis for locked accounts


wfollonier@cloudbees.com (JIRA)

Jan 28, 2019, 9:49:01 AM
to jenkinsc...@googlegroups.com
Wadeck Follonier created an issue
 
Jenkins / Improvement JENKINS-55813
Improve AD/LDAP attribute analysis for locked accounts
Issue Type: Improvement
Assignee: Wadeck Follonier
Components: active-directory-plugin, core, ldap-plugin
Created: 2019-01-28 14:48
Priority: Major
Reporter: Wadeck Follonier

In the current situation, there is no check for accounts that are disabled, locked or expired, or that have their credentials expired in Active Directory.

This ticket has the goal to improve the situation by reading as much as possible from the attributes returned by the server.

 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

spinus1@gmail.com (JIRA)

Jan 28, 2019, 9:50:03 AM
to jenkinsc...@googlegroups.com
Alessio Moscatello assigned an issue to Alessio Moscatello
Change By: Alessio Moscatello
Assignee: Wadeck Follonier → Alessio Moscatello

wfollonier@cloudbees.com (JIRA)

Jan 28, 2019, 10:48:02 AM
to jenkinsc...@googlegroups.com
Wadeck Follonier commented on Improvement JENKINS-55813
 
Re: Improve AD/LDAP attribute analysis for locked accounts

The PRs in ldap and active-directory use Microsoft's standard for the attribute names/values. I am not sure that's sufficient to cover most of the usage.
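For readers following the thread, an added example (not code from the Jenkins plugins or the PRs mentioned here) of the kind of attribute analysis the ticket describes: it decodes Active Directory's `userAccountControl`, `msDS-User-Account-Control-Computed` and `accountExpires` attributes into the four account-state booleans. The class name `AdAccountState`, the sample entries and the choice to treat a missing attribute as "no restriction known" are assumptions of this example.

```java
import java.time.Instant;
import java.util.Map;

// Added example (hypothetical class, not Jenkins plugin code).
public class AdAccountState {
    // Bit flags Microsoft documents for userAccountControl and
    // msDS-User-Account-Control-Computed.
    static final long ACCOUNTDISABLE = 0x2, LOCKOUT = 0x10, PASSWORD_EXPIRED = 0x800000;
    // accountExpires is a FILETIME: 100 ns ticks since 1601-01-01 UTC;
    // 0 and Long.MAX_VALUE both mean "never expires".
    static final long FILETIME_TO_UNIX_SECONDS = 11_644_473_600L;

    final boolean enabled, nonLocked, nonExpired, credentialsNonExpired;

    AdAccountState(Map<String, String> attrs, Instant now) {
        // Current AD reports lockout and password expiry in the computed
        // attribute, so both values are combined before testing bits.
        long uac = parse(attrs.get("userAccountControl"))
                 | parse(attrs.get("msDS-User-Account-Control-Computed"));
        enabled = (uac & ACCOUNTDISABLE) == 0;
        nonLocked = (uac & LOCKOUT) == 0;
        credentialsNonExpired = (uac & PASSWORD_EXPIRED) == 0;
        long expires = parse(attrs.get("accountExpires"));
        nonExpired = expires == 0 || expires == Long.MAX_VALUE
                || toInstant(expires).isAfter(now);
    }

    // Assumption of this example: an attribute the server did not return
    // (non-AD LDAP, or not requested) counts as 0, i.e. no restriction known.
    static long parse(String v) {
        return v == null || v.isBlank() ? 0L : Long.parseLong(v.trim());
    }

    static Instant toInstant(long fileTime) {
        return Instant.ofEpochSecond(fileTime / 10_000_000L - FILETIME_TO_UNIX_SECONDS);
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2019-05-23T00:00:00Z");
        // Constructed sample entries, not taken from a real directory.
        // The accountExpires value below encodes 2019-01-01T00:00:00Z.
        Map<String, Map<String, String>> users = Map.of(
            "disabled", Map.of("userAccountControl", "514"),
            "locked", Map.of("userAccountControl", "512", "msDS-User-Account-Control-Computed", "16"),
            "expired", Map.of("userAccountControl", "512", "accountExpires", "131907744000000000"));
        users.forEach((name, attrs) -> {
            AdAccountState s = new AdAccountState(attrs, now);
            System.out.printf("%s: enabled=%b nonLocked=%b nonExpired=%b credentialsNonExpired=%b%n",
                    name, s.enabled, s.nonLocked, s.nonExpired, s.credentialsNonExpired);
        });
    }
}
```

The computed attribute is only returned when the search explicitly requests it, and directory servers other than Active Directory will not return these attributes at all.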

spinus1@gmail.com (JIRA)

Feb 4, 2019, 8:41:02 AM
to jenkinsc...@googlegroups.com
Alessio Moscatello assigned an issue to Wadeck Follonier
 
Change By: Alessio Moscatello
Assignee: Alessio Moscatello → Wadeck Follonier

boards@gmail.com (JIRA)

May 7, 2019, 3:38:04 PM
to jenkinsc...@googlegroups.com
Matt Sicker commented on Improvement JENKINS-55813
 
Re: Improve AD/LDAP attribute analysis for locked accounts

Wadeck Follonier what do you mean by cover most of the usage? The usage within Jenkins plugins that may wish to impersonate a user? Or other LDAP servers? I've been starting to investigate this and have gotten somewhat confused around the current goal.

wfollonier@cloudbees.com (JIRA)

May 8, 2019, 3:26:01 AM
to jenkinsc...@googlegroups.com

Matt Sicker In the core, I covered only the case of the API Token, but didn't investigate further; it was just a PoC at that time. We need to ensure that every use of the Security realm check methods is consistent, i.e. checking the attributes of the UserDetails before using them.

fbelzunc@gmail.com (JIRA)

May 20, 2019, 2:53:03 PM
to jenkinsc...@googlegroups.com
Félix Belzunce Arcos started work on Improvement JENKINS-55813
 
Change By: Félix Belzunce Arcos
Status: Open → In Progress

fbelzunc@gmail.com (JIRA)

May 20, 2019, 2:53:03 PM
to jenkinsc...@googlegroups.com
Status: In Progress → Open

James.Schlesselman@GrinnellMutual.com (JIRA)

May 23, 2019, 10:27:02 AM
to jenkinsc...@googlegroups.com

FYI: I was not able to log in after upgrading to 2.15. I downgraded back to 2.14 and was able to log in again.

neil@x2systems.com (JIRA)

May 23, 2019, 2:11:01 PM
to jenkinsc...@googlegroups.com

Same issue for me: 2.15 stops me logging in; had to revert to 2.14.

boards@gmail.com (JIRA)

May 23, 2019, 2:28:01 PM
to jenkinsc...@googlegroups.com

I believe this PR was merged prematurely in the AD plugin. I'll submit a revert PR and refile the original as a draft PR.

boards@gmail.com (JIRA)

May 23, 2019, 4:24:02 PM
to jenkinsc...@googlegroups.com

Adding link to updated AD PR as a draft.

wfollonier@cloudbees.com (JIRA)

May 28, 2019, 9:08:03 AM
to jenkinsc...@googlegroups.com

The work on this ticket is "on-hold" for the moment, to be resumed soon-ish.
