[JIRA] (JENKINS-60306) LDAP login user needs read permissions

[roberto.galicia@axa.es (JIRA)]

Roberto Galicia created an issue

Jenkins / JENKINS-60306 LDAP login user needs read permissions Issue Type: Bug Assignee: Unassigned Components: ldap-plugin Created: 2019-11-27 16:47 Environment: Red Hat Enterprise Linux Server 7.6 Jenkins 2.204 LDAP Plugin 1.21 Labels: jenkins plugin ldap Priority: Major Reporter: Roberto Galicia In our LDAP server the anonymus access is not allowed, so we need to authenticate with Manager DN and then search the login user attributes. When we "Test LDAP settings" we can see how the Lookup is successful:   Lookup User lookup: successful User ID: username User Dn: CN=username,OU=people,OU=Collaborators,OU=Users,O=domain User Display Name: username LDAP Group membership: GLOBAL_GROUP LDAP Group lookup: successful (1 group) But the login failed:   Login Authentication: failed for user "username" Lockout The user "username" will be unable to login with the supplied password. If this is your own account this would mean you would be locked out! Are you sure you want to save this configuration?   We have checked that the password is okey loging in directly on the LDAP.   We have captured the conversation between Jenkins and the LDAP and analyzing it with Wireshark we found that the LDAP plugin requires two times the read permission for reading the LDAP tree, the first time when the Manager DN search the login user, and a second time when the login user needs to read his own attributes before login, in our LDAP is not allowed for login users to read the attributes for security reasons, that king of users only can login on LDAP not read the tree:so the search find 0 attributes:     searchRequest    baseObject: CN=username,OU=people,OU=Collaborators,OU=Users,O=domain    scope: baseObject (0)    derefAliases: derefAlways (3)    sizeLimit: 0    timeLimit: 0    typesOnly: False    Filter: (objectClass=*)    filter: present (7)       present: objectClass    attributes: 0 items     And produces that error: 0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of: 'O=domain'   I think it is not necessary to read two times the LDAP three, the first time is necessary to lookup (Manager DN) but the login user shouldn't have to read again the LDAP to login.   Add Comment

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

[mig@mig5.net (JIRA)]

Mig Jacq commented on JENKINS-60306

Re: LDAP login user needs read permissions I have exactly the same problem (accidentally reported in a different plugin here but the issue is the same there: https://issues.jenkins-ci.org/browse/JENKINS-60306) It should not be necessary for the user to have read access to the LDAP tree if the ManagerDN is being used to bind. That's the whole point of using a ManagerDN, in case read access otherwise is not enabled except to maybe a few key attributes (like userPassword so the user can edit their own password in some sort of LDAP manager)

Add Comment

This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)

[mig@mig5.net (JIRA)]

Mig Jacq edited a comment on JENKINS-60306

Re: LDAP login user needs read permissions

This worked for me: {code:java} olcAccess: {3}to *   by self read   by * break {code} (other access controls to * but with filters, allowed to other bind auth credentials follow, hence the break) This works for my needs as it appears to only allow read access to the user's own object itself (rather than read all users)

Add Comment

[mig@mig5.net (JIRA)]

Mig Jacq commented on JENKINS-60306

Re: LDAP login user needs read permissions

This worked for me: olcAccess: {3}to * by self read by * break (other access controls to other bind auth credentials follow, hence the break)

This works for my needs as it appears to only allow read access to the user's own object itself (rather than read all users)

Add Comment